Microsoft Docs Login Form Phishing Scam: Overview

Phishing e-mail campaigns are used to steal sensitive data such as login information and usually their success depends on a user clicking a link which leads to a phishing website that looks like a regular login page. However, not all phishing campaigns use remote websites as we are about to see.

Scammers continue to surprise us with their methods.

Several email users across the country have recently reported that they received emails that looked like traditional payment notifications phishing with a fairly usual text: “Good day, please find attached a copy of your payment notification.” The HTML attachment (invoice.html or payment.html) it carried turned out to be anything but usual, instead it redirects the browser to a fake login page.

So, when opening the 930 kb file in a regular text editor, right after the first line – <! — Internal Server Error –> there are more than four thousand empty lines followed by a lot of obfuscated JavaScript code (more than 500k characters).

The next step is to load the website in a browser. After opening the file in Firefox, it became obvious why the script was so large. Unlike most other HTML-based phishing attachments, this one didn’t depend on an external fake login page but carried the entire thing within its body.

Although the page was supposed to look like a Microsoft Docs page, the scammers provided a list with multiple valid e-mail providers such as Gmail, Yahoo, AOL, Hotmail, Office365 etc. one could use to “log in”.

The catch for such a scheme to work is to create a page that looks genuine and inspires trust for users to fill in their login information. From our observations, in this particular case, scammers did a pretty good job as the page under examination feels authentic.


MS login page


After the user supplies an e-mail and a password, the website appears to connect the session to the e-mail server, but actually, it sends a HTTP GET request containing login data specified by the user to a remote web server at hxxp://


GET request


Subsequently, an additional request for a phone number and a recovery e-mail is displayed to the user. When those fields are filled in as well and sent to the same domain as before, although this time using a POST request, the browser is redirected to a low-quality picture of the supposed invoice and right after that the page is redirected again, but this time to either a genuine Microsoft website or to the domain specified in the recovery e-mail supplied by the user.

Sending user’s login information to a server and then redirecting the browser to a legitimate web page is normal behavior for a phishing page. Although, in this case the phishing page not only steals the credentials but also transfers them online without any encryption in plain HTTP to a remote location.

Besides that, what is unusual about this phishing is the fact that the entire phishing page was delivered as an attachment. We believe that this was intended to avoid email security filters and analytics on web proxies. Also, by generating the landing page locally, the attackers reduce the risk that their landing page will be discovered and removed, but whatever the reason was, their M.O. is quite ingenious.

However, this isn’t the first phishing scam with a similar “self-contained” website, but this was the first time we came across such a complex HTML phishing attachment that carried all the scripts and files in one package and didn’t depend on a remote server for anything else than for collecting the stolen credentials.


At StratusPointIT, we support all our customers by offering them guidance, training and professional IT security features to prevent advanced cyber-attacks such as this one from compromising their systems.

Few Reasons Why 24×7 Network & Server Support Is Mandatory

Imagine what happens if your organization’s network or server(s) suddenly goes down one night? In case you didn’t plan something, there are two scenarios: either incredibly high over-time costs or solving the issue/s during the workday.

Having 24×7 monitoring of your network and server(s) will ensure that your organization can keep working around-the-clock and that every IT issue is solved as it comes up, avoiding a destructive cascade of failures.

Procure an Instant, Experienced Support Team & Save Money

Rather than having to rely on one or two IT employees, a company with a managed IT service solution expanding network, server, and help desk support has immediate access to a qualified, experienced team. Its members will be able to quickly identify the source of the problem and resolve it in a timely manner, so that your organization doesn’t experience substantial business disruption.

A managed IT service solution will free up your IT staff, so that your IT department can focus on more important issues. That means you won’t be paying your IT team overtime, instead, you’ll be able to use their knowledge and experience to optimize the existing infrastructure looking for new technologies to improve business operations.

Businesses today cannot afford downtime

When their IT infrastructures get hit, their internal workflow will stop, and organizations will be unable to deliver their products/services to their waiting clients, losing money and getting their brand affected as a result. Some companies can suffer hits and overcome episodes like these, others can’t.

Technical problems may occur. Hardware/software issues are always a possibility. Of course, not every IT support issue can cause a disaster and not every issue is urgent, but how your IT Help Desk responds is crucial because it can make the difference between a little hiccup and a massive business interruption.

Here are two key reasons why 24×7 network and server support should never be optional.

24×7 Monitoring

People may stop working on nights or over weekends, but systems don’t. Your help desk should be teamed with 24×7 remote monitoring catching little IT issues before they become big ones, in many cases before you’re even aware there’s an issue.

With 24×7 monitoring, there’s a good chance that your help desk will already be aware of the problem you’re experiencing and are actively working to resolve it.

Urgent Issues

This may seem like a costly luxury, but it’s not. The team providing 24×7 monitoring can also provide 24×7 support in much the same way that grocery stores can stay open all night since employees are already there stocking shelves.

Of course, your team may not always be working nights and weekends, but when they are, it’s probably for an important reason. The last thing they need is to be blocked because they can’t get support.


24×7 Network and Server Support is not a luxury, but rather a requirement. A requirement that will avoid hassles and keep your team happy and productive.

Why Businesses Need to Create a Risk Profile to Prevent Cyberattacks

Think about the last time you were afraid of something. Did you approach the situation rationally? If so, you’re in the minority. Most people are terrible at being rational when afraid. And where cybersecurity is concerned, that’s exactly what criminals are counting on. 

In 2018, the Data Science Institute at Columbia found that surgeons under stress tend to make up to 66 percent more mistakes in the operating room. You’re probably wondering what, if anything, this has to do with cybersecurity. A great deal, actually.

It’s proof positive that even medical professionals are prone to error when under extreme stress. The cybersecurity industry is no different.

There’s no shortage of sensationalism around the cybercrime industry. You can’t even turn on the news without hearing about some new and terrible threat facing the digital world. To hear the media tell it, cybersecurity is an industry in a perpetual state of crisis.

A looming talent shortage and overworked employees. Irreducibly complex and sophisticated cyberattacks led by state-sponsored black hats. Unstoppable botnets that can bring the entire Internet to its knees. Powerful tools like ransomware-as-a-service that allow even the least tech-savvy of individuals to execute advanced attacks.

These are all things that are happening, true. And they’re extremely intimidating to think about. If a well-funded black hat organization were to set its sights on your business, there would be little you could do.

The thing is, devastating cyber-incidents like the ones we see so frequently online?  They are not the norm. They’re just what makes headlines.

In actuality, the vast majority of cyber-attacks and data leaks are neither complicated nor targeted. They are shotgun cyberattacks that effectively throw malicious software and attack vectors at the wall to see what sticks. If you don’t want to take my word for it, have a look at the stats below.

What I’m trying to say is that too often, corporate cybersecurity veers to one of two extremes. Either we get sloppy because we think it can’t possibly happen to us, or we become paranoid, terrified at the dangers that exist on the web. Neither is the correct path.

Instead, businesses need to create and analyze their risk profile. They must endeavor to understand their unique organizational workflows, data requirements, and security threats. And perhaps more importantly, they must take a proactive role in both enabling employees and protecting corporate assets.

This is not something that can be done from a place of fear, stress, or paranoia. It needs to be careful, measured, and well planned. It needs to be an organization-wide, multi-departmental approach as well. That way, you don’t have a single group of people shouldering the burden for absolutely everyone.

About the Author:

Tim Mullahy is the Executive Vice President and Managing Director at Liberty Center One, a new breed of data center located in Royal Oak, MI. Tim has a demonstrated history of working in the information technology and services industry.