Microsoft, phishing emails, and lessons to learn

Microsoft’s Safety & Security Center [sic] is loaded with cracking advice.

They have nice section on phishing emails.

It gives some pointers on what a likely phishing email contains, so you can decide whether or not to act on it, and how to go about reporting it.

I got an email recently which stank of phish.

All the hallmarks of a phishing email were there, almost perfectly in-line with Microsoft’s own advice:

• Contained a generic, impersonal message
• Sent from a service generally seen as trusted (popular company)
• Required that I act on it within a deadlined time frame (a threat)
• Contained direct links to “helpful” resources (links in the HTML formatted email)

Here’s Microsoft’s phishing checker:

I dug a bit deeper and found that the source headers suggest that sender is not spoofed (sender domain matched the address). It passed DMARC and SPF tests, and the Return-Path and From headers are consistent.

“And? So what?” I hear you ask.

Well, this is the email:

…from Microsoft :-)

What they should have done

• NOT included links in the content; instead direct the user to log in to their own account
• NOT used such a threatening tone including words such as ‘your files will be deleted’

…just as they advise on their own site, about how to avoid making mails look like phishing!