How to encourage phishing: send email to users from a different domain than they are subscribed to
Posted by jpluimers on 2023/06/08
Many organisations train their personnel with simulated phishing attempts sent from domains that differ from the one the organisation itself uses.
The mantra is: only respond to emails (or click links in them) that come from domains you know.
Microsoft sent (still sends?) account expiration emails for various *.microsoft.com, *.visualstudio.com and other Microsoft domains like this:
[Wayback/Archive] 232840055-2ccfdb9b-2a13-4a34-92f5-f27f337825f8.png (766×653): email from Microsoft account team <account-security-noreply@mail.msa.msidentity.com>
When I asked Microsoft web-care on Twitter via [Wayback/Archive] Jeroen Wiert Pluimers @wiert@mastodon.social on Twitter: “Hi @MicrosoftHelps, Is this phishing? If not: why do you send out emails that look like they are phishing? Previous mails to my unique destination email address originated from the microsoft.com domain. Regards, –jeroen”
Their DM response can be summarised as “…the email you receive is definitely a scam. …”, but something triggered me to dig further, so I did. After that I responded with this in both the DM and on Twitter [Wayback/Archive] Jeroen Wiert Pluimers @wiert@mastodon.social on Twitter: “While web-care thought it was SCAM, it isn’t. I checked. This is the Microsoft way of notifying you that a Microsoft account is about to be deleted because of inactivity reasons. So I sent back the DM in the screenshot (alt-text spread over 2 images). CC @ngrynerds @jilles_com”
Hi Thea,
Thanks for getting back.
I did some more checks and I think it is not a scam but very confusing.
Please try to escalate this within Microsoft to switch from using account-security-noreply@mail.msa.msidentity.com to an @microsoft.com based email sender.
The steps I followed were from a burner environment, where I:
1. checked lookup.icann.org/whois/en?q=msidentity.com&t=a which indicates that it is indeed a Microsoft domain
2. checked the “here” link in the email that points to go.microsoft.com/fwlink/?LinkId=2086738 and redirects to support.microsoft.com/en-gb/topic/microsoft-account-activity-policy-7c0a9fa7-0982-b7c6-fd72-df852b63699f
3. checked the email source and SMTP headers to verify the destination address was indeed mine
4. checked the destination address at account.live.com/closeaccount.aspx which indeed indicated the account had been inactive for 2 years
Conclusion is that:
– the mail is legit
– will get into SPAM because it is hardly used
– triggers all kinds of phishing warnings
Sending from account-security-noreply@mail.msa.msidentity.com is exactly what security training is about: delete the email, don’t respond.
If I had not responded, the underlying account would have been deleted including (in this case) the underlying visualstudio.com access.
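Steps 2 and 3 of the DM above (inspect the link targets, inspect the headers) can be done offline against the saved message, and that is where a practitioner wants one more check the DM does not mention: the receiving server's Authentication-Results header, which records whether SPF, DKIM and DMARC passed. The Python script below is an added example, not code from the original post or from Microsoft. It lists every domain a message exposes (From, Return-Path, DKIM signer, link hosts), compares them with the domains the recipient was taught to expect, and reads the authentication results. The sample message is constructed for the example: the Return-Path, To, Authentication-Results values and body are invented, only the From address and the two link targets come from the post. The WHOIS check (step 1) and the account check (step 4) need network access and are left out.

```python
"""Offline triage of an 'is this phishing?' email: which domains does the
message expose, and did the receiving MTA authenticate it?"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recipient was taught to expect from this sender. The post's
# point is that msidentity.com (and live.com) are not on such a list.
KNOWN_DOMAINS = {"microsoft.com", "visualstudio.com"}

# Constructed sample message modelled on the one in the post. Return-Path,
# To, the Authentication-Results values and the body text are invented.
SAMPLE_EMAIL = b"""\
Return-Path: <bounce@mail.msa.msidentity.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail.msa.msidentity.com; dkim=pass header.d=msidentity.com; dmarc=pass header.from=mail.msa.msidentity.com
From: Microsoft account team <account-security-noreply@mail.msa.msidentity.com>
To: someone@example.net
Subject: Your Microsoft account is about to be closed
Content-Type: text/html; charset=utf-8

<html><body>Read the policy <a href="https://go.microsoft.com/fwlink/?LinkId=2086738">here</a>
or sign in at <a href="https://account.live.com/closeaccount.aspx">account.live.com</a>.</body></html>
"""


def registrable_domain(host):
    """Last two DNS labels (mail.msa.msidentity.com -> msidentity.com).
    A simplification: suffixes like co.uk need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(value, authserv_id=None):
    """spf/dkim/dmarc results from an Authentication-Results header (RFC 8601).
    If authserv_id is given, ignore headers not stamped by that MTA: a sender
    can add its own Authentication-Results header to a message."""
    if authserv_id and not value.strip().startswith(authserv_id):
        return {}
    return {m: r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=([A-Za-z]+)", value)}


class _HrefCollector(HTMLParser):
    """Collect the host of every <a href> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, val in attrs:
                host = urlparse(val or "").hostname if name == "href" else None
                if host:
                    self.hosts.append(host)


def extract_link_hosts(html):
    collector = _HrefCollector()
    collector.feed(html)
    return collector.hosts


def triage(raw, known_domains=KNOWN_DOMAINS, authserv_id=None):
    """Return what the message exposes and whether it authenticated."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    auth_header = str(msg.get("Authentication-Results", ""))
    auth = parse_auth_results(auth_header, authserv_id)
    dkim_d = re.search(r"header\.d=([\w.-]+)", auth_header)
    body = msg.get_body(preferencelist=("html", "plain"))
    link_hosts = extract_link_hosts(body.get_content() if body else "")

    exposed = {registrable_domain(a.rpartition("@")[2]) for a in (from_addr, return_path) if "@" in a}
    exposed |= {registrable_domain(h) for h in link_hosts}
    if dkim_d:
        exposed.add(registrable_domain(dkim_d.group(1)))

    return {
        "from_domain": registrable_domain(from_addr.rpartition("@")[2]),
        "auth": auth,
        "authenticated": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "link_hosts": link_hosts,
        "unexpected_domains": sorted(exposed - set(known_domains)),
    }


def verdict(report):
    if not report["authenticated"]:
        return "not authenticated by the receiving MTA: treat as phishing"
    if report["unexpected_domains"]:
        return "authenticated, but uses unexpected domains: verify out of band"
    return "authenticated and uses only expected domains"


if __name__ == "__main__":
    report = triage(SAMPLE_EMAIL, authserv_id="mx.example.net")
    for key, value in report.items():
        print(f"{key}: {value}")
    print(verdict(report))
```

On the constructed message the report says SPF, DKIM and DMARC all pass, yet msidentity.com and live.com are flagged as unexpected: the situation in the DM, authentic mail that a "domains you know" rule tells users to delete, and the cue to verify out of band via WHOIS and the official redirect. Two caveats: pass your own MTA's authserv-id so a sender-injected Authentication-Results header is not trusted, and replace the two-label domain heuristic with a public-suffix list before using this on real traffic.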
Digging
- [Wayback/Archive] ICANN Lookup – WHOIS: msidentity.com, with response (captured 2023-04-18) [Wayback/Archive] https://lookup.icann.org/whois/en?q=msidentity.com&t=a:
…
Registrant Name: Domain Administrator
Registrant Organization: Microsoft Corporation
Registrant Street: One Microsoft Way,
Registrant City: Redmond
Registrant State/Province: WA
Registrant Postal Code: 98052
Registrant Country: US
…
- [Wayback/Archive] go.microsoft.com/fwlink/?LinkId=2086738 redirecting to [Wayback/Archive] Microsoft account activity policy – Microsoft Support
- [Wayback] account.live.com/closeaccount.aspx
- [Wayback/Archive] Visual Studio: IDE and Code Editor for Software Developers and Teams
–jeroen
Domain Name: msidentity.com
Registry Domain ID: 2014447737_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2023-02-17T09:34:43+0000
Creation Date: 2016-03-21T19:14:15+0000
Registrar Registration Expiration Date: 2024-03-21T00:00:00+0000
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2086851750
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: Microsoft Corporation
Registrant Street: One Microsoft Way,
Registrant City: Redmond
Registrant State/Province: WA
Registrant Postal Code: 98052
Registrant Country: US
Registrant Phone: +1.4258828080
Registrant Phone Ext:
Registrant Fax: +1.4259367329
Registrant Fax Ext:
Registrant Email: domains@microsoft.com
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: Microsoft Corporation
Admin Street: One Microsoft Way,
Admin City: Redmond
Admin State/Province: WA
Admin Postal Code: 98052
Admin Country: US
Admin Phone: +1.4258828080
Admin Phone Ext:
Admin Fax: +1.4259367329
Admin Fax Ext:
Admin Email: domains@microsoft.com
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: Microsoft Corporation
Tech Street: One Microsoft Way,
Tech City: Redmond
Tech State/Province: WA
Tech Postal Code: 98052
Tech Country: US
Tech Phone: +1.4258828080
Tech Phone Ext:
Tech Fax: +1.4259367329
Tech Fax Ext:
Tech Email: domains@microsoft.com
Name Server: ns1-39.azure-dns.com
Name Server: use2.akam.net
Name Server: ns4-39.azure-dns.info
Name Server: ns1-169.akam.net
Name Server: ns3-39.azure-dns.org
Name Server: eur2.akam.net
Name Server: usw1.akam.net
Name Server: ns2-39.azure-dns.net
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2023-04-18T17:18:33+0000 <<<
For more information on WHOIS status codes, please visit:
https://www.icann.org/resources/pages/epp-status-codes
If you wish to contact this domain's Registrant, Administrative, or Technical
contact, and such email address is not visible above, you may do so via our web
form, pursuant to ICANN's Temporary Specification. To verify that you are not a
robot, please enter your email address to receive a link to a page that
facilitates email communication with the relevant contact(s).
Web-based WHOIS:
https://domains.markmonitor.com/whois
If you have a legitimate interest in viewing the non-public WHOIS details, send
your request and the reasons for your request to whoisrequest@markmonitor.com
and specify the domain name in the subject line. We will review that request and
may ask for supporting documentation and explanation.
The data in MarkMonitor's WHOIS database is provided for information purposes,
and to assist persons in obtaining information about or related to a domain
name's registration record. While MarkMonitor believes the data to be accurate,
the data is provided "as is" with no guarantee or warranties regarding its
accuracy.
By submitting a WHOIS query, you agree that you will use this data only for
lawful purposes and that, under no circumstances will you use this data to:
(1) allow, enable, or otherwise support the transmission by email, telephone,
or facsimile of mass, unsolicited, commercial advertising, or spam; or
(2) enable high volume, automated, or electronic processes that send queries,
data, or email to MarkMonitor (or its systems) or the domain name contacts (or
its systems).
MarkMonitor reserves the right to modify these terms at any time.
By submitting this query, you agree to abide by this policy.
MarkMonitor Domain Management(TM)
Protecting companies and consumers in a digital world.
Visit MarkMonitor at https://www.markmonitor.com
Contact us at +1.8007459229
In Europe, at +44.02032062220