An Office 365 phishing attack presented itself as the US Department of Labor

by Don Sharpe
  • A new phishing campaign masquerading as the US Department of Labor has been reported.
  • Users who follow the bid link are directed to a domain that resembles the department's real domain.
  • The attack targets users' credentials, especially email addresses and passwords.

As part of a new phishing campaign, scammers are impersonating the United States Department of Labor (DOL) in order to steal Office 365 credentials.

But why target Office 365? The answer is simple: Office 365 is one of the most popular business productivity suites. In fact, it's so popular that it's currently used by 28 million businesses worldwide.

Some of the emails are sent from spoofed domains made to look as if they came from the actual DoL site, while others are based on a set of newly created look-alike domains.

Some of the spoof domains include:

  • dol-gov[.]com
  • dol-gov[.]us
  • bids-dolgov[.]us
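The following Python check is an added example, not part of the original article: it classifies sender domains by whether "dol" and "gov" appear as adjacent tokens outside the real dol.gov zone, which is the pattern shared by the three domains listed above. The sample headers, the function names and the treatment of dol.gov as the department's genuine domain are assumptions of the example.

```python
import re

LEGIT = "dol.gov"  # assumption: the department's genuine domain

# "dol" directly followed by "gov" as hyphen/dot-delimited tokens, e.g.
# dol-gov, bids-dolgov, or dol.gov used as a subdomain prefix of another zone.
BRAND_RE = re.compile(r"(?:^|[.-])dol[.-]?gov(?:$|[.-])")

def refang(indicator: str) -> str:
    """dol-gov[.]com -> dol-gov.com, lower-cased, without a trailing dot."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

def sender_domain(from_header: str) -> str:
    """Domain part of the address in a From: header value ('' if none)."""
    m = re.search(r"@([^\s>]+)", from_header)
    return refang(m.group(1)) if m else ""

def classify(domain: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one domain."""
    domain = refang(domain)
    if domain == LEGIT or domain.endswith("." + LEGIT):
        return "legitimate"
    # Everything left of the final label (the TLD) is chosen by the registrant.
    left_of_tld = domain.rpartition(".")[0]
    if BRAND_RE.search(left_of_tld):
        return "lookalike"
    return "unrelated"

def triage(from_headers):
    """Classify the sender domain of each header: (header, domain, verdict)."""
    return [(h, sender_domain(h), classify(sender_domain(h))) for h in from_headers]

# Constructed sample headers. The look-alike domains are the three listed above,
# kept defanged; display names and local parts are made up for the example.
SAMPLE = [
    '"DOL Procurement" <bids@dol-gov[.]com>',
    '"Department of Labor" <no-reply@dol-gov[.]us>',
    '"Open Bids" <tenders@bids-dolgov[.]us>',
    '"DOL Newsletter" <news@www.dol.gov>',
    '"Vendor" <sales@example.org>',
]

if __name__ == "__main__":
    for header, domain, verdict in triage(SAMPLE):
        print(f"{verdict:<10} {domain:<20} {header}")
```

A match only says the domain borrows the department's name; it does not cover look-alikes that drop the "gov" token, so it complements rather than replaces a blocklist.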

The attack works by spreading its messages through servers owned by non-profit organizations, which are often ignored by email filtering software. This allows the emails to pass freely through traditional security solutions.

The sender pretends to be a senior DoL employee who invites the recipient to submit their bid for an ongoing government project. 

The email includes a link to what appears to be an Office 365 login page, but is actually a rogue site where the victim’s login credentials are captured and then used to access the legitimate Office 365 environment.

Targets are sent a message from what appears to be an official DoL address, but which is in fact from a scammer, according to Microsoft. The email asks the target to submit their bid for an ongoing government project but includes a link that leads to a fake landing page.

The emails contain a valid letterhead, professional layout and content, as well as a three-page PDF attachment containing what appears to be a legitimate form. 

Users are also being told to keep watch on the following domains as they are also part of the scam.


Keeping watch on all these sites can be cumbersome, so as an additional layer of security, ignore any site that asks for your Office 365 credentials to view a document.

What are some tips and tricks you use to avoid phishing scams? Share your thoughts in the comment section below.