– The scam aims to steal your username and password for your Microsoft 365 account. It’s easy to fall for because the sender of the scam email is a person you’ve previously contacted by email. This will probably make many people trust the email and perceive it as genuine, download the attachment and provide their login details. They must not do that, warns Vidar Sandland, senior adviser at the Norwegian Center for Information Security (NorSIS), in a press release.
The warning follows a new scam in circulation that abuses the Dropbox name to trick recipients into giving out information.
According to Sandland, the scam appears to start with the scammers gaining control of someone else’s email account and then using it to share a PDF attachment via the Dropbox cloud service.
The recipient, who recognizes the sender and suspects nothing, must log in with their own Dropbox account to view the PDF file.
NorSIS explains that the file consists only of an image with a link to a fake login page for Microsoft 365. If you enter your login details there, you have given the information to the scammers, and they potentially have full access to your account.
– The security mechanisms will not catch the fraudulent email because it links to a legitimate Dropbox share, where the username and password for this service do not go astray, Sandland warns.