Office 365 is a popular application and not just among businesses. For many home users it’s a go-to application for Word and Excel docs. A cybercriminal gang, however, is exploiting its popularity by cunningly tricking users into calling a bogus call centre, with the ultimate aim of installing ransomware onto their computers.
  • Phishing emails are being sent to Office 365 users attempting to trick them into calling a phone number operated by the cyber villains.
  • According to Microsoft, some of the emails claim to come from a photo editing service or recipe website or ‘confirm’ that a software license has been purchased.
  • Other emails claim that a trial subscription is expiring and an individual's credit card will soon be automatically charged.
The email disguises may vary but the underlying message is typically the same: to get the email recipient to call a telephone number.
  • The important thing to understand is that the emails do not have an attachment, and do not have a link for the user to click on. Instead they merely provide a phone number for recipients to call if they wish to make a query.
As such, many people might believe that calling a phone number is safe.
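For anyone triaging reported mail, the traits described above (no attachment, no link, a phone number, and a subscription or billing pretext) can be checked mechanically. The following is an added example, not code from Microsoft or from the original article; the regular expressions, the `triage` function name and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string

# Heuristic patterns (assumptions for this example, tune for your own mail flow)
PHONE = re.compile(r"(?:\+?\d[\s().-]?){9,14}\d")        # 10 to 15 digits with separators
URL = re.compile(r"(?:https?://|www\.)\S+", re.I)
LURE = re.compile(r"subscription|trial|licen[sc]e|credit card|charged", re.I)

def triage(raw):
    """Return the callback-phishing signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    texts, attachments = [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() or part.get_content_disposition() == "attachment":
            attachments += 1
        elif part.get_content_type() in ("text/plain", "text/html"):
            data = part.get_payload(decode=True) or b""
            texts.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(texts)
    signals = {
        "no_attachment": attachments == 0,
        "no_link": URL.search(body) is None,      # HTML hrefs are caught here too
        "phone_number": PHONE.search(body) is not None,
        "billing_lure": LURE.search(body) is not None,
    }
    # Flag only when every trait from the article is present together
    signals["flag"] = all(signals.values())
    return signals

# Constructed sample: matches the lure pattern described in the article
LURE_SAMPLE = (
    "From: billing@example.com\nSubject: Your trial is ending\n\n"
    "Your trial subscription expires today and your credit card will be charged.\n"
    "If you have a query, call 1-800-555-0100.\n"
)
# Constructed sample: similar wording, but it carries a link, so it is not flagged
LINK_SAMPLE = (
    "From: billing@example.com\nSubject: Renewal notice\n\n"
    "Your subscription renews soon. Manage it at https://example.com/account "
    "or call 1-800-555-0199.\n"
)

if __name__ == "__main__":
    for name, raw in (("lure", LURE_SAMPLE), ("link", LINK_SAMPLE)):
        print(name, triage(raw))
```

A flagged message is a candidate for review, not a verdict: legitimate billing notices can share these traits.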

If you do call the number, you are put through to a human-operated call centre for a website.
  • The call centre agent tells the caller to visit the account page of the website and download a macro-enabled Excel spreadsheet in order to cancel the subscription.
  • Microsoft says that the call centre support agents may even encourage victims to ignore warnings from their security software as the spreadsheet is downloaded.
  • Once opened, the Excel spreadsheet claims to be protected, and tells users to "Enable Content" in order to view its contents.
The miscreant’s objective is to get the user to download malicious code hidden in the Excel spreadsheet. This code then creates a backdoor in the victim’s computer so the attacker can control the PC.

Microsoft says attackers could steal data from the computer or install ransomware within 48 hours of contact with the victim.

This attack method is one you need to be aware of, given that the emails initially appear ‘genuine’ because they only contain a phone number. However, any request to open a document on your computer is a huge red flag.