During the last week of January 2021, cyber security provider Trend Micro shared a blog post highlighting an Office-365 phishing campaign in which criminals have targeted executives within manufacturing, tech, real estate, government, and finance since May 2020. As part of the scam, fraudsters sent the victims fake emails with links to a phishing site, where they harvested their credentials to sell them to other malicious entities online.

These phishing attempts are particularly dangerous because executives often have access to a wide variety of information at an organization and aren’t always actively engaged in security awareness training, making them a lucrative target for experienced cyber criminals.

The series of attacks indicates that C-Suite executives are just as vulnerable to cyber attacks as employees, if not more so. With the average attack resulting in a loss of $1.6 million, this Office-365 phishing campaign presents an existential threat to modern enterprises.

This article will examine how the Office-365 phishing scam works, identify how cyber security leaders can minimize the threat, and provide tips for executives so that they can protect themselves from unscrupulous actors online.

The Office-365 Phishing Scam: Here’s What Happened

The Office-365 phishing campaign is a textbook phishing scam where the fraudsters send victims a fake password expiration email with Microsoft branding, notifying them that their Office 365 password will expire soon. A C-Suite executive’s credentials obtained through such an attack can be a very lucrative asset for cyber criminals to sell on the black market.

Partway through the email, the criminals give the victim the option to “change” or “continue” with the same password and provide them with a hyperlinked “KEEP PASSWORD” button. Clicking on the link takes the victim to a phishing site where the hackers harvest their information to sell to other cyber criminals online.

After obtaining the victim’s information, the hackers began selling the account credentials online through English- and Russian-speaking forums, with prices ranging from $100 to $1,500. So far, Trend Micro has discovered over 300 compromised URLs and 40 email addresses of CEOs, directors, owners, and founders from various organizations.

These attacks are also harder to defend against as the cyber criminals have developed a phishing kit with a list of domain names and IP address ranges designed to stop security vendors like Google, Microsoft, and VirusTotal from detecting malicious content. The kit can also identify bot scanning or crawling and present alternative content to avoid being detected by security tools.
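An added example, not taken from Trend Micro's report or the original article: a static check for the lure described above, flagging password-expiry wording together with a "KEEP PASSWORD" button whose link leaves Microsoft's domains. It only parses the message and never fetches the URL, so the kit's scanner blocklist does not affect it; the trusted-domain list, function names, and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts accepted as genuine Microsoft sign-in or account pages.
TRUSTED_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com")
LURE_TEXT = re.compile(r"password.{0,40}expir", re.I | re.S)
BUTTON_TEXT = re.compile(r"keep\s+(same\s+)?password", re.I)

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def is_trusted(host):
    # Exact match or true subdomain only, so "microsoft.com.evil.example" fails.
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def score_message(raw):
    """Return the lure indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    html = "".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/html")
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    if LURE_TEXT.search(msg.get("Subject", "") + " " + html):
        findings.append("password-expiry wording")
    for href, text in collector.links:
        if BUTTON_TEXT.search(text) and not is_trusted(urlparse(href).hostname):
            findings.append(f"'{text}' button points to untrusted URL {href}")
    return findings

# Constructed sample message, not taken from the campaign.
SAMPLE = ('Subject: Your Office 365 password expires today\n'
          'Content-Type: text/html; charset="utf-8"\n\n'
          '<p>Your Office 365 password will expire soon.</p>'
          '<a href="https://login.phish.example/o365">KEEP PASSWORD</a>')
```

Calling `score_message(SAMPLE)` returns both indicators; a message whose button points at a host under the trusted suffixes returns none for the link check.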

How to Stop Spear Phishing Attempts Targeting Executives: Tips for Cyber Security Leaders

There are some key actions cyber security leaders can take to reduce the chance of executives falling victim to spear phishing attempts:

1.   Educate executives about phishing and spear phishing

Educate executive staff and assistants by providing security awareness training and free phishing simulation tools to ensure they’re aware of the threats they face online. Greater awareness of security risks and best practices will help them detect phishing scams and avoid handing over sensitive information.

2.   Provide ongoing communication campaigns

Send out regular email newsletters as part of a communication campaign to let executives and employees know about the latest threats. Communication campaigns can also include security guidance on avoiding opening email attachments and URLs.

3.   Encourage executives to take part in phishing awareness training

Try to get executives to take part in your phishing awareness program and complete phishing microlearning modules, so you can monitor their overall threat awareness and identify ways they can change their behavior.

4.   Keep all infrastructure up-to-date

Ensure that all applications, software, networking tools, and operating systems are updated so that they don’t have any vulnerabilities. Install anti-malware protection and anti-spam software for an extra layer of defense.

5.   Outline phish reporting protocols

Let executives know how to report suspected phishing attempts. If there is a live threat, the IT department can quickly protect other users and information from being exposed.

6.   Delegation of authority

Implement delegation of authority for executive assistants and executive support staff, instead of sharing the executive’s passwords.

How to Prevent Spear Phishing: Tips for Executives

There are several things that executives can do to avoid falling victim to spear phishing attempts:

1.   Avoid opening emails from unknown senders

Clicking on emails from unknown senders puts you at risk of malicious content like scam emails, so always check all senders’ names and email addresses, and only open emails from senders you know and trust.

2.   Carefully inspect links and attachments

Even if an email appears legitimate, carefully inspect the message, links or attachments as hackers use these to transmit malware or lead you to phishing sites so they can steal your information.

3.   Engage in security awareness training

If your organization has a security awareness training program, make sure that you engage with it and any educational materials or phishing simulations provided to learn more about the type of threats you are exposed to online.

4.   Update all the devices and applications you use

Regularly update all applications, operating systems, network tools, and software you use to ensure there are no vulnerabilities that attackers can exploit. Where possible, use anti-malware and antivirus solutions to protect your devices further.

5.   Scrutinize emails for suspicious elements

Whenever you receive a new email, carefully check the text for spelling mistakes and grammatical errors. Look out for any language that promotes urgency or tries to encourage you to provide personal information by a specific date, because such messages are almost certainly a scam.


The Office-365 C-suite phishing campaign has shown that fraudsters are increasingly focusing on high-value targets like CEOs and executives because they have access to a goldmine of information and don’t always have the time to apply due diligence to every message they receive during their busy schedule.

The only way to prevent your organization from being caught out by this type of spear phishing is to ensure that executives have access to comprehensive security awareness training, so safe online conduct becomes instinctive.


