Security Advisory Archives

Office 365 Phishing – Non-Delivery Notifications

December 13, 2018

Office 365 Phishing – Non-Delivery Notifications

Research carried out by the SANS ISC team has found a new Phishing attack in the wild that targets Microsoft Office 365 users, through the use of fake Non-Delivery Report (NDR) emails.NDR’s are sent to let you know that there has been an issue with delivering an email you have sent and provides information on why the email delivery was unsuccessful.This phishing email imitates a real Microsoft NDR in an attempt to steal the users Office 365 login username and password.Below is an image of a real NDR email from Microsoft:

Office 365 NDR

The image below shows what the fake NDR email looks like:

O365 Phishing email

At first glance this is a very convincing and has the potential to trick most people who do not look more closely into the email. Clicking on the Send Again link redirects the user to a phishing website that mimics the login page for Microsoft.The image below shows the fake login page:

Office 365 phishing login site

If the user continues to enter their login details into this site, then the attacker has been successful in stealing the credentials of the users Office 365 account. This account should now be deemed as compromised, and immediate actions are required.

What do I do or look out for?

If you receive what you believe to be a fake email, look out for the following:

  • Check the sender email address, this can be an indication that it’s fake. Normally an NDR is sent by ‘Microsoft Outlook’.
  • Check your sent items to confirm whether you did try to send an email to the stated recipient.
  • ‘Send Again’ links and buttons are not normally contained in these NDR emails. Do not click on email links unless you are certain the sender is trusted.
  • If you do accidentally click on the link or think that the link is genuine, check the address bar for the page and confirm its going to a Microsoft address.
  • If you are unsure never click on a link or enter your login details.
  • If you believe you have clicked on a link or entered your details into a phishing site, immediately change your password, and contact your Administrator / Security team ASAP to inform them of the issue. The earlier they know about the issue the more likely they can prevent significant damage or compromise.

What can I do to prevent this in the future?

User education on these types of phishing threats combined with good technology controls can help to prevent these types of attacks from impacting your business.

  • Enabling two-factor authentication for your Office 365 user accounts (using the Authenticator smartphone app) can help prevent unauthorised access to accounts when usernames and passwords are stolen.
  • The Cisco Umbrella Secure Internet Gateway can prevent access to fake phishing sites that attempt to steal user’s login details, when users are tricked into clicking fake phishing email links.
  • Email security products, such as Cisco Email Security can help prevent phishing emails from reaching your users.

Ironshare – Security Simplified


Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.


Ironshare is a provider of Information and Cyber Security services.

we went with; wizard pi