2018-07-18: Warning about new type of fraudulent/phishing page (appearing to be about a Dropbox message)

Hello all,

We’ve started to see a somewhat new type of phishing message directed to some of our faculty and staff.  Below is a screenshot of the message (the red square is added by me and the recipient’s info is redacted).

What is interesting about this is that there is no actual attachment (other than an image file).  The section where it looks like a PDF attached (I’ve highlighted this with a red box) is just an image file with a link to an external/fraudulent site.
The actual destination link of the site I’ve included below (with part of it removed so no one clicks on it):
http://https-login-microsotfonline-com-verified.{REDACTED SITE}.com /verified={REDACTED}

They include a whole bunch of stuff at the beginning of the site’s address to make it LOOK like it is legitimate - but the actual site that owns it is not Microsoft (or microsotf – as it is misspelled here intentionally).  Despite their use of the word ‘verified’ or ‘https’ in the site, it is to a site mentioning “constructioninc” in the address (whether this is a legitimate site that got hacked, or a site setup just by the scammers, I don’t know).
 

Screenshot of fraudulent dropbox message

Regardless, if you had clicked on the site – they would bring you to a page that looks similar to Microsoft’s login site for Office 365 (though without the New Paltz branding), as seen in the screenshot below:

Screenshot of fraudulent landing page - that is made to look like the Office 365 login page