Fake Microsoft security bulletin in the wild

If you (or someone you know) receives an e-mail about a zero-day exploit affecting Microsoft Outlook, do not, under any circumstances, click on the links embedded in the message. It's a phishing scam, folks. The Security Bulletin (MS07-0065) it points to doesn't exist. And just because it can never be said too often, I'll say it again here: Microsoft does not alert users to security issues via e-mail. Ever. That's what Windows Update is for. Details from Sophos are available here.


In the closing paragraphs of its announcement, Sophos explains why this lure has become so popular with phishers and malware authors: people have learned that patching their systems against exploits is part of the "job" of keeping them running properly, but have not yet grasped how that very awareness becomes a vulnerability if they let themselves be duped into reacting to messages like this one.

"Security bulletins from Microsoft describing vulnerabilities in their software are a common occurrence, and so it's not a surprise to see hackers adopting this kind of disguise in their attempt to infect Windows PCs," said Graham Cluley, senior technology consultant for Sophos. "The irony is that as awareness of computer security issues has risen, and the need for patching against vulnerabilities, so social engineering tricks which pose as critical software fixes are likely to succeed in conning the public."

In examples seen by Sophos experts, the emails have contained the recipient's full name, and the company they work for, in an attempt to lull users into a false sense of security.

"By using people's real names, the Microsoft logo, and legitimate-sounding wording, the hackers are attempting to fool more people into stepping blindly into their bear-trap," continued Cluley. "Users need to be on their guard against this kind of confidence trick or they risk handing over control of their PC to hackers with criminal intentions. They should also ensure that they are downloading Microsoft security updates from Microsoft itself, not from any other website."
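Two of the tells in this lure are mechanical enough to check automatically: the bulletin number is malformed (genuine Microsoft bulletin IDs take the form MSyy-nnn, a two-digit year and exactly three digits, so "MS07-0065" cannot be one), and the links point somewhere other than Microsoft. The script below is an added example written for this page, not code from the post or from Sophos; it parses a constructed message modelled on the lure described above, flags bulletin IDs that do not fit the MSyy-nnn pattern, and reports links whose host is not under microsoft.com or windowsupdate.com, whose visible text shows a different host than the real target, or which hand the user an executable directly. The sample message, the trusted-domain list and the flagged extensions are assumptions chosen for the demonstration.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure described in the post; not a real capture.
SAMPLE_EMAIL = """From: "Microsoft Security" <security@microsoft.com>
To: jane.doe@example.com
Subject: Zero-day exploit affecting Microsoft Outlook - Security Bulletin MS07-0065
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Dear Jane Doe (Example Corp),</p>
<p>A critical zero-day in Microsoft Outlook has been found. Please install the fix in
<a href="http://update-microsoft.example.net/patch.exe">Security Bulletin MS07-0065</a>.</p>
<p>Details: <a href="http://192.0.2.10/ms07-0065">http://www.microsoft.com/technet/security/bulletin/ms07-0065.mspx</a></p>
</body></html>
"""

# Matches anything that looks like a bulletin reference; validity is checked separately.
BULLETIN_ID = re.compile(r"\bMS(\d{2})-(\d+)\b")
# Assumed trust anchors: only these registrable domains (and their subdomains) may serve updates.
TRUSTED_SUFFIXES = ("microsoft.com", "windowsupdate.com")
# Assumed list of extensions that a legitimate bulletin link never hands over directly.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".zip")


def well_formed_bulletin(bid):
    """Genuine bulletin IDs look like MS07-065: two-digit year, dash, exactly three digits."""
    m = BULLETIN_ID.fullmatch(bid)
    return bool(m) and len(m.group(2)) == 3


def trusted_host(url):
    """True only if the URL's host is exactly a trusted domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw, policy=default)
    findings = []
    subject = msg["Subject"] or ""
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""

    # 1. Any bulletin ID in the subject or body must fit the MSyy-nnn format.
    seen_ids = {m.group(0) for m in BULLETIN_ID.finditer(subject + "\n" + html)}
    for bid in sorted(seen_ids):
        if not well_formed_bulletin(bid):
            findings.append(f"malformed bulletin id: {bid}")

    # 2. Every link must lead to Microsoft, must not lie about where it leads, and must not be a binary.
    parser = LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        if not trusted_host(href):
            findings.append(f"untrusted link host: {href}")
        if text.startswith("http") and urlparse(text).hostname != urlparse(href).hostname:
            findings.append(f"link text shows {text} but points to {href}")
        if urlparse(href).path.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings.append(f"direct executable download: {href}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run against the constructed sample, the script reports the malformed "MS07-0065", both off-domain link targets, the mismatch between the displayed microsoft.com URL and the raw IP address it actually points to, and the direct patch.exe download. The host check deliberately compares whole domain labels rather than doing a substring search, so a lookalike such as microsoft.com.evil.example is not trusted.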

Update: Well, a number of commenters have corrected me on my statement that Microsoft does not provide security alerts via e-mail. Apparently they do – on an opt-in subscription basis. And, apparently, the e-mails are PGP-signed (although, as the person who informed me of this pointed out, the vast majority of people don't have PGP installed). My best advice to those of you who prefer to be safe rather than sorry is to use Windows Update to check for any security (or performance-related) updates.
