IT Security Blog

23 June 2009

Yet Another Fake Microsoft Update Email Scam Making the Rounds


In the vein of beating a dead horse, our Threat Operations Center has found another fake Microsoft Outlook/Outlook Express scam with a link to malware making the rounds.  This new variant shows a bit more effort in attempting to make the email appear as if it is actually from Microsoft.

This new tactic is similar to the two previous instances we have seen over the last 3 weeks, where emails were being sent out that claimed to link to updates for Microsoft Outlook and Outlook Express.  Those earlier emails were text based, however, and outside of using the names of Microsoft products as a lure, didn't contain any convincing social engineering to persuade the recipient that the message was authentic.  This new variant goes one step further by creating an HTML based message that resembles the formatting one would see when viewing a Microsoft Tech Bulletin.

A screen shot of the received message is below:




As you can see, this isn't the full message, but the pertinent parts are included.  There are several links at the bottom of the message labeled "Contact Us", "Privacy Statement", and a couple of others which link off to the Microsoft site in an effort to make the email appear more authentic. 

The creators of this new variant also put a little extra care into how they crafted the URL used in the email.  As you can see from the example above, the display URL appears as if it is going off to update.microsoft.com, which isn't uncommon.  In the background these links typically go either directly to an IP address or to a domain that is clearly not associated with the company being spoofed.  The tactic used here is the latter of the two, but you have to pay close attention: if you only glance at the URL, you'll miss something important. 

For example, here is one of the URLs that our TOC observed:

hxxp://update.microsoft.com.hfhilf.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=137389514006574829074907904242972292094527445893638626111136583

You'll notice that the link really goes to "hfhilf.com", clearly a domain not associated with Microsoft.  The "update.microsoft.com" portion is just a chain of subdomain labels placed in front of that domain, and it is followed by a path and query string that look very much like a legitimate Microsoft Office update path. 
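As an added example (not part of the original post or its Threat Operations Center tooling), the following Python checks a link the way a mail filter or analyst would: it refangs the quoted "hxxp" URL, extracts the real hostname, and compares the registrable domain against the host the link text claims to point at. The two-label "registrable domain" rule and the sample links are simplifying assumptions; a production check would consult the Public Suffix List.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed samples mirroring the post: visible link text vs. actual target.
SAMPLE_LINKS = [
    ("update.microsoft.com",
     "hxxp://update.microsoft.com.hfhilf.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=1"),
    ("update.microsoft.com", "https://update.microsoft.com/download"),
    ("www.microsoft.com", "http://203.0.113.5/update.exe"),  # documentation IP range
    ("www.microsoft.com", "http://hfhilf.com/"),
]

def refang(url: str) -> str:
    """Undo the hxxp/hxxps defanging used when quoting malicious URLs."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: no multi-label public
    suffixes such as co.uk; use the Public Suffix List for real traffic)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_link(display_host: str, href: str) -> str:
    """Classify a link whose visible text names display_host but whose target
    is href: 'ok', 'ip-literal', 'lookalike-subdomain' or 'mismatch'."""
    host = (urlparse(refang(href)).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return "ip-literal"          # link goes straight to an address, no domain at all
    except ValueError:
        pass
    expected = registrable_domain(display_host)
    actual = registrable_domain(host)
    if actual == expected:
        return "ok"
    # The trick from the post: the brand's domain appears as a contiguous run of
    # leading labels, but the registrable domain at the end belongs to someone else.
    if ("." + expected + ".") in ("." + host + "."):
        return "lookalike-subdomain"
    return "mismatch"

def scan(links):
    """Return (verdict, href) for every link that is not 'ok'."""
    return [(classify_link(shown, href), href)
            for shown, href in links if classify_link(shown, href) != "ok"]

if __name__ == "__main__":
    for verdict, href in scan(SAMPLE_LINKS):
        print(f"{verdict:20} {href}")
```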

As usual, there are a couple of grammatical errors that are your basic tipoff that this message is not from Microsoft.  Couple that with the fact that Microsoft does not generally blast out update notifications in this manner and you have two tell-tale signs that this email is the work of cyber criminals, not an official update notification. 
Posted by smasiello at 8:22 AM | 2 comments
Re: Yet Another Fake Microsoft Update Email Scam Making the Rounds
[Complete Mail Transaction], Details=[From Host=XWIOLINME, Size=8 KB, From=reappraisesr359@spitvenom.com, To=####@#########.com

I got one of those emails. Above is at least one of the zombie email addresses that is sending out the fake email.

It's nice having a server and being able to tell who really sent an email.
Posted by Chris on June 24, 2009 at 9:13 PM

Re: Yet Another Fake Microsoft Update Email Scam Making the Rounds
Thanks for the heads up on this one. Sad that some people see this as funny isn't it?
Posted by Crail on June 27, 2009 at 10:15 PM
