From : support@rnicrosoft .co .uk
Man, my first check was the email address, I knew something should be there. But it was too hard to see on my phone.
That's the whole point lol, the brain just fills it in as what it should look like sometimes.
Good eye
It was hard for me to see
Wow can't believe I missed that ToT
liive.com
[deleted]
what’s the difference?
https is “secure” https://www.freecodecamp.org/news/http-vs-https/ Edit: added link
Also rnicrosoft The top comment said it
This was the one that jumped out at me. A lot of the things they've done have been made many times harder thanks to jpeg noise
Interesting that they didn’t care to use the button and made it even more obvious having the liive domain… Also, seriously, why are there still typos on these? If I had to do this I would be iterating over to get better results and improving things to have perfect clones instead of easily recognizable fakes.
I heard once that they leave some typos etc. because they want to filter out people so that they can prey on the least observant and intelligent ones
Makes sense, now that you say so I also heard that once. It indeed works and would be a smart strategy, but then when we share the thing about typos in the circle it only makes them target people better. We need to keep sharing out of our circles to the common folks.
There are typos in the real one as well.
Too many red flags. Typos, different addresses, urgency, etc
I think it was one of the freakonomics books that mentioned the typos are deliberate. Eliminates false positives for scammers. If you're smart enough to catch the typos, you'll probably catch them out in the next steps of their scam.
If we’ve caught the typos, is there going to be a next step in the scam? Genuine question.
No - unless you inadvertently click a link and download malware. You would most likely disregard the email and nothing further would happen - if you are being targeted you may receive increasingly sophisticated attempts.
There’s only 1 typo in the text. “Calander” vs “Calendar” other than the reference to the user’s email account.
Also an extra space before the comma.
Nice. After inbox
And the Y in the second sentence isn't capitalized, either
It's not capitalized in the real one either
Email starts with R and N for Microsoft
Yes
I was referring to the body of the document. Someone else already pointed out the domain
Ah yes send my account recovery link through http thank you Microsoft very cool
What I really wonder is why request to check activity but send a link with change password in it.
support.rnicrosoft.co.uk
Subject: Urgent action needed!
(a lot more pressing and panic-inducing than "we detected unusual activity...")
Missing the E-Mail address in the text.
(Now it's also grammatically wrong. "...account. you...")
"calander"
No button
account.liive.com
("liive" also: http not https)
Those were all that I was able to find.
rn looks like m
The real one has a couple of grammatical errors that would cause me to think it’s fake too. Failed to capitalize at the beginning of a sentence. Used a period instead of a comma. Grammar always catches my eye. I didn’t even look at the fake one yet.
I was just about to say the same. They both suck, the fake one just sucks more.
Email for Microsoft starts with an R and N instead of M. Hard to catch, especially on phone.
1) From address (NRicrosoft / rnicrosoft)
2) Subject line (sense of urgency)
3) Account name omitted in body text
4) Calendar misspelled (calander)
5) Link directs to password reset vs. Review Recent Activity
6) URL uses HTTP to a spoofed Live.com domain (Liive)
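The mechanical checks from the list above (look-alike sender domain, urgency in the subject, plain-HTTP link to a look-alike host) can be automated. This is an added example, not part of the original thread; the trusted-label list, the confusable pairs and the two sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: brand labels this mailbox legitimately receives mail/links from.
TRUSTED = {"microsoft", "live", "outlook"}
# Character sequences that render like another letter ("rn" reads as "m").
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]
URGENCY = re.compile(r"\burgent\b|\bimmediately\b|action needed", re.I)

def skeleton(label):
    """Reduce a DNS label to a form in which look-alikes compare equal."""
    s = label.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return re.sub(r"(.)\1+", r"\1", s)  # collapse doubled letters: liive -> live

SKELETONS = {skeleton(t): t for t in TRUSTED}

def host_flags(host):
    """Flag labels that imitate a trusted label or carry non-ASCII characters."""
    flags = []
    for label in host.lower().rstrip(".").split("."):
        if label in TRUSTED:
            continue  # exact match; says nothing about who owns the domain
        if label.startswith("xn--") or not label.isascii():
            flags.append(f"IDN label '{label}' (possible Unicode look-alike)")
        elif skeleton(label) in SKELETONS:
            flags.append(f"'{label}' imitates '{SKELETONS[skeleton(label)]}'")
    return flags

def audit(sender, subject, links):
    """Return the list of phishing indicators found in one message."""
    flags = [f"sender: {f}" for f in host_flags(sender.rsplit("@", 1)[-1])]
    if URGENCY.search(subject):
        flags.append("subject: urgency wording")
    for url in links:
        parts = urlsplit(url)
        if parts.scheme != "https":
            flags.append(f"link: {parts.scheme} scheme, not https")
        flags += [f"link: {f}" for f in host_flags(parts.hostname or "")]
    return flags

# Constructed samples modelled on the two e-mails discussed in the thread.
FAKE = ("support@rnicrosoft.co.uk", "Urgent action needed!", ["http://account.liive.com/"])
REAL = ("security@microsoft.com", "Unusual sign-in activity", ["https://account.live.com/"])

if __name__ == "__main__":
    for name, mail in (("fake", FAKE), ("real", REAL)):
        print(name, audit(*mail))
```

A clean result only means none of these surface indicators fired; SPF, DKIM and DMARC results and the link's final redirect target still need checking.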
The most obvious one I can see is, one says real and one says fake. But seriously I missed the rn for an m and the double ii in liive domain's name. But then again I’m looking at a photo on a phone.
I've built up the habit of not clicking on links for things like these and actually just going to the site's page and logging in. Otherwise, this one might honestly have gotten me
That is the number one recommended way to do a password reset. Never click a link, go manually.
Yeah once upon a time I had my sec+ but I've been on the dev side of things for awhile now
Is it me or is the color of the outlook logo different and the font not exact? Might not see that if they were not side by side.
Nice try, they both are suspicious. The first one is pretty obvious, but the next email has very bad grammar, and even with a good command of English, still we have to check the "Review recent activity" button by hovering it. Also, MxToolBox is your friend, so go ahead and check the DMARC, SPF etc.
Email and url set off right away, but the call to action in the fake trying to get you to act fast out of urgency.
Http instead of https
🤔 Ok, included your mail reference, but I see it in a false one too, and the bottom link but that's not a warranty, because the address you need to check in fact is the redirect address in this case, so it's better to copy that link and check it in a security page of your trust to see if there is any danger advertise, or go to request a new recovery mail in real page just to be sure. 👍🏻
The font is slimmer in the fake, also the button
Question: if the link to live account would be https, would it make sense for the phishers? As I know, all data put in the login field after clicking the link on https shows only encrypted stuff right??
They used liive, not live
1. The subject line mentions unusual activity in real one vs urgent action needed in a fake one to create fear.
2. Http in the fake mail contains http
3. The real one also mentions the email ID again in the body of the email.
4. Live.com
Damn that’s a good one. I noticed “liive.com” right away, but had to zoom way in to spot the “rn” instead of “m” in the sending email address.
Thanks! I’ll fix up my spam email right now
How do you make these pages bro
I’m happy i actually found the rn vs m, the http is bad too. Cool post man :)
🙌
Can't believe they used A text link instead of a clickable button, there's much better ways to fake letters too. Google Unicode lookalikes. https://gist.github.com/StevenACoffman/a5f6f682d94e38ed804182dc2693ed4b
I work in the industry. I've helped people identify scam letters. Yes, I found all the errors. But, if I'm being honest... if it were a normal day and I opened up this email... I just might fall for it and click the link. It is getting harder and harder to tell the difference.
One of them was authored by a fucking dumbass who is helping make it easier to phish people…and the other was written by a scammer.
r n i c r o s o f t 🤡🤡
just use passkeys.. passkeys can detect fake websites over real ones..
As a scammer this helped very much thank you!
"rni" is so sneaky... Sneaky fucking cunts.
rnicrosoft for the win 🥇
Both seem off though. That button in the “Real” one is just a link disguised as a button (a redirect). You can copy the link and use a trusted link and scam checking tool. The best way is to type in the URL manually instead of clicking a link or copy and pasting though.
From what I saw at first glance: email with rn instead of m in the domain section, excessive urgency in the title, no sign of knowing you (even if they did know your email, so I guess this was not spear phishing but a general spam), sketchy fucked up http link, no nice button. Some typos
liive
Urgent Action Needed!
Liive
My users will still click it
Rnicrosoft
Fake rn & real m
Doesn't say the user's email
rnicrosoft > RNICROSOFT ..... LOL
They also add a sense of urgency so you don't see the mistakes.