Ongoing e-mail Scam targeting Office 365 Customers
Please be informed that there is an online email scam going on,
targeting Office 365 customers.
The scam starts with the following kind of email:
(Note: We have removed personal information from this screenshot)
The link in this email will redirect you to a “Fake” Office 365 Login.
When users enter their username and password, it will be sent directly to the hackers, and they will use the information to access your Office 365 account.
Please share this information with all your colleagues, to prevent any leak of sensitive information.
How to Identify if a OneDrive link is safe?
Obviously this is NOT an Office 365 or Microsoft website.
If you are not sure about the origin of an email, always contact the sender first before opening the file.
Be aware of e-mail scams
In the past week we helped a new customer to implement Office 365.
This particular customer (whom out of privacy reasons we do not name) is a mid-sized company in Hong Kong with approximately 80 employees. They had been evaluating Office 365 over the past few weeks, and finally had decided to implement the Business Premium edition, that includes not only the Exchange email services, but also the full Office suite, OneDrive and SharePoint.
After a successful kickoff meeting and training session we started the implementation, where the first step is the registration of the Office 365 license. During the registration, you need to enter the company name, address, contact person, but most important, you need to choose a User ID which will be used within Office 365. The user ID consists of a username and an domain which ends with “onmicrosoft.com”.
When we entered the customers company name, the following error message popped up:
(To respect the privacy of our customer we have made up a name in the screenshot)
Our customer immediately started to panic:
“Is this a problem?”
“How can someone else use our company name?”
“What can we do to take it back?”
“What if we can’t take it back?”
In order to identify whether this used name is indeed a serious issue, you have to consider the following
While Microsoft writes the following information in their Office 365 FAQ:
Why do I have an “onmicrosoft.com” domain?
Office 365 creates a domain for you, like contoso.onmicrosoft.com, when you sign up with the service. The user ID that you create when you sign up includes the domain, like email@example.com.
- You can’t rename the onmicrosoft domain after sign-up. For example, if the initial domain you chose was fourthcoffee.onmicrosoft.com, you can’t change it to be fabrikam.onmicrosoft.com. To use a different onmicrosoft.com domain, you’d have to start a new subscription with Office 365.
- You can’t rename your team site URL. Your team site URL is based on your onmicrosoft.com domain name, and because of the way SharePoint Online architecture works, unfortunately you can’t rename the team site.
- You can’t remove your onmicrosoft domain. Office 365 needs to keep it around because it’s used behind the scenes for your subscription. But you don’t have to use the domain yourself after you’ve added a custom domain.
Is this a problem?
Looking at the information above, it may seem at first sight, that the domain name is not that important, since you can link Office365 with your own company domain name later, and have all users log on with their firstname.lastname@example.org.
However, the second point that Microsoft mentions is worth thinking about: You can’t rename your team site URL.
If you are planning to use SharePoint, then the sharepoint URL will be linked to your account name, in this case [companyname].sharepoint.com. Therefore your company account name IS important, if you want to have a uniform naming standard for your employees.
So if you are going to use SharePoint, then yes, this can be an issue.
How can someone else use our company name?
In the past we have identified different cases. It may be a company from another country that has the same name as yours, and (unfortunately for you) they were quicker in their switch to Office 365, resulting in the fact that they now own your desired account name.
The possible cause is that one of the IT employees in the company has created a test account previously, and (most probably) forgot about it. In case he or she is still working for this company, it is possible to retrieve the account password and continue the setup of Office with the “old” account.
What can we do to take it back
If the employee already has left the company, it may be a complicated matter to find out how to retrieve the password, as you may not have access to previous records. Contacting Microsoft is an option in this case, but they will verify if the person registered has used the same company name (and company email address) that you are using. If these are not the same, you may find yourself in a difficult case proving that the account ID belongs to you.
What if we can’t take it back?
If you are unable to prove the ownership of the other account, then you have only one option left and that is to use another account name, which may be similar to your original name. Some companies choose to add Ltd, or the country name to it. The fact is, everything is possible, as long as the account is not in use.
With the growth rate that Office 365 is expanding right now, the chance will increase that your desired username will be registered by someone else. Therefore we urge companies that are considering to implement Office 365 sooner or later, to just start with the registration with one or two accounts. At least by doing this, you can make sure your desired company ID and SharePoint name will be yours.
AccessOrange helps businesses optimize their operations by utilizing smart technology and cloud solutions.
• Productivity Solutions
• Collaboration Tools
• Data Science & Business Intelligence
• Cloud Adoption