Just when we think we’ve figured out an attack pattern from the scammers behind these campaigns, they change up tactics and deploy better graphics, malicious attachments and more sophisticated messages. Tap or click here to see if you can pass this phishing practice test. Phishing scams usually try to get you to their malicious payload as quickly as possible, so when security researchers discovered a new type of campaign featuring multiple steps and downloads, they knew they had to dive deeper. As it turns out, this new campaign is just as dangerous as classic phishing schemes — and might even have an easier time making it to your inbox. Here’s why.

Stealing your data with a bunch of extra steps

According to Sophos, a new breed of phishing email has started making the rounds that has a much better chance of evading your spam filter and hitting your inbox. Not only does this scam make use of hacked accounts to attack people, but it also requires the victim to jump through multiple hoops in order to get infected in the first place. What an insult! When the email first arrives, it appears to come from someone you know. In most cases, like the email received by Sophos, this message will appear to come from a manager, coworker or authority figure. This could be another type of BEC, or “business email compromise,” targeting executives in the corporate sector. The message will typically have some kind of file attachment for you to download (red flag #1), and opening it redirects you to a Microsoft Sharepoint page for you to download the file. This link is legitimate, however, and the Microsoft software isn’t compromised at all. This roundabout method simply prevents email defenses from marking the message and attachment as spam. If you download the file (typically a OneNote document or another kind of Microsoft Office file), you’ll suddenly see another link for you to click that says “Review file” (red flag #2). If you hover over this link, however, you’ll quickly realize it doesn’t even take you to a file at all. Instead, you end up on a bizarre-looking Microsoft “login page” with a non-matching web address (red flag #3). As you can guess, logging in here is a bad idea. In fact, doing so gives the scammers your account credentials so they can spread their campaign even further. It may seem like too many steps to arrive at the same conclusion as a quick phishing email, but anything that can help these messages avoid spam filters is a big win for cybercriminals. Tap or click here for a quick rundown on another phishing scheme targeting Microsoft Office users.

What can I do to avoid getting phished by this campaign?

As we’ve said before, opening any email attachment in this day and age is a major risk. Even if you know the contact who sent you the file, it never hurts to dial them up and confirm that they sent it to you. As this new campaign shows, it’s becoming easier for scammers to masquerade as someone you trust. The same level of skepticism should be taken with any link you receive as well. Hover over the link with your mouse (without clicking it) and take note of the website that appears. If it doesn’t appear to be legitimate, disregard the message and delete it. Last, but not least, it’s important to avoid sharing any kind of sensitive logins anywhere but where they belong. This means only logging into Microsoft Office through a Microsoft site or app, or logging into Facebook through Facebook.com. In addition, you can add extra protection to your login by enabling two-factor authentication. Even if a phishing campaign manages to steal your login, they’ll need access to your physical smartphone to complete the login. Plus, you’ll know when they’ve tried to access your account so you can change your password. Tap or click here to see how to enable 2FA for your favorite websites. With phishing campaigns, you’re only as vulnerable as you are naive. If you’re wise to the tricks and skeptical about anything coming into your inbox, you won’t fall victim to one of these scams. Let’s keep it that way.