Microsoft phishing scam exploits the passing of Queen Elizabeth II

A phishing campaign using the name of Queen Elizabeth II was identified a day after British authorities warned this would happen.

The credential phishing campaign exploits the queen's death to bait victims into giving away their Microsoft account information, including multi-factor authentication (MFA) codes.

It employs a relatively new phishing-as-a-service toolkit known as EvilProxy, according to Proofpoint, a cybersecurity firm that spotted the campaign. The kit is available for sale on the dark web and underground forums and is advertised as an easy way for threat actors to bypass MFA.

"Messages purported to be from Microsoft and invited recipients to an 'artificial technology hub' in the queen's honor," Proofpoint said on Twitter, where it also shared a screenshot of the phishing email.

The screenshot shows recipients being asked to join "an interactive AI memory board" and unite in "heavy loss" with "famous people, people close to the queen" by writing a memo dedicated to her. Clicking the link embedded in the message instead redirects the victim to a landing page that asks for their Microsoft credentials.

Example of phishing email. Image by Proofpoint.

"Messages contained links to a URL redirecting credential harvesting page targeting Microsoft email credentials including MFA collection," Proofpoint noted.

The phishing campaign was spotted a day after the UK's National Cyber Security Centre (NCSC) warned there might be an increase in phishing emails and other scams related to the queen during national mourning.

"Cyber criminals often play on your emotions to get you to click, and may also refer to high profile current events," the agency said. It urged people to be "aware" of scams and be attentive to emails, text messages, and other communications related to the death of Queen Elizabeth II and arrangements for her funeral.