Microsoft: Phishing Attack?


Microsoft recently issued several messages to Windows Live Messenger (MSN) users that could have easily been mistaken for a phishing attack. I know, because I received one. The messages asked users to change their credentials, and to confirm other information, in order to keep using the service. If you didn't, then your E-mail would be discontinued by a certain date.


Microsoft said on its blog that the messages were sent out in error and to continue using your e-mail account. It apologized and would review their processes to make sure that they avoided mistakes like this in the future.


Remember, a phishing attack is a social engineering attack. Social engineering attacks are targeted at people, and people are the weakest link in the security chain.


I have several small clients that use Windows Live Messenger and were affected by this as well. I received E-mails asking what they should do? I instructed them not to do anything because I could not believe that Microsoft would do this on such a large scale for no apparent reason. However, if it was a real phishing attack, I wonder how many people would have fallen for it just because it came (or appeared to come) from Microsoft?


As security professionals, we are constantly being tested. I am lucky that I have users that are very distrustful. That in itself is a challenge, but in this case a good one. Maybe that's the answer. Do we need to "turn into a distrustful society?