Simulated Phishing Email of June 2025 – “Dubai End of Academic Year Arrangements” Has Been Shared With You

Author:Author Leo
Published: Posted on

Can you trust this page?
If you look in the address bar (at the top of this page) you will see that this page is on the blog.bham.ac.uk site. This tells you that the page is within the bham.ac.uk internet domain which is owned by the University of Birmingham. If you came to this page to confirm if a test phishing email really was a test, then also check that the image of the email below matches the email you were sent.

What we did
On Monday 2nd June, IT Security sent a simulated phishing email to a number of staff (selected randomly) in Dubai.

The email claimed to be
– From: noreply at micrAsoft-395office.com
– Subject: File “Dubai End of Academic Year Arrangements” has been shared with you
– it pretended to be a link to a SharePoint page containing a file called Dubai End of Academic Year Arrangements.pdf

If you clicked on that link, you were asked for your username and password. Those people who entered any username and password were taken to a page reassuring them this was a benign phishing simulation by IT Security. No passwords were collected or stored!

Why we did this
This is about learning not blaming. We think of this as serving the same purpose as an unannounced fire drill, to make people more aware of the most common ways that criminals steal passwords. Our aim is not to penalise, embarrass or make anyone feel bad if they “fell for the scam”. You are not in any trouble because of this. No-one will be “named and shamed”. Your line manager(s) will not be told.

This simulated phishing email is based on real-life examples of malicious emails intercepted by our automated defences.

An image of the email – with the suspicious parts marked in red

Although this email does not contain many of the “tell-tale” signs, it is suspicious because:

  1. It comes from outside the University, as you would expect if it was from Microsoft SharePoint,
    BUT
    • the Sender email address is micrasoft-395office.com not no-reply@sharepointonline.com for emails from SharePoint.
    • Emails from Microsoft Sharepoint have a warning message with a pale blue background not a yellow background.
  2. Most University messages to all staff would usually have the short message within the email or have a link to a web page with more detailed relevant information. It would be odd for an email directed to many staff to link to a .pdf document on SharePoint.
  3. This email does not have many of the tell-tale signs of spam/phishing we may have relied on in the past. This is because attacks are become more sophisticated:
    • correct spelling, grammar and style do not mean that it is a genuine email. Some scammers can write perfect English – with or without the help of AI tools such as Microsoft CoPilot or ChatGPT.
    • Genuine logos and backgrounds are easily copied from the real sites.
  4. If you reached the sign-in screen, the URL at the top says micrasoft-395office.com which is fake.
    NB: some scammers copy real logos and backgrounds from genuine websites to fool you – so always look carefully at the address bar at the top of a sign-in screen.
  5. It asks for a username and password. Any email which links to a place where you are asked to give your username and password, should be treated with caution – you should pause, think and ask yourself:

Who is the email really from? Whose page are you actually signing into?
Does the sending address and URL at the top of the sign-in screen match the alleged Sender?
In this case, the Sender’s email domain address is 
@micrasoft-395office.com
not
@sharepointonline.com @microsoft.com or office.com or bham.ac.uk or login.microsoft.com
as you might expect if were really from Microsoft or the University of Birmingham.

Where does the link take you?
You can reveal the full address:

  • on a computer, by hovering the mouse pointer over the link (without clicking on it!)
  • on a phone/tablet by a long press holding down on the link.

In this example, Dubai End of Academic Year Arrangements.pdf links to micrasoft-395office.com which is not a Microsoft or University of Birmingham website.


You should always ask yourself the following:

  • was I expecting this email?
  • is the Sender known to me?
  • Is the sign-in screen URL correct?
  • and was I expecting them to send such a message or (in some cases) share a file?

In future: if you receive a suspicious email, please don’t simply ignore or delete it, but use the Report button in the Outlook menu. This trains our automated systems and helps to protect less expert/less alert colleagues from items which slip past our defences. If enough people report an email, all copies will be pulled into Quarantine, pending assessment. Using the Report button is much faster than opening an incident ticket or emailing IT Security.

Further quick training (5-10mins).

Fraudsters are very devious in using addresses which look similar to genuine ones. This page, from CalTech, shows you how to read URLs (web addresses) correctly, to help you to avoid some of the dirty tricks used https://www.imss.caltech.edu/services/security/recommendations/how-to-read-urls

You can test your knowledge by identifying which of 10 emails are legitimate or phishing in this quiz https://www.phishingbox.com/phishing-iq-test/quiz.php

If you work or study at the University of Birmingham and have questions or comments about this phishing campaign, then contact: itsecurity@contacts.bham.ac.uk

 

Leave a Reply

Your email address will not be published. Required fields are marked *