Just when you thought they couldn’t get any more clever, a new phishing scam forewent the usual credential-hacking tactics in favor of something sneakier: looking a lot like Microsoft’s Office365, a household product most of us know and trust.

Here’s how they did it: unlike the usual phishing method of prompting victims to enter user name and password, an email with “information” on COVID-19 appears in their inbox containing links as bait. Once clicked, the links request special permissions for access to a Office365 doppelganger. Since the user never enters their credentials, they are not on alert and therefore lulled into a false sense of security; but once they grant those permissions, hackers can then attack and manipulate the victim’s actual Office account.

Though more than 60 countries and CEO’s were targeted in this widespread and advanced Phishing campaign, Microsoft urges caution to individual PC users in its wake. As phishing scams become more advanced, using entirely new methods such as these that don’t even need login credentials to hack its victims, we too must become more adamant about using 2-factor authentication, identifying suspicious emails, and backing up data frequently. As a business owner, you may also consider investing in cyber-security education more frequently for your employees.