Like most phishing scams, this one starts with an email. According to Microsoft's write-up, the email looks fairly professional and asks the user to click a link. At this point, more experienced users might be apprehensive and check the link for signs of phishing. However, these links are well-crafted and may fool even the most diligent eye.
Upon clicking the link, the user is led to a page that, again, looks very professional and even asks for a reCAPTCHA verification (a step that also keeps automated link scanners from reaching the form behind it). This page then asks for the user's password.
“If the user enters their password, the page refreshes and displays an error message stating that the page timed out or the password was incorrect and that they must enter their password again.”
“Once the user enters their password a second time, the page directs to a legitimate Sophos website that claims the email message has been released. This adds another layer of false legitimacy to the phishing campaign.” – Microsoft Blog
While it's a quick process, it's all the scammers need to capture login credentials. The scripted "incorrect password" retry is a standard kit trick: it hands the attacker a second, carefully typed copy of the password and leaves the victim with no sign that anything went wrong, especially once the final redirect lands on a real Sophos page. And with the believability of these emails, it's likely that many people are falling victim to it.
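To make the flow above concrete, here is a small added example (not code from Microsoft's write-up or from the kit itself) that models the lure page's server-side logic as described, and then hunts for the same traffic shape in constructed proxy-log records. The hostname `mail-quarantine.example`, the record fields, and the trusted-host list are assumptions chosen for illustration; the redirect target follows the page's statement that the second submission lands on a legitimate Sophos site.

```python
"""Model of the two-prompt credential harvester described above, plus a hunt
over constructed proxy-log records for its traffic shape.

Everything here (hostnames, field names, log layout) is an assumption made for
illustration; it is not code from Microsoft's write-up or from any real kit."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

LURE_HOST = "mail-quarantine.example"        # assumed phishing host (constructed)
LEGIT_REDIRECT = "https://www.sophos.com/"   # page says the final redirect is a real Sophos site


@dataclass
class Harvester:
    """Server-side logic of the lure page, reconstructed from the description."""
    captured: list = field(default_factory=list)   # (session, attempt, password)
    attempts: dict = field(default_factory=dict)

    def submit(self, session: str, password: str) -> dict:
        n = self.attempts.get(session, 0) + 1
        self.attempts[session] = n
        # Every entry is stored; nothing is ever verified against a real account.
        self.captured.append((session, n, password))
        if n == 1:
            # First entry: scripted "error" to make the victim type it again.
            return {"status": 200,
                    "body": "The page timed out or the password was incorrect. "
                            "Please enter your password again."}
        # Second entry: bounce to a real page so the victim sees nothing odd.
        return {"status": 302, "location": LEGIT_REDIRECT}


@dataclass(frozen=True)
class ProxyRecord:
    """Minimal proxy-log record (constructed layout, not a real product format)."""
    session: str
    method: str
    host: str
    status: int
    location: str = ""   # Location header on 3xx responses


def find_double_prompt_redirects(records, trusted_hosts):
    """Flag sessions with two consecutive POSTs to the same untrusted host where the
    first is answered 200 (the scripted error) and the second 302 to a different host.

    Detection is per session, so the ordering of records within a session matters."""
    by_session = {}
    for r in records:
        by_session.setdefault(r.session, []).append(r)

    hits = []
    for sid, recs in by_session.items():
        posts = [r for r in recs if r.method == "POST"]
        for first, second in zip(posts, posts[1:]):
            if first.host != second.host or first.host in trusted_hosts:
                continue
            if first.status == 200 and second.status == 302 and second.location:
                target = urlsplit(second.location).hostname
                if target and target != first.host:
                    hits.append((sid, first.host, target))
    return hits


# Constructed sample traffic: session s1 walks through the lure as described;
# session s2 is an ordinary mistyped-then-correct login on the corporate SSO,
# which has the same shape and is only excluded by the trusted-host list.
SAMPLE_LOG = [
    ProxyRecord("s1", "GET",  LURE_HOST, 200),
    ProxyRecord("s1", "POST", LURE_HOST, 200),
    ProxyRecord("s1", "POST", LURE_HOST, 302, LEGIT_REDIRECT),
    ProxyRecord("s1", "GET",  "www.sophos.com", 200),
    ProxyRecord("s2", "GET",  "login.corp.example", 200),
    ProxyRecord("s2", "POST", "login.corp.example", 200),
    ProxyRecord("s2", "POST", "login.corp.example", 302, "https://mail.corp.example/"),
]
TRUSTED_HOSTS = {"login.corp.example"}


def walk_victim_session(harvester: Harvester, session: str, entries):
    """Drive the harvester the way a victim would and return the responses seen."""
    return [harvester.submit(session, pw) for pw in entries]


if __name__ == "__main__":
    h = Harvester()
    for resp in walk_victim_session(h, "s1", ["Winter2021!", "Winter2021!"]):
        print(resp)
    print("captured:", h.captured)
    print("hits:", find_double_prompt_redirects(SAMPLE_LOG, TRUSTED_HOSTS))
```

The hunt is deliberately narrow: a genuine login retry followed by an SSO redirect produces the same two-POST shape, which is why the corporate login host has to be allow-listed, and why a hit is a lead to pivot on (which email delivered the link, which account's password was entered) rather than a verdict on its own.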