Lucky You, Microsoft has Sent You an Email! (Think Again). - Fake Microsoft security notification emails (Page 3 of 6 ) Microsoft gives its users the ability to subscribe to security email notifications regarding security software updates or security incidents. Unfortunately, many of us receive faked emails claiming to be from Microsoft. What do you do in this situation? Surely you don’t panic! There are several indications that will help you identify a bogus email. - Legitimate emails from Microsoft contain no attachments. Microsoft’s approach is to never send software updates or provide a link to the update. Instead, the email references Microsoft’s website for obtaining further information.
- Web site posting precedes email notification. Keep in mind that Microsoft never sends information about updates or incidents before posting it on the website. So, if you are not sure about the content of the email, you'd better check the website to find new announcements.
- Legitimate emails include valid URLs. If you suspect that you received a bogus email, don’t use any of the Web links included in the message, as they may be spoofed. It’s better to go directly to Microsoft’s website and navigate to the information you want.
In addition, to be sure that, when you visit Microsoft’s website it is actually the intended website, it’s best to reference the website over https:// instead of http://. When accessing Microsoft’s website over https:// you can verify that it’s the legitimate website by checking its certificate. Look for the ‘Issued to’ field and verify that the name provided on the certificate is the same as the URL you visited. You can access the certificate by double-clicking the lock icon located on the status bar at the bottom right of the browser.
Figure: Microsoft’s website digital certificate
- Legitimate emails are digitally signed using the Microsoft Security Response Center’s digital signature. The Microsoft Security Response Center uses its digital signature to sign all the email notifications send to subscribers. You can verify the legitimacy of the signature using the key published at http://www.microsoft.com/technet/security/bulletin/pgp.mspx.
In addition, Microsoft digitally signs software updates; so it’s wise to verify the signature of any executable before installing it on your system. Released software updates can be obtained from Microsoft Windows Update, Microsoft Office Update, or Microsoft Download Center. Bear in mind that when using, for example, Windows Update, the verification of the digital signature is made internally by Windows.
This task will be analyzed in detail in part II of this article, as I believe that digitally signing documents, code, and so on helps to prevent security incidents from happening when we actually know HOW to use and verify digital signatures. Otherwise, it’s a weapon we have and don’t know how to use it; probably it will explode in our own hands!
- You are not signed up for notifications by Microsoft. You have not subscribed to any security notifications and yet you receive emails from Microsoft? Lucky you… Or not? Probably it’s a fake email and you should be extremely careful with what you do with this message. The best approach is to delete it and then consult Microsoft’s website for possible software releases or security incident notifications.
Next: Verifying the integrity of system and driver files >>
More Windows Security Articles More By Eliana Stavrou |