Instagram Credential Phishing Attacks Bypass Microsoft Email Security

Written by

A credential phishing attack reportedly targeted 22,000 students at national educational institutions with a campaign impersonating Instagram.

The information comes from security experts at Armorblox, who highlighted the new threat in an advisory on November 17, 2022. 

"The subject of this email encouraged victims to open the message," reads the technical write-up. The goal of this subject was to induce a sense of urgency in the victims, making it seem an action needed to be taken in order to prevent future harm."

The email seemed to have come from Instagram support, with the sender's name, Instagram, and email address matching Instagram's real credentials.

"This targeted email attack was socially engineered, containing information specific to the recipient - like his or her Instagram user handle - in order to instill a level of trust that this email was a legitimate email communication from Instagram."

Once users clicked on a link in the email, a fake landing page opened, which included Instagram branding and details around the unusual login attempt detected, alongside a 'This Wasn't Me' button.

Upon clicking on the button, victims were directed to a second fake landing page designed to exfiltrate sensitive user credentials.

"The email attack used language as the main attack vector and bypassed native Microsoft email security controls. It passed both SPF and DMARC email authentication checks," Armorblox explained.

According to Sami Elhini, biometrics specialist at Cerberus Sentinel, verifying the origin of an email is from a valid domain is a good start, but further scrutiny is required concerning which valid domain the email originated.

"In this case, an email from should be viewed as suspicious as Instagram's domain is Where a service provides support, it may be advisable to contact support directly if you are unsure what action to take," Elhini told Infosecurity.

Erich Kron, the security awareness advocate at KnowBe4, echoed Elhini's point, saying that being comfortable with user interfaces and being able to navigate technologies does not mean individuals fully understand the risks.

"In our modern digital world, it is very important to stay educated on how to spot these sorts of social engineering attacks," Kron told Infosecurity.

The Armorblox advisory comes days after a Nigerian Instagram Influencer was sentenced to over 11 years in prison for laundering the proceeds of numerous cybercrimes.

What’s hot on Infosecurity Magazine?