Office365 scamming redirect
Virus | 08/06/2018

How to get rid of Office365 Phishing Scam?

About: Office365 Phishing scam aims to steal your Office365 account credentials. The Phishing redirect alters user browser settings to cause browser redirects to fake Office365 login page. This is a trick to deceive users into entering their email cr...  Read More  

| Virus | How to get rid of Office365 Phishing Scam?

Guide to remove Office365 scamming redirect

Office365 Fake login page is a newly discovered email scam that aims to steal user email account credentials to gain access to their email accounts.

Office365 scamming redirect


Email is an essential service around the globe for both personal and corporate communication. It is the main service that enables users to create an account on other online platforms. Email services are deemed to be a bottleneck from security perspective.

Access to users email accounts can lead to the breach of their identity, embezzlements of funds, and numerous other problems besides that.

Statistics reveal that the average number of identity thefts in America due to unauthorized access to email accounts mounted to 27 million in last five years. In addition to this approximately 30,000 websites become victims of hackers on a daily basis.

Office365 Phishing Analysis

A new form of phishing attack detected displays a prompt of Office365 Fake login page that asks user to enter their Office365 credentials to login. The email service sign in screen also adds ©2017 PROTONMAIL.COM underneath to gain user confidence. If users fall in the trap and enter their credentials, their email accounts become a victim of unauthorized access. This information could in turn be used to breach user security and privacy and expose their identity.

Office365 scamming redirect

The phishing is known to originate from suspicious browser extension, an unwanted program installed on user system.

Users need to be cautious and are recommended to immediately take actions to remove the scam from their system on encountering Office365 pop –up on their browser screen.

Office365 Phishing virus- Threat Behavior

Office 365 scam virus is believed to be distributed via software bundles, spam email attachments and malevolent links.

  1. Once installed, the virus targets Windows Registry Editor to achieve persistence installation and automatically launch the infection on system reboot.
  2. Users are prompted with different sign in screens other than the ones from Office365, to trick users into stealing credentials of other services.Office365 scamming redirect
  3. The virus is known to modify browser settings. Hence, victims may experience modified homepage and new tab page in order to compel users to use suspicious third party search engines to see suspicious advertisements.
  4. The virus is also configured to track:
  • Browsing History
  • Cookies
  • Bookmarks
  • Online clicks
  • Ads clicked on by users
  • User Identifiable data such as username, passwords etc.

Users should not haste and scrutinize the system for malware if encountered with such pop-ups to ensure that the system is protected and saved from any phishing attempts.

Steps taken by Microsoft to detect unauthorized sign- in attempts

In lieu to prevent unauthorized access to your system, Microsoft email services have the provision to detect a sign-in attempt from a new location or a device. User is prompted with an email message or SMS alert if any attempt is made to login to the email form a new location or device. To ensure that the source of email message is legitimate cross verify the sender of the email. A legitimate email message should originate from Microsoft account team at

How is the Office365 “Virus” virus distributed?

  1. The virus may be distributed via a click on suspicious web links. The click on the link displays a notification which states: ‘To view the document select your email provider on the top and login with your email . Such web links may be sent via emails that demand unnecessary urgency and trick users to click on it in pretext of displaying important documents like invoice, receipts, bank documents etc.
  2. Software Bundling: Software bundling is the process in which a malicious program is distributed with other free software, to get an unnoticed entry into your computer system. When a user installs a free application, the malicious programs gains a front door entry with the free application, the user has downloaded. Thus, it is a good idea to keep an eye on the installation screens while installing these free applications.

Threat Summary

Name: Office365 Fake Login Page

Browsers Affected: Internet Explorer, Google Chrome, Microsoft Edge, Firefox

Targeted Operating System: Windows

Category: PUP (Potentially unwanted program), Phishing Redirect

Symptoms: Browser experiences automatic redirects to Office 365 login page that seeks username and password.

How to Remove Office365 scamming redirect from your computer system?

Note: Before we begin, try to remember how the extension got downloaded  on your computer system. Generally, these programs come bundled with free applications that we download off the internet. It is a good practice to locate and uninstall such programs while removing the Browser Hijacker/ Extensions.

Step A: Remove Office365 scamming redirect from Control Panel

Windows XP

  1. Click on the “Start” button on the bottom left corner of your screen. A Start menu will be displayed as shown below. From this menu select the option that reads “Control Panel”.Windows XP start menu image
  2. In the window that will be displayed, click the option “Switch to classic view”.Control panel switch to classic view
  3. This will display all the options/icons available to you. From the displayed icons, click on the icon that reads “Add or Remove Programs”.Windows XP add or remove a program
  4. Select the “Uninstall a program” option from the “Programs” category. A list will populate on the screen displaying all the programs.Uninstall a malicious program
  5. Select the programs related to Office365 scamming redirect and click on the Uninstall button.Windows XP confirmation window

Windows 7/Vista

  1. Right click on the “Start” button located at the lower left corner of the screen. From the Start menu, click on “Control Panel”.Windows 7 start menu
  2. The “Control Panel” Window will be displayed on the screen. Click on “Uninstall a Program” option from the “Programs” category.Uninstall a program from windows 7
  3. The “Programs and Features” window will be displayed on the screen. A list will populate on the screen displaying all the programs.
  4. Scroll though the list of programs and select the programs related to Office365 scamming redirect and then click on the “Uninstall” button.uninstall a program in Windows 7

Windows 8/10

  1. Right click on the “Windows logo” on the lower left side of the computer screen. From the drop down menu, select and click on “Control Panel”.Windows 10 start menu
  2. The “Control Panel” window will be displayed. From this window select “Uninstall a program” option form the “Programs” category.Control panel
  3. A list will populate on the screen displaying all the programs and features option
  4. Select the programs related to Office365 scamming redirect and click on the “Uninstall” button.uninstall a program in windows 8
  5. In the confirmation box, click on the box that reads “OK” to save changes.

STEP B : Remove Office365 scamming redirect from Registry Entries

  1. Type “Regedit” in search box / Run Box, select it and press Enter.
  2. An authorization dialog box will appear, then you just have to click “Yes”. (The dialog box appearance may vary depending on OS used. For Windows 10 the the dialog box looks like the first screenshot and for windows 7 it appears like the second screenshot)
  3. In the registry editor, take the backup of the current registry settings before making any changes in case you want to revert to old settings later. For this, Click on File option in the menu and select Export. Save the entry at a known location.
  4. From the Menu, Click Edit and Select Find.
  5. Enter Office365 scamming redirect and click OK in the search box.
  6. Select and delete suspicious  entries.

STEP C : Reboot your system to Safe Mode with Networking

To restart the system to Safe Mode with Networking,  if already switched ON then follow the below steps:

Windows 7/ Vista/ XP

  1. Click on Windows icon present in the lower left corner of the computer screen.
  2. Select and click  Restart.
  3. When the screen goes blank, Keep tapping  F8  Key until you see the Advanced Boot Options window.
  4. With the help of arrow keys on keyboard, Select Safe Mode with Networking  option from the list and press the Enter Key. The system will then restart to Safe Mode with Networking.

5 Click on the username and enter the password (if any).

Windows 10 / Windows 8

  1. Press and hold the Shift Key and simultaneously click on the windows icon present in the lower left corner of your computer screen.
  2. While the Shift key is still pressed click on the Power button and then click on Restart.
  3. Now select Troubleshoot → Advanced options → Startup Settings.
  4. When the Startup Settings screen appears which is the first screen to appear after restart, select and click on Enable Safe Mode with Networking. The system will then restart to Safe Mode with Networking.
  5. Click on the username and enter the password.

Restore your system files and settings

Method 1 using Control Panel

  1. Click on the ‘Start’ button on the taskbar. This will open the Start menu.
  2. Click on the ‘Control Panel’ button in the Start menu. This will open the control panel window.
  3. In the Control Panel window, click on the ‘View by:’ button on the top right. Select the Large Icon option
  4. In the control Panel window click on the ‘Recovery Icon’. This will open a window that will ask ‘Restore the computer to an earlier point in time’.
  5. Click on the ‘Open system restore’ button. This will open the ‘system restore ’window where you need to click on the Next Button.
  6.  Select the restore point that is prior the infiltration of Office365 scamming redirect. After doing that, click Next.
  7. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by Office365 scamming redirect

Method 2 using Command Prompt

  1. Type cmd in the search box and click on the command prompt to open the Command Prompt window. box and clicking on it.
  2. Once the Command Prompt window shows up, enter cd restore and click Enter.(Ensure that you in the system32 directory of Windows folder in C Drive)
  3. Now type rstrui and press Enter again.
  4. When a new window shows up, click Next and select your restore point that is prior the infiltration of Office365 scamming redirect. After doing that, click Next.
  5. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by Office365 scamming redirect

Method 3 : Directly type 'rstrui' in the search box

  1. Type ‘Rstrui’ in the search box present on the task bar. This will open the System restore dialog box.

Continue to follow steps 4 & 5 of Method 2 to restore the System Files and settings.

Tips to prevent your computer system from getting infected –

  1. Keeping the Operating System Updated- In order to remain protected and avoid such infections, it is recommended to keep your Operating System updated by enabling the automatic update on your system. The systems with outdated or older versions of Operating System become an easy target for the attackers.
  2. Resist clicking on spam emails – One of the major techniques used for malware distribution is forwarding spam emails to the user. The system gets infected as soon as the user clicks on the attachment. These mails appear to be genuine, so be aware and resist falling for these tricks.
  3. Keep an eye on third party installations- It is quite important that you take due care while installing any third party applications for they are major source of such infections. Such malware programs come bundled with the free applications thereby requiring the user to remain cautious.
  4. Regular periodical backup- In order to keep your data and files safe, it is recommended to take regular back up of all your data and files either on an external drive or cloud.
  5. Use Anti-Virus Protection- We strongly recommend the use of antivirus protection/internet security in your PC like Kaspersky Labs Inc and Avira so that it remains safe.
  6. Enable the Ad Blocker/Popup Blocker in your browser- Enabling the popup blocker/ ad blocker in your chosen browser will help you to stay protected from annoying adware.

Hits: 797

Leave a Reply

Your email address will not be published. Required fields are marked *

Did you find the article informative? Yes NO

Get Regular Updates Related to All the Threats

Want to stay informed about the latest threats & malware? Sign up for our newsletter & learn how to get rid of all types of threats from your computer.

Virus Removal Guidelines
Plot No 319, Nandpuri- B Pratap Nagar
Rajasthan 302033
Phone: +91 9799661866