Microsoft Outlook users are vulnerable to a new phishing attack that sends out spoofed messages that look like they are from Microsoft. In the attack, users are told that they have a new message, but that they need to reconfigure Outlook before it can be accessed. The message includes a link that asks the victim to enter user names, passwords, and information on the mail server. The attacker would then be able to read the victim’s email, and potentially gain sensitive financial information. In addition, the phisher gains full access to and control over the email account, and can use it to send out spam messages.
If you’re not paying attention, the message looks like it could be from an email administrator, and the disguised link that is included in the email appears to be a link to a Microsoft web site. Of course, it is not, and most users would know better, but the attack is casting a very wide net and is likely to catch more than a few victims by the time it’s done.
The phishing attack is quite ingenious. It’s easy enough to bluff somebody out of their user name and password, or even to steal them. But full control of the account can be had if the attacker also gets the mail server information.


