In brief

  • Phishing emails are masquerading as Coinbase to harvest Microsoft 365 account logins.
  • Hackers send fake emails from the crypto exchange to trick users into handing over their login details.
  • As crypto enters the mainstream, hackers are increasingly spoofing known crypto brands to access other services, instead of vice versa.

A new wave of phishing emails is targeting Microsoft 365 accounts by masquerading as major cryptocurrency exchange Coinbase.

According to a report published by BleepingComputer this week, phishing emails are presented as notifications from Coinbase, informing users about the exchange’s "New terms of service" that they allegedly must read and accept. The hackers ask users to authorize a modified consent app—a version of the legitimate Office 365 application that gives third parties access to email accounts.


After clicking “Read and Accept Terms of Service FAQ," users are redirected to the real Microsoft website to log into their account, and then asked to give the malicious consent app—dubbed “”—access to read and write their mail.

While the hackers won’t be able to send new emails on users’ behalf this way, they can still gain access and read previous correspondence as well as edit unsent drafts. Likewise, such an attack could potentially be used to read various messages sent by two-factor authentication services.

Why are hackers impersonating Coinbase?

Speaking to Decrypt, Dave Jevans, CEO of crypto intelligence firm CipherTrace and chairman of Anti-Phishing Working Group (APWG), explained that malicious actors are increasingly masquerading as brands and well-known platforms.

“The use of consumer brands to trick users into giving out Office365 credentials has been on the rise,” Jevans noted. “Brands like Coinbase have tens of millions of users, so widespread spam campaigns can be effective.”

However, he added that Coinbase is not one of the most prevalently used brands for this type of phishing, according to the APWG eCrime phishing feed database. Most likely, hackers are just sending out these emails at random—and not targeting Coinbase users specifically.


“It is doubtful that a compromised list of email addresses from Coinbase is being used to gain access to your email account. Targeted phish would be more oriented at getting your login credentials to access your funds,” Jevans added.

When attackers knowingly target crypto users, they are usually trying to gain direct access to digital assets instead of emails or other accounts, he explained.

Nevertheless, the use of the Coinbase brand by hackers suggests that cryptocurrency-related services are gaining traction among the wider public—a trend that’s only set to continue as mainstream brands like PayPal adopt crypto. Just a few years ago, hackers mostly tried to gain access to crypto accounts by spoofing more mainstream platforms—but not vice versa.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.