From: Microsoft Office [firstname.lastname@example.org]The email originates from 126.96.36.199 [mail.andrustrucking.com] which is a trucking company called Doug Andrus Distributing.. so perhaps Microsoft are farming out the updates to a random Idaho company. Or perhaps they have had their email system compromised (maybe by someone using the same phishing technique).
Date: 17 October 2013 02:54
Subject: Microsoft Windows Update
Evaluation period has expired. For information on how to upgrade your windows software please Upgrade Here.
Copyright © 2013 Microsoft Inc. All rights reserved.
Anyway, the link in the email goes to a legitimate but hacked site and then lands on a phishing page hosted on [donotclick]www.cycook.com/zboard//microsoft-update/index.php.htm. Despite the email saying "Windows Update", the landing page has had Office branding crudely pasted into it.
Entering your credentials simply takes you to a genuine Microsoft page: