Office 365 users targeted with fake voicemail alerts in suspected whaling campaign

Office 365 users at high-profile companies in a wide variety of industries are being targeted with voicemail-themed phishing emails, McAfee researchers have found.

They say that a wide range of employees have been targeted, from middle management to executive level staff, and that these emails could be part of a “whaling” campaign.

The deception

The malicious emails take the form of (fake) Microsoft-branded notifications telling recipients of a missed call.

They contain an attachment: an HTML file that, when loaded, shows potential victims to a page that:

  • Autoplays a file that sounds like a truncated, recorded voice message
  • Tells them to wait while the entire voice message is downloaded from the server
  • Instructs them to log in to access the message.

Office 365 voicemail phishing

The sound file is hosted on and pulled from The phishing pages to which the potential victims are redirected are hosted on various domains (IoCs have been made available by McAfee).

“The email address is prepopulated when the website is loaded; this is another trick to reinforce the victim’s belief that the site is legitimate,” the researchers explained.

When the password is entered, the victim is presented with a “successful login” page and redirected to the legitimate login page.

Harvesting credentials

The malicious emails have been delivered to management and executives of organizations in the service, financial and insurance industry, IT services providers, educational institutions, healthcare organizations, charities, critical infrastructure providers.

Three different phishing kits have been used to generate the malicious websites, the researchers found, and the pages record information about the visitors: their email address, the entered password, their IP address, and the region (location) from which they accessed the page.

“The goal of malicious actors is to harvest as many credentials as possible, to gain access to potentially sensitive information and open the possibility of impersonation of staff, which could be very damaging to the company. The entered credentials could also be used to access other services if the victim uses the same password, and this could leave them open to a wider of range targeted attacks,” they noted.

“What sets this phishing campaign apart from others is the fact that it incorporates audio to create a sense of urgency which, in turn, prompts victims to access the malicious link.”

They advise enterprises to block .html and .htm attachments at the email gateway level and to mandate the use of two-factor authentication (2FA) for important accounts (especially Office 365 and G Suite accounts).

Users are advised not to open attachments in unsolicited emails from unknown senders.

Don't miss