Fake voicemail notifications are after Office365, Outlook credentials

A phishing campaign using fake voicemail notifications has been targeting, and is still targeting, various US-based organizations in an attempt to grab employees’ Office365 and Outlook login credentials, Zscaler warns.


The campaign appears to be a repeat of a previous, similar one, and targets security solution providers, software security developers, supply-chain organizations in manufacturing and shipping, healthcare and pharmaceutical firms, and the US military. Zscaler was itself among the targeted organizations, which allowed its researchers to analyze the campaign in full.

How the attack unfolds

The whole thing couldn’t be simpler: the target receives a fake notification via email, saying that they have a new voicemail and that they can listen to it by opening the enclosed HTML attachment.

To make the notification more believable, the attackers make sure that the email’s ‘From’ field specifically mentions the targeted organization’s name.

The attached HTML file contains encoded JavaScript that ultimately directs the target to an attacker-controlled site, the URL of which is specifically crafted for the targeted individual and the targeted organization.

The target first encounters a CAPTCHA check, which serves to evade automated anti-phishing tools, and then lands on a Microsoft-themed phishing page hosted on a domain that has no relation to Microsoft but otherwise looks believable.
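The lure described above has a recognizable shape (voicemail wording, a spoofed display name, an HTML attachment carrying encoded JavaScript that redirects the browser), so a mail-gateway or IR triage script can score messages on exactly those traits. The following is an added example written for this article, not Zscaler's or Microsoft's code; the heuristics, the constructed sample message and every name and domain in it (Contoso, example.invalid) are assumptions, not campaign indicators.

```python
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Heuristics from the campaign as described: voicemail wording, HTML attachment, encoded JS, redirect.
VOICEMAIL_WORDS = re.compile(r"voice\s*mail|voice message|missed call", re.I)
JS_DECODERS = re.compile(r"\b(atob|unescape|decodeURIComponent|String\.fromCharCode)\s*\(")
JS_REDIRECT = re.compile(r"(window\.)?location(\.href|\.replace|\.assign)?\s*[=(]|document\.write\s*\(")

def html_attachments(msg):
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.is_attachment() and (part.get_content_type() == "text/html"
                                     or name.endswith((".htm", ".html"))):
            yield name, (part.get_payload(decode=True) or b"").decode("utf-8", "replace")

def display_name_spoofs_org(msg, org_name):
    """True when the From display name contains the org name but the sender domain does not."""
    realname, addr = email.utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1]
    return org_name.lower() in realname.lower() and org_name.lower() not in domain.lower()

def score_message(raw_bytes, org_name):
    """Return (score, reasons) for one raw RFC 5322 message; each matched heuristic adds one point."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    reasons = []
    if VOICEMAIL_WORDS.search(text):
        reasons.append("voicemail lure wording in subject/body")
    if display_name_spoofs_org(msg, org_name):
        reasons.append("From display name claims the organisation but the sender domain does not")
    for name, html in html_attachments(msg):
        reasons.append(f"HTML attachment: {name or '(unnamed)'}")
        if JS_DECODERS.search(html):
            reasons.append("attachment calls a JavaScript decoder (encoded script)")
        if JS_REDIRECT.search(html):
            reasons.append("attachment performs a client-side redirect")
    return len(reasons), reasons

def build_sample():
    """Constructed lure in the shape the article describes; every name and domain is a placeholder."""
    msg = EmailMessage()
    msg["From"] = '"Contoso Voicemail" <notify@mail-relay.example.invalid>'
    msg["Subject"] = "New Voicemail Message (0:42)"
    msg.set_content("You have a new voice message. Open the attachment to listen.")
    # Constructed attachment: base64 of https://example.invalid/ wrapped in atob() plus a redirect.
    html = '<html><script>var p=atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv");window.location.href=p;</script></html>'
    msg.add_attachment(html, subtype="html", filename="Voicemail.html")
    return msg.as_bytes()
```

Run `score_message(build_sample(), "Contoso")` to see all five heuristics fire on the constructed sample; in practice the score threshold is tuned against the organisation's own legitimate voicemail-to-email traffic.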


“The goal of the threat actor is to steal credentials of Office365 and Outlook accounts, both of which are widely used in large enterprises,” Zscaler researchers say.

Voicemail-themed phishing campaigns are still going strong, they note, because they are effective. Users should not open attachments in emails from untrusted or unknown sources, and should verify the URL in the browser’s address bar before entering any credentials, they advise.

The company has shared a list of attacker-registered domains enterprise defenders can block access to.
