Ongoing phishing scams have been spotted targeting Microsoft Office 365 with partial audio voicemail messages to convince targets that they need to login to hear the full recording.
While using actual audio recordings in voicemail phishing scams is not new, researchers from McAfee have recently seen an uptick in their usage by various phishing kits targeting MS Office 365 credentials.
“Over the past few weeks McAfee Labs has been observing a new phishing campaign using a fake voicemail message to lure victims into entering their Office 365 email credentials, “McAfee researchers stated. “At first, we believed that only one phishing kit was being used to harvest the user’s credentials. However, during our investigation, we found three different malicious kits and evidence of several high-profile companies being targeted.
These companies pretend to be from Microsoft Office 365 and state that a call was missed and the caller left a voicemail.
- Attached to the email is an HTML, attachment that will automatically play an audio recording that pretends to be a partial voicemail saying hello.
- The fake voicemail is autoplayed through an embedded .wav file in the HTML email.
- After the audio file finishes playing, the HTML attachment will redirect the user to a generic Microsoft landing page that then prompts you to login to hear the full recording.
- As you can imagine, entering your credentials DOES NOT get you a real voicemail.
- Instead you are redirected to office.com and your credentials are now stolen!
Phishing Kits Adopting Audio Messages
When originally researching these campaigns, McAfee expected to find a single phishing kit being used, but it turned out to be three different ones.
“As explained in the introduction, we were surprised to observe three different phishing kits being used to generate the malicious websites,” McAfee stated in their report. “All three look almost identical but were able to differentiate them by looking at the generated HTML code and the parameters which were accepted by the PHP script.”
These phishing kits include two being actively sold on the dark web and through social networks called “Voicemail Scmpage 2019” and “Office 365 Information Hollar”, while the third did not have a name associated with it or any indication of who created it.
Of the three kits, the “Unnamed Kit” was the most prevalent that McAfee observed while researching these campaigns.
While some business verticals were targeted a bit more than others, these campaigns were seen targeting a wide range of business types. Furthermore, McAfee states that the attacks were targeting a wide range of employees, including middle management and executives.
By using audio files, these kits add a measure of realism to the phishing emails that may be just the push needed to trick a recipient into entering their credentials.
This is why it is more important than ever to examine the URLs of any landing pages that contain Microsoft login forms and to remember that legitimate login forms will be on the microsoft.com, live.com, and outlook.com domains.
Even then, a login form on live.com, may still not be legitimate.
No one wants to become a victim of a social engineering attack, so it’s important to recognize an attack in progress and not be tricked into responding to it inappropriately.
Trained and aware employees are critical to securing an organization, and an effective, ongoing internal security awareness program can help reduce your company’s vulnerability, turning the “weakest link” in your cyber defenses into its greatest strength.
One of our most important roles as a technology service provider is to protect the assets of our clients. No matter how big or small your business is, a single compromised credential could put your entire business at risk. Give us a call to further discuss how we can help in protecting your business against cybersecurity threats and how we can make technology work for your business.
Call us now at 732.780.8615 or email us at [email protected]