CSO

Voicemail phishing emails steal Microsoft credentials

As always, check that O365 login page is actually O365


Someone is trying to steal people's Microsoft 365 and Outlook credentials by sending them phishing emails disguised as voicemail notifications.

This email campaign was detected in May and is ongoing, according to researchers at Zscaler's ThreatLabz, and is similar to phishing messages sent a couple of years ago.

This latest wave is aimed at US entities in a broad array of sectors, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain, the researchers wrote this month.

Zscaler has a front-row seat in this campaign; it was one of the targeted organizations.

"Voicemail-themed phishing campaigns continue to be a successful social engineering technique for attackers since they are able to lure the victims to open the email attachments," the biz's Sudeep Singh and Rohit Hegde wrote. "This combined with the usage of evasion tactics to bypass automated URL analysis solutions helps the threat actor achieve better success in stealing the users' credentials."

The attack starts with an email that tells the targeted user they have a voicemail waiting for them that is contained in an attachment. If the user opens the attachment, they are redirected to a credential-phishing site: a page masquerading as a legit Microsoft sign-in page. The mark is supposed to login to complete the download of the voicemail recording, but in fact will end up handing over their username and password to criminals.

The "from" field of the email is crafted to include the name of the recipient's company so that it looks at least a little convincing at first glance. JavaScript code in the HTML attachment runs when opened, and takes the user to a page with a URL that has a consistent format: it includes the name of the targeted entity and a domain hijacked or used by the attacker.

As an example, when a Zscaler employee was targeted, the page URL used the format zscaler.zscaler.briccorp[.]com/<the mark's email address in base64>, according to the researchers.

"It is important to note that if the URL does not contain the base64-encoded email at the end, it instead redirects the user to the Wikipedia page of MS Office or to office.com," the pair wrote.

This first-stage URL redirects the browser to a second-stage page where the mark needs to answer a CAPTCHA before they are directed to the actual credential-phishing page. The pages use Google's reCAPTCHA technique, as did the previous voicemail-themed attacks two years ago, which the ThreatLabz team also analyzed.

Using CAPTCHA enables the crooks to evade automated URL scanning tools, the researchers wrote. Once past that stage, marks are then sent to the final credential-phishing site, where they see what looks like a regular Microsoft sign-in page asking for one's credentials. If a victim falls for the scam, they are told their account doesn't exist.

The credential-stealing fraudsters are using email servers in Japan to launch the attacks, according to ThreatLabz.

The use of phishing continues to grow and spiked during the height of the COVID-19 pandemic in 2020 and 2021 as most companies shifted rapidly to a mostly remote-work model, with many employees working from their homes. According to the FBI, incidents of phishing and related crimes – such as vishing (video phishing) and smishing (using texts) – in the United States jumped from more than 241,342 in 2020 to at least 323,972 last year [PDF].

One reason phishing is so popular is that, despite the amount of experience individuals now have with computers and the ongoing training companies run to increase security awareness among employees, humans continue to be the weak link in cybersecurity. According to Egress's Insider Data Breach Survey 2021, 84 percent of organizations surveyed said a mistake has caused at least one of their computer security incidents.

The ThreatLabz duo cautioned users not to open email attachments sent from untrusted or unknown sources and to verify the URL in the address bar before entering credentials. ®


Other stories you might like

Biting the hand that feeds IT © 1998–2022