Voicemail phishing emails steal Microsoft credentials

As always, check that O365 login page is actually O365

Someone is trying to steal people's Microsoft 365 and Outlook credentials by sending them phishing emails disguised as voicemail notifications.

This email campaign was detected in May and is ongoing, according to researchers at Zscaler's ThreatLabz, and is similar to phishing messages sent a couple of years ago.

This latest wave is aimed at US entities in a broad array of sectors, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain, the researchers wrote this month.

Zscaler has a front-row seat in this campaign; it was one of the targeted organizations.

"Voicemail-themed phishing campaigns continue to be a successful social engineering technique for attackers since they are able to lure the victims to open the email attachments," the biz's Sudeep Singh and Rohit Hegde wrote. "This combined with the usage of evasion tactics to bypass automated URL analysis solutions helps the threat actor achieve better success in stealing the users' credentials."

The attack starts with an email that tells the targeted user they have a voicemail waiting for them that is contained in an attachment. If the user opens the attachment, they are redirected to a credential-phishing site: a page masquerading as a legit Microsoft sign-in page. The mark is supposed to login to complete the download of the voicemail recording, but in fact will end up handing over their username and password to criminals.

The "from" field of the email is crafted to include the name of the recipient's company so that it looks at least a little convincing at first glance. JavaScript code in the HTML attachment runs when opened, and takes the user to a page with a URL that has a consistent format: it includes the name of the targeted entity and a domain hijacked or used by the attacker.

As an example, when a Zscaler employee was targeted, the page URL used the format zscaler.zscaler.briccorp[.]com/<the mark's email address in base64>, according to the researchers.

"It is important to note that if the URL does not contain the base64-encoded email at the end, it instead redirects the user to the Wikipedia page of MS Office or to office.com," the pair wrote.

This first-stage URL redirects the browser to a second-stage page where the mark needs to answer a CAPTCHA before they are directed to the actual credential-phishing page. The pages use Google's reCAPTCHA technique, as did the previous voicemail-themed attacks two years ago, which the ThreatLabz team also analyzed.

Using CAPTCHA enables the crooks to evade automated URL scanning tools, the researchers wrote. Once past that stage, marks are then sent to the final credential-phishing site, where they see what looks like a regular Microsoft sign-in page asking for one's credentials. If a victim falls for the scam, they are told their account doesn't exist.

The credential-stealing fraudsters are using email servers in Japan to launch the attacks, according to ThreatLabz.

The use of phishing continues to grow and spiked during the height of the COVID-19 pandemic in 2020 and 2021 as most companies shifted rapidly to a mostly remote-work model, with many employees working from their homes. According to the FBI, incidents of phishing and related crimes – such as vishing (video phishing) and smishing (using texts) – in the United States jumped from more than 241,342 in 2020 to at least 323,972 last year [PDF].

One reason phishing is so popular is that, despite the amount of experience individuals now have with computers and the ongoing training companies run to increase security awareness among employees, humans continue to be the weak link in cybersecurity. According to Egress's Insider Data Breach Survey 2021, 84 percent of organizations surveyed said a mistake has caused at least one of their computer security incidents.

The ThreatLabz duo cautioned users not to open email attachments sent from untrusted or unknown sources and to verify the URL in the address bar before entering credentials. ®

Other stories you might like

  • Zscaler bulks up AI, cloud, IoT in its zero-trust systems
    Focus emerges on workload security during its Zenith 2022 shindig

    Zscaler is growing the machine-learning capabilities of its zero-trust platform and expanding it into the public cloud and network edge, CEO Jay Chaudhry told devotees at a conference in Las Vegas today.

    Along with the AI advancements, Zscaler at its Zenith 2022 show in Sin City also announced greater integration of its technologies with Amazon Web Services, and a security management offering designed to enable infosec teams and developers to better detect risks in cloud-native applications.

    In addition, the biz also is putting a focus on the Internet of Things (IoT) and operational technology (OT) control systems as it addresses the security side of the network edge. Zscaler, for those not aware, makes products that securely connect devices, networks, and backend systems together, and provides the monitoring, controls, and cloud services an organization might need to manage all that.

    Continue reading
  • Carnival Cruises torpedoed by US states, agrees to pay $6m after wave of cyberattacks
    Now those are some phishing boats

    Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyberattacks.

    A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based biz revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver's license, and passport numbers; and health and payment information of thousands of people in almost every American state.

    It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn't disclosed until 10 months later, in March 2020.

    Continue reading
  • Google said to be taking steps to keep political campaign emails out of Gmail spam bin
    Just after Big Tech comes under fire for left and right-leaning message filters

    Google has reportedly asked the US Federal Election Commission for its blessing to exempt political campaign solicitations from spam filtering.

    The elections watchdog declined to confirm receiving the supposed Google filing, obtained by Axios, though a spokesperson said the FEC can be expected to publish an advisory opinion upon review if Google made such a submission.

    Google did not immediately respond to a request for comment. If the web giant's alleged plan gets approved, political campaign emails that aren't deemed malicious or illegal will arrive in Gmail users' inboxes with a notice asking recipients to approve continued delivery.

    Continue reading

Biting the hand that feeds IT © 1998–2022