Phishing Campaign Uses Voicemail Notifications Trick Users into Disclosing Credentials

A new phishing campaign has been detected which uses Microsoft Office 365 voicemail notifications as a lure to get users to open a malicious HTML file attached to the email.

The phishing emails are very realistic. The emails include the Microsoft and Office 365 logos, use the Microsoft color scheme, and Microsoft contact information. The messages inform the recipient that they have received a new voicemail message. The caller’s number and length of the voicemail message is included, along with the time and date of the message. In order to access that message, the user is required to open a HTML file attached to the email.

Many phishing campaigns use Word documents or Excel spreadsheets containing malicious macros or embedded hyperlinks that direct users to a phishing web page where credentials are harvested. Through security awareness training employees are told to look out for thee commonly used file types. HTML files are likely to be familiar to employees, but since these file types are not often used in phishing campaigns, employees may believe the attached file to be benign, when that is definitely not the case.

The HTML file uses meta refresh to redirect the user from the local HTML file to a phishing page hosted on the Internet. That phishing page contains a highly realistic spoofed voicemail management page where users are required to enter their Office 365 credentials to access the message. Doing so hands those credentials to the attacker.

Cybercriminals are constantly coming up with new ways to trick employees into clicking links in emails or opening malicious attachments. Keeping the workforce up to date on these threats is important. If employees are aware of the types of scam emails, they are likely to receive they will be more likely to correctly identify an email as malicious if it arrives in their inbox.

Keeping the workforce 100% up to date on the latest scams will not be possible as new scams and lures are constantly being developed. It is therefore important to ensure that you have an advanced spam filtering solution in place that can block these messages to ensure they never test employees.

SpamTitan incorporates DMARC to block email impersonation attacks, dual antivirus engines to identify known malware, and a sandbox where suspicious attachments can be executed safely and studied for malicious actions. In addition, a range of checks are performed to assess the content of messages and embedded hyperlinks for any malicious actions.

With SpamTitan in place, businesses will be able to block more than 99.97% of spam and phishing emails, and 100% of known malware.

If you want to improve protections against phishing attacks and ensure fewer malicious messages reach your Office 365 inboxes, give the TitanHQ team a call to find out more about SpamTitan email security and other measures you can take to improve your security posture and block these sophisticated phishing attacks.