Phishing scammers are coming up with more innovative methods to convince their targets to provide login credentials. Such is the case with a new OneNote Audio Note phishing campaign that is currently underway.

This campaign comes in the form of an email with the subject "New Audio Note Received" and claims that you have received a new audio message from a contact in your address book. To listen to the message, though, you will need to click on a link.

New Audio Note Phishing Email

Of particular interest is that the phishing scammers are now commonly including footer notes stating the email is safe as it was scanned by security software. In this case, the email states it was "Scanned by McAfee Ultimate 2019 Antivirus Scanning Service for Microsoft".

When you click on the "Listen to full message here" link, you will be brought to a fake OneNote Online page hosted on Sharepoint.com. This page states that "You have a new audio message" and then prompts you to click on a link to listen to it.

Fake OneNote Online Page

When you click on the link to listen to the Audio Note, you will be brought to another Sharepoint.com hosted page that is currently disabled, but would have prompted you to log in with your Microsoft credentials.

This fake page may have looked similar to the one below, which is commonly used by a variety of phishing scams that pretend to be from Microsoft services such as OneNote, Office 365, and Outlook.

Fake Microsoft Account Login Form

As the phishing pages are being hosted on Sharepoint.com, they also come with a legitimate certificate from Microsoft. This helps make it more convincing to the recipients of these emails.

Certificate from Microsoft

For Microsoft accounts and Outlook.com logins, it is important to remember that Microsoft login forms will be on microsoft.com, live.com, microsoftonline.com, and outlook.com domains only. If you are presented with a Microsoft login form from any other URL, it should be avoided.
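One way to apply this domain rule in code, for instance in a mail or web proxy filter, is sketched below. It is an added example, not part of the original article; the function names and sample URLs are constructed, and requiring https is an assumption.

```python
from urllib.parse import urlsplit

# Domains the article lists for genuine Microsoft login forms.
MS_LOGIN_DOMAINS = ("microsoft.com", "live.com", "microsoftonline.com", "outlook.com")


def login_host(url):
    """Return the normalised host of an https URL, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
        # .hostname drops any "user@" prefix and ":port", and lowercases.
        host = parts.hostname
    except ValueError:
        return None
    # Assumption: a credential form served over plain http is never trusted.
    if parts.scheme != "https" or not host:
        return None
    host = host.rstrip(".")  # "live.com." and "live.com" are the same name
    try:
        # Convert internationalised names to ASCII (punycode) so look-alike
        # Unicode letters cannot compare equal to a real domain.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def is_microsoft_login_url(url):
    """True only if the host is a listed domain or a subdomain of one."""
    host = login_host(url)
    if host is None:
        return False
    # Match on a label boundary: "notlive.com" must not pass as "live.com".
    return any(host == d or host.endswith("." + d) for d in MS_LOGIN_DOMAINS)


if __name__ == "__main__":
    # Constructed sample URLs; the second mirrors the Sharepoint.com hosting
    # described in the article and is rejected despite its valid certificate.
    for sample in ("https://login.microsoftonline.com/common/",
                   "https://contoso.sharepoint.com/personal/audio-note",
                   "https://login.live.com@example.net/",
                   "https://microsoft.com.example.net/login"):
        print(is_microsoft_login_url(sample), sample)
```

The check compares the parsed hostname rather than searching the URL string, so a trusted name appearing in the path, the userinfo part, or as a prefix of another domain does not pass.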

Thx to Michael Gillespie for the sample.