Attackers Fake Microsoft Voicemail Notifications to Phish

Microsoft Office 365 has once again made it into the news, and it is certainly not for the best of the reasons. In a newly discovered phishing campaign, attackers are spamming probable victims through emails that are disguised as Microsoft Office 365 voicemail alerts. Attackers are using Microsoft voicemail notifications to trick users into opening HTML attachments which redirect the victim to attackers’ landing pages by using meta elements. These emails instruct victims to open attachments. This will, in turn, allow them to listen to voice messages, displaying the caller number and voicemail length within the message.

Attackers Are Using Meta Refresh Redirections

Attackers send phishing landing pages employing a known redirection technique to victims. The attachment is opened in the target’s default web browser. The page transfers them to a landing page which is hosted on mototamburi.com compromised WordPress website through a tinyw.in shortened URL and by using meta element embedded at the end of HTML attachment in order to start the redirection process.

These malicious attachments use ​meta refresh​ in order to redirect the end-user from an HTML attachment that is hosted locally, to a phishing page on the public internet. Since attackers use refresh tags for obfuscating the URL, the built-in link parsers of Office 365 do not detect the threat.

How Do Attackers Phish Victims?

Attackers have designed a spoofed Voicemail management system page that pops up a “Voicemail user authentication” login form. This form asks targets to enter their Microsoft account’s email address and password which are collected and sent to an attacker-controlled server.

The IP address for the server is used to store stolen Microsoft Office 365 user credentials that are hardcoded within the phishing landing page. This adds as another layer of sophistication to malicious HTML attachments with the tag, which obfuscates the URL to evade link analysis and redirects to a compromised domain on the public internet.

Voicemails Are Being Leveraged by Scammers

In late January, another phishing campaign was observed where attackers leveraged RingCentral voicemail message alerts to trick potential victims into handing out their credentials to attackers.

The phishing emails use EML attachments that will open up within the targets’ Outlook client which makes it even easier for attackers to pressure victims into clicking on the embedded links. Scammers are asking victims to enter their credentials twice in order to make sure that the username, as well as the passwords combos, are correct.

How to Safeguard Yourself Against Phishing?

1. Get in touch with the sender prior to opening or clicking on the mail in case you receive emails that contain links or attachments.
2. Thoroughly double-check the URL in the web browser’s address bar in case of finding anything that is suspicious in nature.
3. Enforce per-user outbound rate limits for detecting compromised webmail email account abuse. This will ensure the slow down in the outbound spam rate and identify or stop the email abuse completely.
4. In case you open a link, close the web browser and do not continue.
5. If a user falls for a phishing scam and got their credentials hacked. He should immediately change the passwords of any accounts that might have been stolen.
6. With cyber security attack simulators and awareness training TSAT, employees can learn about different types of cyber attacks and prevent themselves from such cyber threats.

Cyber security companies like Kratikal ensure that your organization is secure against real-life cyber threats that might pose risk to the organization’s cyber infrastructure. It is important to adopt security practices such as periodic VAPT, cyber security policies, employee awareness programs, etc. These measures will further ensure the safety of the triad of people-process technology.