Voicemail phishing emails steal Microsoft credentials • The Register


Someone is trying to steal users’ Microsoft 365 and Outlook credentials by sending them phishing emails disguised as voicemail notifications.

This email campaign was detected in May and is ongoing, according to Zscaler’s ThreatLabz researchers, and is similar to phishing messages sent a few years ago.

This latest wave is aimed at US entities across a wide range of industries, including software security, security solution providers, the military, healthcare and pharmaceuticals, manufacturing, supply chain and shipping, the researchers wrote this month.

Zscaler knows this campaign first-hand: it was one of the targeted organizations.

“Voicemail-themed phishing campaigns continue to be an effective social engineering technique for attackers, as they are capable of tricking victims into opening attachments,” Sudeep Singh and Rohit Hegde wrote. “This, combined with the use of evasion tactics to circumvent automated URL scanning solutions, helps the threat actor be more successful in stealing user credentials.”

The attack begins with an email telling the targeted user that they have a voicemail message waiting for them, contained in an attachment. If the user opens the attachment, they are redirected to a credential phishing site: a page posing as a legitimate Microsoft sign-in page. The target is expected to log in to finish loading the voicemail recording, but will actually end up handing their username and password to criminals.

The “from” field of the email is crafted to include the recipient’s company name so that it looks at least somewhat convincing at first glance. The HTML attachment’s JavaScript runs on opening and sends the user to a page with a consistently formatted URL: it includes the name of the targeted entity and a domain that has been hijacked by, or otherwise belongs to, the attacker.

For example, when a Zscaler employee was targeted, the page URL used the format zscaler.zscaler.briccorp[.]com/, according to the researchers.

“It is important to note that if the URL does not contain the base64-encoded email at the end, it instead redirects the user to the MS Office Wikipedia page or to office.com,” the duo wrote.

This first-stage URL redirects the browser to a second-stage page where the target must solve a CAPTCHA before being sent on to the actual credential phishing page. The pages use Google’s reCAPTCHA, much like the voicemail-themed attacks two years ago that the ThreatLabz team also analyzed.

Using a CAPTCHA lets the scammers evade automated URL analysis tools, the researchers wrote. After this step, targets are sent to the final credential phishing site, where they see what looks like a standard Microsoft login page asking for their credentials. If a victim falls for the scam and enters them, they are told that their account does not exist.
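As an added example (not code from the article or from Zscaler), the Python below scores proxy-log URLs against the two traits described above: the targeted organization's name repeated as the leading hostname labels on a foreign domain, and a base64-encoded email address as the final path segment. The sample URLs, the `briccorp.example` domain and the decoded `alice@zscaler.com` address are constructed placeholders.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlparse

# Minimal e-mail shape check for the decoded path segment.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_base64_email(segment):
    """Return the e-mail address if `segment` is base64 of one, else None."""
    seg = unquote(segment).strip()
    if not seg:
        return None
    seg += "=" * (-len(seg) % 4)  # restore padding a URL may have dropped
    try:
        text = base64.b64decode(seg, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if EMAIL_RE.match(text) else None


def assess_url(url, org_name):
    """Flag a URL showing both traits from the article: the org's name
    repeated in the hostname on a domain the org does not own, and a
    base64-encoded e-mail as the last path segment."""
    parsed = urlparse(url)
    labels = (parsed.hostname or "").split(".")  # .hostname is lowercased
    org = org_name.lower()
    reasons = []
    if labels[:2] == [org, org]:
        reasons.append("org name duplicated as leading hostname labels")
    elif org in labels[:-2]:
        reasons.append("org name used as a subdomain label")
    segments = [s for s in parsed.path.split("/") if s]
    email = decode_base64_email(segments[-1]) if segments else None
    if email:
        reasons.append("trailing path segment decodes to e-mail " + email)
    # Both signals together are needed; either alone is common in benign traffic.
    return {"url": url, "email": email, "reasons": reasons,
            "suspicious": len(reasons) == 2}


# Constructed sample URLs (not real indicators); the first mirrors the
# zscaler.zscaler.<attacker-domain>/<base64 e-mail> format from the article.
SAMPLE_URLS = [
    "https://zscaler.zscaler.briccorp.example/YWxpY2VAenNjYWxlci5jb20=",
    "https://zscaler.zscaler.briccorp.example/",
    "https://login.microsoftonline.com/common/oauth2/authorize",
]

if __name__ == "__main__":
    for result in (assess_url(u, "zscaler") for u in SAMPLE_URLS):
        print("SUSPICIOUS" if result["suspicious"] else "ok", result["url"])
```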

Credential-stealing fraudsters are using mail servers in Japan to launch the attacks, according to ThreatLabz.

Phishing grew sharply during the height of the COVID-19 pandemic in 2020 and 2021, as most companies rapidly shifted to a predominantly remote working model, with many employees working from home. According to the FBI [PDF], incidents of phishing and related crimes, such as vishing (voice phishing) and smishing (using text messages), in the United States rose from more than 241,342 in 2020 to at least 323,972 last year.

One of the reasons phishing remains so popular is that, despite the experience individuals now have with computers and the ongoing company training meant to educate employees about security, humans are still the weak link in cybersecurity. According to Egress’ Insider Data Breach Survey 2021, 84% of organizations surveyed said that an error caused at least one of their IT security incidents.

The ThreatLabz duo warned users not to open attachments sent by untrusted or unknown sources and to check the URL in the address bar before entering credentials. ®
