Voicemail phishing emails steal Microsoft credentials • The Register
Someone is trying to steal users’ Microsoft 365 and Outlook credentials by sending them phishing emails disguised as voicemail notifications.
These emails were detected in May and are ongoing, according to Zscaler’s ThreatLabz researchers, and are similar to a phishing campaign launched a few years ago.
This latest wave is aimed at US entities across a wide range of industries, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain, researchers wrote this month.
Zscaler saw this campaign first-hand; it was one of the targeted organizations.
“Voicemail-themed phishing campaigns continue to be an effective social engineering technique for attackers, as they are capable of tricking victims into opening attachments,” Sudeep Singh and Rohit Hegde wrote. “This, combined with the use of evasion tactics to circumvent automated URL scanning solutions, helps the threat actor be more successful in stealing user credentials.”
The attack begins with an email that tells the targeted user that they have a voicemail message waiting for them, which is contained in an attachment. If the user opens the attachment, they are redirected to a credential phishing site: a page posing as a legitimate Microsoft sign-in page. The target is supposed to log in to finish uploading the voicemail recording, but will actually end up handing over their username and password to criminals.
For example, when a Zscaler employee was targeted, the page URL used the format zscaler.zscaler.briccorp[.]com/
“It is important to note that if the URL does not contain the base64-encoded email at the end, it instead redirects the user to the MS Office Wikipedia page or to office.com,” the pair wrote.
This first-stage URL redirects the browser to a second-stage page where the target must solve a CAPTCHA before being directed to the actual credential phishing page. The pages use Google’s reCAPTCHA technique, much like previous voicemail-themed attacks two years ago, which the ThreatLabz team also analyzed.
Using CAPTCHA allows scammers to evade automated URL analysis tools, the researchers wrote. After this step, targets are sent to the final credential phishing site, where they see what looks like a standard Microsoft login page asking for their credentials. If a victim falls for the scam, they are told that their account does not exist.
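The URL pattern described above, with the recipient's base64-encoded email address as the last path segment, is something defenders can hunt for in web proxy or mail gateway logs. The following is an added example, not code from ThreatLabz or The Register; the function names, the `.example` domains and the subdomain heuristic are assumptions made for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def trailing_email(url):
    """Return the email address base64-encoded in the last path segment, or None."""
    segment = unquote(urlsplit(url).path).rstrip("/").rsplit("/", 1)[-1]
    if len(segment) < 8:
        return None
    # Accept the URL-safe alphabet and restore stripped padding before strict decoding.
    segment = segment.replace("-", "+").replace("_", "/")
    segment += "=" * (-len(segment) % 4)
    try:
        decoded = base64.b64decode(segment, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return decoded if EMAIL_RE.fullmatch(decoded) else None

def classify(url, org_domains):
    """Flag a URL on a foreign host that carries one of our users' addresses."""
    email = trailing_email(url)
    if email is None:
        return None
    host = (urlsplit(url).hostname or "").lower()
    domain = email.rsplit("@", 1)[1].lower()
    if domain not in org_domains or host == domain or host.endswith("." + domain):
        return None  # not our user, or the request went to our own site
    # Heuristic (assumption): org name repeated as a subdomain label, as in the article's URL.
    org_in_subdomain = domain.split(".")[0] in host.split(".")[:-2]
    return {"email": email, "host": host, "org_in_subdomain": org_in_subdomain}

# Constructed sample data: reserved .example names, not indicators from the campaign.
TOKEN = base64.b64encode(b"bob@acme.example").decode().rstrip("=")
SAMPLE_URLS = [
    f"https://acme.acme.lure.example/{TOKEN}",
    "https://acme.acme.lure.example/",
    f"https://mail.acme.example/unsubscribe/{TOKEN}",
    "https://cdn.example/assets/index.html",
]

def scan(urls, org_domains):
    """Return the findings for every URL in the log that matches the pattern."""
    return [hit for hit in (classify(u, org_domains) for u in urls) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_URLS, {"acme.example"}):
        print(hit)
```

Legitimate services also put encoded addresses in links, so a hit is a lead for triage rather than a verdict; the `org_in_subdomain` flag helps rank hits.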
Credential-stealing fraudsters are using mail servers in Japan to launch the attacks, according to ThreatLabz.
The use of phishing continues to grow, and it increased during the height of the COVID-19 pandemic in 2020 and 2021, as most companies rapidly shifted to a predominantly remote working model, with many employees working from home. According to the FBI, incidents of phishing and related crimes – such as vishing (video phishing) and smishing (using texts) – in the United States increased from 241,342 in 2020 to 323,972 last year.
One of the reasons phishing is so popular is that, despite the amount of experience individuals now have with computers and ongoing company training to educate employees about security, humans are still the weak link in cybersecurity. According to Egress’s 2021 Insider Data Breach Survey, 84 percent of organizations surveyed said an error caused at least one of their IT security incidents.
The ThreatLabz duo warned users not to open attachments sent by untrusted or unknown sources and to check the URL in the address bar before entering credentials. ®