Microsoft 365 credentials targeted in new fake voicemail campaign

A new phishing campaign targets US organizations in the military, security software, manufacturing supply chain, healthcare and pharmaceutical industries to steal Microsoft Office 365 and Outlook credentials.

The operation is underway and the threat actor behind it is using fake voicemail messages to trick victims into opening a malicious HTML attachment.

Campaign overview

According to researchers at cloud security firm Zscaler, the recently discovered campaign shares tactics, techniques and procedures (TTPs) with another operation analyzed in mid-2020.

The threat actors use email services in Japan to route their messages and spoof the sender’s address, making the emails appear to come from an address of the targeted organization.

Email headers (Zscaler)

The email carries an HTML attachment whose filename includes a musical note symbol, making it look like a sound clip. In reality, the file contains obfuscated JavaScript that redirects the victim to a phishing site.

Message used in the phishing campaign (Zscaler)

The phishing URLs are assembled from a template that incorporates the targeted organization's domain, so the hostname appears to be a legitimate subdomain of that organization.

Phishing Naming Scheme (Zscaler)
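Two heuristic checks for the lures described above, the HTML attachment named like an audio clip and the login URL that embeds the target's domain as a fake subdomain, written here as an added example rather than taken from Zscaler's report. The sample filenames and the domain `example-org.com` / `lookalike-host.test` are constructed, and treating the last two hostname labels as the registrable domain is a simplification.

```python
import unicodedata
from urllib.parse import urlsplit

HTML_SUFFIXES = (".html", ".htm")
# Musical-note symbols to look for in lure filenames (constructed set, not from the report).
MUSIC_NOTE_CHARS = {"\u2669", "\u266a", "\u266b", "\u266c"}


def is_fake_voicemail_attachment(filename: str) -> bool:
    """Flag an HTML attachment whose name is dressed up as an audio clip.

    Matches the lure described above: an .html/.htm file carrying a musical
    note so it reads like a voicemail recording in the mail client.
    """
    name = unicodedata.normalize("NFKC", filename).strip().lower()
    if not name.endswith(HTML_SUFFIXES):
        return False
    return any(ch in name for ch in MUSIC_NOTE_CHARS)


def is_lookalike_login_url(url: str, org_domain: str) -> bool:
    """Flag a URL whose hostname embeds the victim's domain as a fake subdomain.

    The campaign builds hosts shaped like <org-domain>.<lookalike-domain>.
    The registrable domain is approximated as the last two labels; that is an
    assumption (a public-suffix list is needed for co.uk-style suffixes).
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    org = org_domain.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return False
    registrable = ".".join(labels[-2:])
    if registrable == org:
        return False  # a genuine host under the organization's own domain
    # The org's domain appears inside the hostname, but the host is actually
    # registered somewhere else: the subdomain-spoofing pattern of this campaign.
    return org in host


if __name__ == "__main__":
    # Constructed samples; "example-org.com" stands in for the targeted organization.
    for fname in ("Voice Message \u266a.html", "meeting-notes.html", "vm_0042.wav"):
        print(f"{fname!r:32} -> {is_fake_voicemail_attachment(fname)}")
    for url in ("https://example-org.com.lookalike-host.test/captcha",
                "https://mail.example-org.com/owa",
                "https://login.microsoftonline.com/"):
        print(f"{url:52} -> {is_lookalike_login_url(url, 'example-org.com')}")
```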

The redirection chain first takes the victim to a CAPTCHA check, which is meant to evade anti-phishing tools and to reinforce the illusion of legitimacy for the victim.

Typical CAPTCHA step on phishing site (Zscaler)

The CAPTCHA check was also used in the 2020 campaign analyzed by Zscaler's ThreatLabz researchers, and it remains an effective intermediate step for increasing phishing success rates.

Once users pass this step, they are redirected to a convincing phishing page that harvests Microsoft Office 365 account credentials.

The ultimate destination of the redirects is a phishing page (Zscaler)

Careful users will notice that the login page's domain belongs neither to Microsoft nor to their own organization; Zscaler's report lists the lookalike domains the campaign used for these pages.


This is why, before submitting or even before they start typing a username and password, users should always check and confirm that they are on the real login portal and not a fake one.

Recipients are usually already logged into their account, so a request to log in again just to listen to a voicemail should look suspicious.

Voicemail-themed phishing using HTML attachments has been in use since at least 2019, but it is still effective, especially against careless workers.
