A new phishing campaign targets US organizations in the military, security software, manufacturing supply chain, healthcare and pharmaceutical industries to steal Microsoft Office 365 and Outlook credentials.
The operation is underway and the threat actor behind it is using fake voicemail messages to trick victims into opening a malicious HTML attachment.
According to researchers at cloud security firm ZScaler, the recently discovered campaign shares tactics, techniques and procedures (TTPs) with another operation analyzed in mid-2020.
The threat actors use email services in Japan to route their messages and spoof the sender’s address, making the emails appear to come from an address of the targeted organization.
The phishing URL is assembled from the target organization’s domain name so that the site appears to be one of the organization’s legitimate subdomains.
The redirection process first leads the victim to a CAPTCHA check, which is designed to bypass anti-phishing tools and to make the page look more legitimate to the victim.
The same CAPTCHA check was used in a 2020 campaign analyzed by ZScaler’s ThreatLabZ researchers, and it remains an effective intermediate step that increases phishing success rates.
Once the users go through this step, they are redirected to a real-looking phishing page that steals Microsoft Office 365 accounts.
Careful users would notice that the domain of the login page does not belong to Microsoft or to their organization and is one of the following:
This is why, before submitting, or even before they start typing their username and password, users should always check and confirm that they are on a genuine login portal and not a fake one.
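As an added illustration (not code from the ZScaler report), the following Python check flags a login URL whose hostname merely embeds a trusted domain as a leading label, the fake-subdomain pattern described above; the trusted-domain list, the placeholder organization domain `targetorg.example` and the sample URLs are constructed here.

```python
# Added example: decide whether a login URL really sits under a trusted
# domain or only contains one as a decoy label (fake-subdomain trick).
from urllib.parse import urlsplit

# Registrable domains a Microsoft 365 login page may legitimately sit under.
# "targetorg.example" is a constructed stand-in for the targeted organization.
TRUSTED_DOMAINS = (
    "microsoftonline.com",
    "microsoft.com",
    "office.com",
    "targetorg.example",
)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Simplification: adequate for the two-label allowlist above, but a real
    deployment should use the Public Suffix List (e.g. co.uk).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_login_url(url: str) -> str:
    """Return "ok" or a "suspicious: ..." reason for a credential-entry URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return "suspicious: not https"
    # Only the trailing registrable domain determines who controls the host.
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "ok"
    # The host belongs to someone else; report if it impersonates a trusted
    # name earlier in the hostname, with dots kept or swapped for hyphens.
    for trusted in TRUSTED_DOMAINS:
        decoy_forms = (trusted + ".", "." + trusted + ".", trusted.replace(".", "-"))
        if host.startswith(decoy_forms[0]) or any(f in host for f in decoy_forms[1:]):
            return f"suspicious: {trusted} embedded in {host}"
    return f"suspicious: unexpected domain {registrable_domain(host)}"
```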
Recipients are usually already logged into their account, so a request to log in again just to listen to a voicemail should itself raise suspicion.
Voicemail-themed phishing using HTML attachments has been in use since at least 2019, but it remains effective, especially against careless workers.