Beware!! New Voicemail Phishing Attack That Aims to Steal Office365 Login Credentials

Threat actors have recently launched a new voicemail-themed phishing campaign that attempts to steal Outlook and Microsoft Office 365 login credentials.

The following are the sectors and organizations in the U.S. that were targeted in conjunction with this campaign:

  • Military
  • Security software
  • Manufacturing supply chain
  • Healthcare
  • Pharmaceutical

The goal of this ongoing campaign is to lure victims into opening a malicious HTML attachment delivered with fake voicemail notifications, researchers said.

The malicious campaign

The TTPs of the newly found campaign resemble those of one analyzed in mid-2020. The threat actors route their messages through email services in Japan and spoof the sender address so that the emails are delivered.

The emails appear to come from an address belonging to the targeted organization.

The email carries an attachment that appears to be a sound clip, because its file name includes a music note character.

The phishing site is actually hidden inside the obfuscated JavaScript code in that file. Its URL is assembled from the targeted company's domain so that it appears to be a legitimate subdomain of the organization.

During this redirection, the victim is first sent to a CAPTCHA verification page. This check is intended to keep anti-phishing tools from identifying the suspicious activity and to give the victim a false sense of legitimacy.

Once the check is passed, the user is redirected to a convincing phishing page that steals their Microsoft Office 365 credentials.
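As an added illustration (not from the original report) of how a defender can triage the two lures described above, the following constructed Python helper flags HTML attachments named with musical-note characters and checks whether a link's host is genuinely under the organization's domain or merely embeds its name; `acme.com` and `attacker.example` are placeholder values.

```python
import unicodedata
from urllib.parse import urlsplit

# Musical-note code points an attacker might use so that an .html attachment
# looks like a sound clip (constructed set for this example, not exhaustive).
MUSIC_NOTES = {"\u266a", "\u266b", "\u266c", "\U0001d11e", "\U0001d160"}


def suspicious_attachment_name(filename: str) -> bool:
    """Flag .html/.htm attachments whose name contains a musical-note character."""
    is_html = filename.lower().endswith((".html", ".htm"))
    has_note = any(
        ch in MUSIC_NOTES or unicodedata.name(ch, "").startswith("MUSICAL SYMBOL")
        for ch in filename
    )
    return is_html and has_note


def refang(value: str) -> str:
    """Turn the defanged 'example[.]com' notation used in reports back into a hostname."""
    return value.replace("[.]", ".")


def classify_host(url: str, org_domain: str) -> str:
    """
    'legit'        host is the org domain itself or a real subdomain of it
    'impersonates' host only contains the org's name (e.g. acme.com.attacker.example)
    'unrelated'    host has nothing to do with the org
    """
    url = refang(url)
    if "://" not in url:            # urlsplit needs a scheme to find the host
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    org = refang(org_domain).lower()
    if host == org or host.endswith("." + org):
        return "legit"
    org_label = org.split(".")[0]   # e.g. 'acme' from 'acme.com'
    if org_label in host:
        return "impersonates"
    return "unrelated"


def triage(filename: str, urls: list[str], org_domain: str) -> dict:
    """Combine both checks into one verdict dictionary for an inbound message."""
    return {
        "attachment_flag": suspicious_attachment_name(filename),
        "url_verdicts": {u: classify_host(u, org_domain) for u in urls},
    }


if __name__ == "__main__":
    # Constructed sample message: note-prefixed HTML attachment and a lookalike link.
    print(triage("\u266a Voicemail_0042.html",
                 ["https://acme.com.attacker.example/login"], "acme.com"))
```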

Domains used

The researchers also published the domains that the threat actors used in this campaign.


Recommendation

Users should therefore always make sure they are on the correct login portal before entering and submitting their username and password.

In most businesses, recipients are already logged into their accounts as standard practice, so a request for them to log in again in order to hear a voicemail should seem suspicious.

Using HTML attachments to disguise voicemail-themed phishing scams is not new. It has been happening since at least 2019 and is still quite effective, particularly when employees handle email carelessly.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.