Security researchers at McAfee Labs recently uncovered a phishing campaign that involved the use of fake voicemail messages and three phishing kits to lure Office 365 users at targeted organisations to fill in their credentials on fake login pages.
The arrival of the phishing campaign targeting Office 365 users was observed by security researchers over the past few weeks who noted that several high-profile companies across sectors such as IT services, manufacturing, energy, healthcare, transportation, financial, legal, government, education, and infrastructure sectors were targeted.
The campaign involved hackers sending emails to Office 365 users, stating that they had missed a call from a certain number on a certain date and in order to access their voicemail, they needed to click on a link provided in the email.
The researchers found that the phishing emails contained HTML files as attachments that redirected users to a phishing website. Many of these HTML files contained audio recordings of someone talking to convince victims to believe they were listening to the beginning of a legitimate voicemail.
The phishing website where victims were redirected contained a pre-populated email address field, a Microsoft logo, a password field and a "Sign in" tab. Once victims entered their Office 365 passwords, they were redirected to the office.com login page.
According to McAfee Labs, the phishers used four filenames for the attachments, namely:
10-August-2019.wav.html [Format: DD-Month-YYYY.wav.html]
14-August-2019.html [Format: DD-Month-YYYY.html]
Voice-17-July2019wav.htm [Format: Voice- DD-MonthYYYYwav.htm]
Audio_Telephone_Message15-August-2019.wav.html [Format: Audio_Telephone_MessageDD-Month-YYYY.wav.html]
Hackers creating a sense of urgency among Office 365 users by using fake voicemails in phishing emails
The firm noticed that using this technique, hackers were able to harvest email addresses, passwords, IP addresses, and location of Office 365 users using three different phishing kits, all of which appear quite similar but can be differentiated on the basis of HTML codes and the parameters which were accepted by the PHP script.
"The goal of malicious actors is to harvest as many credentials as possible, to gain access to potentially sensitive information and open the possibility of impersonation of staff, which could be very damaging to the company. The entered credentials could also be used to access other services if the victim uses the same password, and this could leave them open to a wider of range targeted attacks," wrote researchers Oliver Devane and Rafael Pena in a blog post.
"What sets this phishing campaign apart from others is the fact that it incorporates audio to create a sense of urgency which, in turn, prompts victims to access the malicious link. This gives the attacker the upper hand in the social engineering side of this campaign.
"It is highly recommended to use Two-Factor Authentication (2FA) since it provides a higher level of assurance than authentication methods based on Single-Factor Authentication (SFA), like the one that many users utilise for their Office 365 accounts. When possible for enterprise customers, we recommend blocking .html and .htm attachments at the email gateway level so this kind of attack will not reach the final user," they added.
Corin Imai, senior security advisor at DomainTools, said that unfortunately, there is no security solution that can unequivocally protect an organisations’ digital assets from an employee clicking on the wrong link or entering credentials in a malicious form received via email.
"There are mitigations that block out the bulk of fraudulent emails and warn users when they are opening an external link. These can be a valid tool, especially for SMEs that might not have the resources to run extensive training programmes for their employees. Preferably, however, organisations should aim for prevention on both fronts and introduce email security courses, security drills and contingency plans for the eventuality of a successful breach," he added.