Cybercriminals constantly target Office 365 because a compromised account gives them access to high-value company data and systems. In a new tactic against Office 365, attackers are using an audio file disguised as a voicemail to trick users into giving up their passwords.
The Office 365 campaign was observed over the past few weeks, and the targeted organizations were in finance, IT, retail, insurance, manufacturing, infrastructure, energy, government, legal, education, healthcare, and transportation. The targeted staff were at the middle-management and executive levels. The security experts believe that this is a phishing and whaling campaign.
How the Office 365 phishing campaign works
The recent attack was delivered through an email that carries Microsoft's logo and informs users that they have missed a call from a particular phone number. The email also includes the caller ID, date, call duration, organization name, and reference number.
The message, if opened, redirects users to a phishing site and asks them to log in to their account to access the voicemail. During the process, a video is played on the site, which tricks the victim into believing that they are listening to a legitimate voicemail.
After the audio plays, victims are directed to a rogue website that mimics the Office 365 login page. When the victim reaches the website, the email address is pre-populated to add to the attack's credibility. After entering the password, the victim receives a successful login message and is redirected to office.com.
Commercial phishing kits used
According to research, the cybercriminals are using three different phishing kits. These kits are easily available on the underground market and are designed specifically for phishing attacks. The most popular among them is Voicemail Scmpage 2019.
Impact and mitigation for fake voicemail phishing
The indicators of these phishing attempts are email attachments whose names follow formats such as DD-Month-YYYY wav.html, Voice-DD-MonthYYYYwav.htm or Audio_Telephone_MessageDD-Month-YYYY.wav.html. The websites that host the fake voicemail pages appear to have randomly generated names.
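The attachment name formats listed above can be checked mechanically, for example at a mail gateway or over a mailbox export. The following Python is an added example, not code from the original article: the function names and sample filenames are constructed, and it assumes that "Month" is a full English month name and that the separator before "wav" in the first format may be a dot, space, underscore or hyphen.

```python
import re

# Month names as they appear in the "Month" field of the formats above.
MONTH = (r"(?:January|February|March|April|May|June|July|August|"
         r"September|October|November|December)")
DAY, YEAR = r"(?:0?[1-9]|[12]\d|3[01])", r"(?:19|20)\d{2}"

# One pattern per filename format listed in the article.
# Assumption: the separator before "wav" in the first format may be a dot,
# space, underscore or hyphen, since the article prints it with a space.
PATTERNS = {
    "DD-Month-YYYY wav.html":
        re.compile(rf"{DAY}-{MONTH}-{YEAR}[ ._-]?wav\.html?", re.I),
    "Voice-DD-MonthYYYYwav.htm":
        re.compile(rf"Voice-{DAY}-{MONTH}{YEAR}\.?wav\.html?", re.I),
    "Audio_Telephone_MessageDD-Month-YYYY.wav.html":
        re.compile(rf"Audio_Telephone_Message{DAY}-{MONTH}-{YEAR}\.wav\.html?", re.I),
}

def match_voicemail_lure(filename):
    """Return the label of the matching format, or None if none matches."""
    # Strip any directory part so full paths from an export also work.
    name = filename.strip().rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    for label, pattern in PATTERNS.items():
        if pattern.fullmatch(name):
            return label
    return None

def flag_attachments(filenames):
    """Map each suspicious attachment name to the format it matched."""
    hits = {}
    for f in filenames:
        label = match_voicemail_lure(f)
        if label:
            hits[f] = label
    return hits

if __name__ == "__main__":
    # Constructed sample attachment names, not taken from real mail.
    sample = [
        "10-August-2019.wav.html",
        "Voice-17-July2019wav.htm",
        "Audio_Telephone_Message15-August-2019.wav.html",
        "voicemail.wav",         # genuine audio extension only: no match
        "Q3-report-2019.html",   # HTML, but not a voicemail-style name
    ]
    for name, label in flag_attachments(sample).items():
        print(f"{name}: matches {label}")
```

A match is a reason to quarantine or review the message, not proof of phishing; names outside these formats are not covered.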
Cybercriminals seek compromised Office 365 credentials because a single Microsoft account gives them access to a wide range of data and information. The attackers also use the compromised account to trick employees by pretending to be a senior staff member from the same firm. They use it to perform specific actions that result in a financial loss for the company.