Office 365 users are a constant target for phishers because their accounts can give access to high-value company data and systems.
Hackers have now stepped up their game with new attacks that use audio files masquerading as voicemails to trick users into exposing their passwords.
The new campaign was observed over the past few weeks by researchers from security firm McAfee and targeted organisations from many industries including services, finance, IT, retail, insurance, manufacturing, infrastructure, energy, government, legal, education, healthcare and transportation.
“A wide range of employees were targeted, from middle management to executive level staff,” the McAfee researchers said in a report released today. “We believe that this is a ‘phishing’ and ‘whaling’ campaign.”
Whaling is a type of phishing that is aimed at senior executives, department managers and other high-value targets inside organisations by using lures they are likely to be interested in and fall for.
How the Office 365 phishing campaign works
The rogue emails contain Microsoft’s logo and inform recipients that they’ve missed a call from a particular phone number. The messages include information such as caller ID, date, call duration, organisation name and a reference number.
The emails have HTML attachments, which, if opened, redirect users to a phishing site that tells them Microsoft is fetching their voicemail and asks them to login to access it.
During this step, the page plays a short audio recording of someone speaking that is meant to trick victims into believing they’re listening to the beginning of a legitimate voicemail.
“What sets this phishing campaign apart from others is the fact that it incorporates audio to create a sense of urgency which, in turn, prompts victims to access the malicious link,” the researchers said. “This gives the attacker the upper hand in the social engineering side of this campaign.”
Once the recording is played, users are redirected to another rogue website that mimics the Office 365 login page and where the email address is automatically pre-populated to add to the attack’s credibility. If victims input their passwords, they receive a successful login message and are redirected to the legitimate office.com website.
Commercial phishing kits used
The McAfee researchers have determined that phishers are launching these attacks with the help of three different phishing kits that are available to purchase on the underground market and are specifically designed for this purpose. One of them is even called Voicemail Scmpage 2019.
The wide availability of these kits on cybercriminal forums lowers the barrier of entry for many cybercriminals. Since little knowledge or skill is required to launch these attacks, it’s likely they will become even more common.
Impact and mitigation for fake voicemail phishing
Some of the indicators for these phishing attempts are email attachments with the format DD-Month-YYYY.wav.html, Voice-DD-MonthYYYYwav.htm or Audio_Telephone_MessageDD-Month-YYYY.wav.html. The domains used to host the fake voicemail pages appear to have randomly generated names, but a list of them is included in the McAfee report.
Compromised Office 365 credentials are valuable to hackers because a single Microsoft account will typically have access to a wide range of services and data, depending on the company’s Office subscription.
Compromised accounts can also be used to impersonate senior staff and trick other employees from the same organisation into performing actions that result in financial loss for the company or additional compromises.
The FBI estimates that business email compromise (BEC) scams have cost organisations worldwide over $26 billion over the past three years.
IT administrators are encouraged to turn on two-factor authentication (2FA) for their organisations’ Office 365 accounts. Phishing attacks that bypass 2FA are possible, but require more resources and special infrastructure to pull off.
Training employees on how to identify phishing emails and avoid clicking on suspicious links or opening attachments from unknown senders should be the first line of defence for security-aware organisations.