Phony Voicemail Links Steal Employee Credentials From Office 365 And Outlook Users
By: Jim Stickley and Tina Davis
July 26, 2022
Most of us know phishing emails and fake texts are a hacker’s calling card for stealing valuable PII (personally identifiable information). But recently, researchers at cloud security company Zscaler sounded the alarm about an unusual malware campaign using voicemail-themed email phishing as the primary hook for cyberattacks. It was only after Zscaler fell victim to this campaign that the company felt compelled to study it further.
Zscaler finds this cybercrime targets employees in the U.S. using Microsoft Office 365 and the Outlook email service. Hacker crosshairs are trained on enterprises relying on particularly sensitive and critical data to function. For example, these prime targets include software security developers, manufacturing and shipping supply chain enterprises, the U.S. military, and healthcare and pharmaceutical organizations.
How the Attack Unfolds
This unusual approach starts with a simple voicemail alert and ends with stolen employee credentials. Zscaler finds that potential victims get an email announcing they’ve received a voicemail. The hacker uses the company’s name in the sender’s email address to feign legitimacy and lower the employee’s guard. Successfully exploiting a staffer’s trust is when the real trouble starts.
The email provides a link to open and hear the voicemail contents. Opening the link first provides a CAPTCHA pop-up that, when completed, evades anti-phishing tools. That done, the attachment then sends the victim to a spoofed, overlay web page that duplicates the real Microsoft or Outlook login page. The significant difference here is that hackers control these copycat web pages.
Once the staffer enters their sign-in credentials, the hacker hijacks them and takes over the account. These stolen employee accounts are widely used throughout larger organizations, and bad actors count on that. The damage they’ll do with account takeovers is something only they know for sure.
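The traits described above (a voicemail-themed message, the company’s name in a sender that is not on a company domain, and a link or attachment to open) can be checked mechanically during mail triage. The following is an added example, not code from Zscaler or the article’s authors; the organization name, its domains and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit
# Assumed for this example: the org's name token and its real mail domains.
ORG_NAME = "examplecorp"
ORG_DOMAINS = {"examplecorp.example"}
VOICEMAIL = re.compile(r"voice[\s-]?mail|voice message|missed call", re.I)
HREF = re.compile(r"""href=["'](https?://[^"']+)""", re.I)

def is_org_host(host):
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)

def triage(raw):
    """Return the set of lure traits found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = (s.lower() for s in parseaddr(str(msg.get("From", ""))))
    themed = VOICEMAIL.search(str(msg.get("Subject", "")))
    flags = {"voicemail_theme"} if themed else set()
    if ORG_NAME in display + addr and not is_org_host(addr.rpartition("@")[2]):
        flags.add("org_name_external_sender")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    hosts = {urlsplit(u).hostname for u in HREF.findall(text)}
    if any(h and not is_org_host(h) for h in hosts):
        flags.add("external_link")
    if next(msg.iter_attachments(), None) is not None:
        flags.add("attachment")
    return flags

def is_lure(raw):
    f = triage(raw)  # theme + impersonated sender, plus a link or an attachment
    return f >= {"voicemail_theme", "org_name_external_sender"} and len(f) > 2

# Constructed sample messages, not real traffic.
LURE = """\
From: "ExampleCorp Voicemail" <voicemail@examplecorp-notify.example>
Subject: New voicemail received
Content-Type: text/html; charset="utf-8"

<p>New voice message.</p><a href="https://play.voicemail-portal.example/m">Listen</a>
"""
LEGIT = """\
From: "ExampleCorp Phone System" <pbx@examplecorp.example>
Subject: Voicemail from extension 4021

Dial your mailbox number to listen.
"""
print({n: is_lure(m) for n, m in (("LURE", LURE), ("LEGIT", LEGIT))})
```

A match is a reason to quarantine or review the message, not proof of phishing; the subject pattern and domain list need tuning to the organization’s real voicemail notifications.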
Keeping it Real
Staying safe from these sneaky cyberattacks is possible using a healthy dose of cyber-smarts. Educating staffers to spot email phishing and other hacking tricks should be ongoing. Cybercrime methods are continually evolving, and attacks tend to trend in popularity. Keeping employees updated on the latest cyber-swindles can be invaluable to enterprise security. Additional security steps are listed below.
- Never open email and text attachments you weren’t expecting or that are from unknown senders, unless you can personally verify the source is legitimate.
- Always keep software, apps and devices, and operating systems updated with the latest versions and security patches.
- Always use two-factor (2FA) or multi-factor (MFA) options when available. They each provide at least one additional layer of security that verifies the user is (or isn’t) who they claim to be.