A new phishing campaign has been targeting U.S. organizations in the military, security software, manufacturing supply chain, healthcare and pharmaceutical sectors to steal Microsoft Office 365 and Outlook credentials. The operation is ongoing, and the threat actor behind it uses fake voicemail notifications to lure victims into opening a malicious HTML attachment. The threat actor routes the messages through email services in Japan and spoofs the sender’s address, making the emails appear to originate from an address belonging to the targeted organization. Each email carries an HTML attachment with a music note character in its filename, so that the file looks like a sound clip. In reality, the file contains obfuscated JavaScript code that takes the victim to a phishing site. The phishing URL is assembled in a format that incorporates the targeted organization’s domain, so that the site appears to be a legitimate subdomain.
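The attachment and sender traits described above can be checked at a mail gateway or during triage. The following is an added example, not code from the original report: the indicator names, the set of musical symbols, and the use of the `Authentication-Results` header as the spoofing signal are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed set of musical symbols that can make a filename look like a sound clip.
MUSIC_CHARS = set("\u2669\u266a\u266b\u266c\U0001F3B5\U0001F3B6")
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)

def _domain(header_value):
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def scan_message(raw):
    """Return a sorted list of indicator names found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = set()
    auth = str(msg.get("Authentication-Results", "")).lower()
    sender = _domain(msg["From"])
    # Sender claims the recipient's own domain but no DMARC pass was recorded.
    if sender and sender == _domain(msg["To"]) and "dmarc=pass" not in auth:
        hits.add("internal_sender_without_dmarc_pass")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""  # policy.default decodes encoded filenames
        is_html = (part.get_content_type() == "text/html"
                   or name.lower().endswith((".htm", ".html")))
        if not is_html:
            continue
        hits.add("html_attachment")
        if MUSIC_CHARS & set(name):
            hits.add("music_symbol_in_filename")
        body = part.get_content()
        if isinstance(body, bytes):  # HTML sent under a generic content type
            body = body.decode("utf-8", "replace")
        if SCRIPT_RE.search(body):
            hits.add("script_in_attachment")
    return sorted(hits)

def build_sample(filename, html):
    """Constructed test message; addresses use the reserved example.com domain."""
    m = EmailMessage()
    m["From"] = "Voicemail <voicemail@example.com>"
    m["To"] = "user@example.com"
    m["Subject"] = "New voicemail"
    m.set_content("You have a new voicemail.")
    m.add_attachment(html, subtype="html", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample("\u266bVM_0042.htm", "<html><script>/* placeholder */</script></html>")))
```

Any single indicator is weak on its own; the combination of an internal-looking sender without a DMARC pass, an HTML attachment, a musical symbol in the filename, and embedded script is what matches the lure described here.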