Threat Watch

Microsoft 365 credentials targeted in new fake voicemail campaign

A new phishing campaign has been targeting U.S. organizations in the military, security software, manufacturing supply chain, healthcare and pharmaceutical sectors to steal Microsoft Office 365 and Outlook credentials. The operation is ongoing and the threat actor behind it uses fake voicemail notifications to lure victims into opening a malicious HTML attachment. The threat actors leverage email services in Japan to route their messages and spoof the sender’s address, making it look like the emails originate from an address belonging to the targeted organization. The email has an HTML attachment that uses a music note character in the filename to make it appear as if the file is a sound clip. In reality, the file contains obfuscated JavaScript code that takes the victim to a phishing site. The URL format follows an assembly system that considers the targeted organization’s domain to make it appear as if the site is a legitimate subdomain.

ANALYST NOTES

Phishing remains one of the most common sources of initial compromise for organizations, so it is crucial to train employees to spot and report suspicious emails. In this attack, victims can spot the spoofed sender’s address, which attempts to make it appear as if it came from within their own organization. One can check for signs this information may be spoofed by looking at the Email header, at the “From”, “Reply-To” and “Return-Path” fields. Additionally, the credential harvesting page, which presents as a Microsoft 365 login page, was hosted on a variety of non-Microsoft domains. Malicious macros in attachments and credential harvesting pages are two of the most common methods threat actors employ in phishing attacks.

https://www.bleepingcomputer.com/news/security/microsoft-365-credentials-targeted-in-new-fake-voicemail-campaign/