Security firm Armorblox has discovered a new vishing (voice phishing) campaign that impersonates Microsoft to gather information from unsuspecting victims. The threat actor sends two separate emails from a Gmail account that bypassed verification checks. The emails contain copycat invoices for Microsoft Defender subscriptions that the recipient did not pay for, along with a toll-free phone number to call to take action on the invoice. The call is answered by a “representative” who instructs the caller to install the AnyDesk application in order to receive a refund for the purchase. Instead of a refund, AnyDesk gives the attacker remote access to the victim’s devices, making it easy to install malware or steal credentials. Vishing attempts have increased steadily throughout the year, and this campaign is just another example of the techniques in use.
Vishing Technique Dupes Recipients by Posing as Microsoft
Armorblox included recommendations for defending against these types of attacks, including:
1. Supplement your native email security. The initial emails described by Armorblox slipped past Google Workspace’s email security. For better protection, enhance your built-in email security with additional layers that protect against more advanced techniques.
2. Look out for social engineering cues. With email overload, it’s easy to be fooled by a malicious email that appears legitimate at first glance. Instead, engage with such emails methodically. Inspect the sender’s name, email address and the language used within the email. Check for inconsistencies in the message that prompt questions such as: “Why is a Microsoft email being sent from a Gmail account?” and “Why are there no links in the email, even in the footer?”
3. Resist sharing sensitive information over the phone. Be wary of any unsolicited caller who asks for sensitive information or tells you to download something over the phone. If you suspect the call is a scam, simply hang up. If the person provides a call-back number, don’t call it. Instead, look up the customer service number on the company’s website and call that.
4. Follow password best practices. To protect your online accounts, don’t reuse your passwords, avoid passwords that tie into your date of birth or other personal events, don’t use generic passwords, and rely on a password manager to create and maintain complex passwords. Further, set up multi-factor authentication (MFA) on your business and personal accounts wherever possible.
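One way to turn the cues in recommendations 2 and 3 into an automated screening rule for a mail gateway or SOC triage script, as an added example that is not code from the article or from Armorblox; the two sample messages, the free-mail domain list, the brand keywords and the two-indicator threshold are constructed assumptions:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample that mimics the campaign: brand-themed invoice from a
# free-mail account, a call-back number, and no links anywhere in the message.
VISHING_SAMPLE = """From: Microsoft Billing <ms.billing.dept@gmail.com>
To: victim@example.com
Subject: Invoice for Microsoft Defender subscription renewal

Your Microsoft Defender annual subscription has been renewed for $399.99.
If you did not authorize this charge, call our helpdesk at +1 (800) 555-0199.
"""

# Constructed benign sample: brand name, but sent from the brand's own domain with a link.
LEGIT_SAMPLE = """From: Microsoft <account-security-noreply@accountprotection.microsoft.com>
To: victim@example.com
Subject: Your Microsoft account sign-in

See recent activity at https://account.microsoft.com/activity
"""

IMPERSONATED_BRANDS = ("microsoft", "defender")            # assumed brand keywords
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed free-mail list
URL_RE = re.compile(r"https?://", re.IGNORECASE)
PHONE_RE = re.compile(r"\+?1?\s*\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
LURE_RE = re.compile(r"\b(invoice|subscription|renew|charge|refund)\b", re.IGNORECASE)


def vishing_indicators(raw_email: str) -> list[str]:
    """Return the social-engineering cues from the article that the message triggers."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower()
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{subject}\n{body}"
    claims_brand = any(b in f"{display_name} {subject}".lower() for b in IMPERSONATED_BRANDS)

    hits = []
    if claims_brand and domain in FREEMAIL_DOMAINS:   # "Microsoft" mail from a Gmail account
        hits.append("brand name claimed from free-mail sender domain")
    if PHONE_RE.search(text) and not URL_RE.search(text):  # call-back number, zero links
        hits.append("call-back phone number but no links")
    if claims_brand and LURE_RE.search(text):         # fake invoice / refund pretext
        hits.append("unsolicited invoice or refund lure")
    return hits


def is_suspected_vishing(raw_email: str) -> bool:
    """Flag the message when at least two independent cues co-occur (assumed threshold)."""
    return len(vishing_indicators(raw_email)) >= 2
```

The threshold keeps a lone cue (a brand name, or a message without links) from flagging ordinary mail; tune the keyword and domain lists to the brands and senders relevant to your environment.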