Attackers Phish Office 365 Users With Fake Voicemail Messages

Admin  |  2019-11-06

Recent phishing campaigns have combined a clever use of fake voicemail, phony Microsoft email, and off-the-shelf phishing kits to target high-value victims, from middle management to executive level staff.

How the Office 365 phishing campaign works

The rogue emails contain Microsoft’s logo and inform recipients that they’ve missed a call. The messages include information such as caller ID, date, call duration, organization name and a reference number.

The emails carry HTML attachments which, if opened, redirect users to a phishing site that claims Microsoft is fetching their voicemail and asks them to log in. During this step, the page plays a short audio recording meant to convince victims they are listening to a legitimate voicemail.

Once the recording is played, users are redirected to another rogue website that mimics the Office 365 login page. If victims input their passwords, they receive a successful login message and are redirected to the legitimate office.com website.

Commercial phishing kits used

The McAfee researchers have determined that phishers are launching these attacks with the help of three different phishing kits available on the underground market. One of them is even called Voicemail Scmpage 2019.

The wide availability of these kits lowers the barrier of entry for many cybercriminals. Since little knowledge or skill is required to launch these attacks, it’s likely they will become even more common.

Impact and mitigation for fake voicemail phishing

One indicator of these phishing attempts is an email attachment named in the pattern DD-Month-YYYY.wav.html: an HTML file carrying a double extension so that it looks like an audio recording.
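The attachment naming pattern above lends itself to a simple mail-gateway or SIEM check. The following is an added example written for this page, not code from McAfee or from the phishing kits described; the sample messages are constructed, and the broader "audio extension followed by an HTML extension" rule is an assumed generalization of the single filename pattern the article reports.

```python
import re
from typing import Dict, List

# Narrow rule: the exact naming scheme reported for this campaign,
# e.g. "05-November-2019.wav.html" (two-digit day, month name, four-digit
# year, a .wav "audio" extension, then a trailing .html or .htm).
VOICEMAIL_LURE_RE = re.compile(
    r"^\d{2}-[A-Za-z]{3,9}-\d{4}\.wav\.html?$", re.IGNORECASE
)

# Broader rule (assumed generalization): any attachment whose name ends in a
# common audio extension immediately followed by an HTML extension. Legitimate
# voicemail systems deliver audio files, not HTML pages named like audio files.
AUDIO_THEN_HTML_RE = re.compile(
    r"\.(wav|mp3|m4a|ogg|wma)\.html?$", re.IGNORECASE
)


def classify_attachment(name: str) -> str:
    """Return 'voicemail_lure', 'double_extension' or 'ok' for one filename."""
    if VOICEMAIL_LURE_RE.match(name):
        return "voicemail_lure"
    if AUDIO_THEN_HTML_RE.search(name):
        return "double_extension"
    return "ok"


def scan_messages(messages: List[Dict]) -> List[Dict]:
    """Run the attachment checks over parsed message metadata.

    Each message is a dict with 'id', 'subject' and 'attachments' (filenames).
    Returns one alert per suspicious attachment with the rule that fired.
    """
    alerts = []
    for msg in messages:
        for attachment in msg["attachments"]:
            verdict = classify_attachment(attachment)
            if verdict != "ok":
                alerts.append({
                    "message_id": msg["id"],
                    "subject": msg["subject"],
                    "attachment": attachment,
                    "rule": verdict,
                })
    return alerts


# Constructed sample metadata, standing in for what a mail gateway would hand
# to a filter. None of these are real messages or real indicators.
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "You have a new voicemail",
     "attachments": ["05-November-2019.wav.html"]},
    {"id": "m2", "subject": "Missed call notification",
     "attachments": ["recording.mp3.htm"]},
    {"id": "m3", "subject": "Q3 invoice",
     "attachments": ["invoice.pdf", "notes.txt"]},
    {"id": "m4", "subject": "Meeting recording",
     "attachments": ["standup.wav"]},
]

if __name__ == "__main__":
    for alert in scan_messages(SAMPLE_MESSAGES):
        print(f"{alert['message_id']}: {alert['attachment']} -> {alert['rule']}")
```

The narrow rule is low-noise but brittle, since the kit operator can rename the lure at will; the broader rule catches the underlying trick (an HTML page posing as an audio file) and is the one worth keeping in a gateway policy, where HTML attachments to external senders can simply be quarantined.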

Compromised Office 365 credentials are valuable to hackers because a single account can grant access to a wide range of services. The FBI estimates that business email compromise (BEC) scams have cost organizations worldwide over $26 billion over the past three years.

IT administrators are encouraged to turn on two-factor authentication (2FA) for their organizations’ Office 365 accounts. Training employees on how to identify phishing emails should be the first line of defense.