Small and medium sized businesses are being targeted at an increasing rate each year.  2021 was the costliest year for data breaches in the previous 17 years, and 2022 is on track to outpace even that.  Phishing scams have become so common that one in every 99 emails is a phishing email.

As phishing scams have become more common, cybercriminals are trying new methods to disguise phishing emails so that they look more legitimate.  One such method, originally found in 2019 and later found in use again in 2021, was a phishing scam targeting Office 365 users that was disguised as a voicemail.

How The Phishing Email Worked

The phishing campaign targeted U.S. organizations in the military, security software, manufacturing supply chain, healthcare and pharmaceutical sectors.  The target of the campaign was Microsoft Office 365 and Outlook credentials.

Researchers at a cloud security company called Zscaler discovered the campaign and found that it was similar to a previous operation found in mid-2020.  The cybercriminals used email services in another country, this time in Japan, to route their messages, and then spoofed the sender's address to make it look like the email came from the recipient's own organization.

Spoofing is a method used by cybercriminals in which they disguise the address they send from so that it appears to belong to someone else.  Common tricks used when spoofing an email are to use common misspellings, or hard to read characters, so that an otherwise unsuspecting victim thinks they are speaking with someone else in an email.  A spoofed domain trying to appear to be from Someone@support.microsoft.com may appear as Someone@suport.microsof1.com

If you're not careful, you may miss the missing p in support, or the 1 at the end of the domain.

Cybercriminals employed spoofing methods like the above to disguise an email as a voicemail, adding a music note as a character in the spoofed email header to make the attachment appear to be a sound clip.  In reality, the file contained JavaScript code that took the victim to a phishing site.

A Phishing Site is a webpage that is disguised to look like it’s a legitimate page from a well-known organization, in this case it was a webpage that looked like a Microsoft 365 Login page.  These sites are intended to collect the data the victim inputs.  When the user is brought to the phishing page disguised as a Microsoft login portal, the data the victim enters into the Username and Password field gets transmitted to the cybercriminal, and the phishing scam is complete.

This particular scam first had users go to a webpage that used some more JavaScript code to appear to be a webpage from the victims’ own company claiming to have a Voicemail waiting.  The cyber criminals went even further by implementing a fake CAPTCHA check, which was designed to evade anti-phishing tools and increase the illusion of legitimacy to the victim.

Following the CAPTCHA check they would be brought to a Microsoft login page, where they would enter their credentials.  However, the page would typically show an improper URL at the top, normally using URLs like: briccorp.com, bajafullfillrnent.com, dorrngroup.com, and some others.

Avoiding Phishing Scams Like These

There are several steps that must occur first before a phishing scam like the one above can gain your credentials.  By following some basic practices you can be aware of and avoid phishing scams like these.

  • Always verify the domain of the person you are communicating with. Checking the domain in the message header will reveal what organization the person is sending from.  If someone from Microsoft is emailing you, the domain following the @ symbol should clearly state they are with Microsoft.
  • Never click links in an email that is sent to you without verifying their destination. If sent a hyperlink in an email, you can always hover the mouse cursor over the link without clicking it to reveal where it will take you. If the website is not familiar, best practice is to delete the email.
  • Do not automatically download images or content in emails that are sent to you. Many email clients such as Outlook by default do not automatically download email content such as images, or run code embedded in the messages.  It is best that you do not download image content or run embedded code in emails to prevent potential malware from being delivered to your machine this way.
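The lookalike-domain trick described above (suport.microsof1.com standing in for support.microsoft.com) and the first two checks in the list can be automated. The following is an added example, not code from the original post or from Natural Networks; the trusted-domain list, the confusable-character table, and the sample sender addresses and HTML links are constructed for illustration.

```python
import re

# Domains this organisation actually trusts (constructed list for the example)
TRUSTED_DOMAINS = ["microsoft.com", "support.microsoft.com"]

# Characters attackers commonly substitute for letters in lookalike domains
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def fold_confusables(domain):
    """Map digit/letter look-alikes back to the letters they imitate."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance: count of insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    """Return 'trusted', 'lookalike' or 'unrelated' for a bare domain name."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    folded = fold_confusables(domain)
    # Within two edits of a trusted domain after folding means imitation,
    # e.g. "suport.microsof1.com" is one missing p and one swapped letter away
    if any(edit_distance(folded, t) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unrelated"


def classify_sender(address):
    """Classify the domain after the @ in a From: address."""
    m = re.match(r"^[^@\s]+@([A-Za-z0-9.-]+)$", address)
    return classify_domain(m.group(1)) if m else "invalid"


def suspicious_links(html):
    """Links whose visible text names a trusted domain but whose href goes elsewhere."""
    found = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.S):
        host = re.sub(r"^https?://", "", href).split("/")[0].lower()
        if classify_domain(host) != "trusted" and any(t in text.lower() for t in TRUSTED_DOMAINS):
            found.append(href)
    return found
```

Run the sender check against the From: header of a message, and the link check against its HTML body, before anyone hovers or clicks; both functions only flag messages for review and never follow a link themselves.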

Besides the above methods, which can go a long way in preventing you from falling victim to phishing scams, Natural Networks can also help with added protections such as a spam filter, or blocking known bad web sources with DarkCubed.

These tools can help prevent spam, malware, and phishing emails from reaching your inbox, and help stop phishing scams before you even notice them.  If you're interested in learning more about how Natural Networks can provide your organization with email and cyber security, give us a call today!