Office 365 provides users the ability to use all traditional Office Suite applications such as Word, PowerPoint, Excel, Access, Outlook, etc. on the go. This widespread usage acts as a prime reason for its popularity among varied businesses and working professionals. But this popularity has attracted a lot of attention from hackers and the dark web world.
According to a blog published by McAfee Labs Senior Security Researcher, Oliver Devane, Voicemail Phishing attacks using different phishing kits have been on a steady incline in recent weeks. While voicemail phishing technique is not alien to anyone but using multiple phishing kits to enable a voicemail phishing attack is a first of its kind.
Oliver further explains the chronology of events in this phishing attack:
- The attack is initiated by sending a fake voicemail attachment to the user through an email. This email informs the user about a missed phone call, along with a request to login to their account to access their voicemail.
The following filenames used for attachments of phishing emails act as its indicators:
- 10-August-2019.wav.html [Format: DD-Month-YYYY.wav.html]
- 14-August-2019.html [Format: DD-Month-YYYY.html]
- Voice-17-July2019wav.htm [Format: Voice- DD-MonthYYYYwav.htm]
- Audio_Telephone_Message15-August-2019.wav.html [Format: Audio_Telephone_MessageDD-Month-YYYY.wav.html]
On accessing the attached HTML file the user is redirected to a fake phishing webpage. While redirecting an audio recording is played making the user believe the authenticity of the received voicemail message. On inspecting the source code of this audio file the following HTML code was discovered:
<audio autoplay hidden>
<source src=”http://soundbible.com/mp3/Hello-Soundbible.com-218208532.mp3” type=”audio/mp3”>
Once the fake phishing webpage is loaded the user can see a Microsoft logo and respective email address prepopulated on the landing page replicating Microsoft’s login landing page. This screen prompts a user to enter the password stating, “Enter Password. Because you’re accessing sensitive info, you need to verify your password”.
When the password is entered, a success message is displayed on the screen and the user is further redirected to the office.com login page.
As mentioned earlier, voicemail phishing is not new to the world of cybersecurity. But this time around attackers have used not one or two, but three different phishing kits. McAfee’s report makes a mention of these three kits, namely, Voicemail Scmpage 2019, Office 365 Information Hollar, and the third one is unnamed yet, has a close resemblance to an old phishing kit used to target users in 2017. These kits are phishing users’ credentials such as email, password, IP Address, and Location.
McAfee also stated that its customers using VSE, ENS, Livesafe, WebAdvisor, and MGW are protected against these phishing campaigns as it has already taken preventive measures. McAfee has advised its users to be extra vigilant about emails and corresponding attachments received from unknown senders and requested them to use Two-Factor Authentication (2FA) instead of Single-Factor Authentication (SFA).