Fake voicemail notifications aid scammers to collect Office 365 login credentials
Heard of phishing attacks? There’s been an update!
They are no longer your usual garden-variety email-based attacks. As the average customer becomes increasingly suspicious of unauthorized emails in their inboxes, malicious attackers get more creative and expand their arsenal of weapons. The latest strategy leverages the sense of urgency created by voicemails to collect login credentials.
How did this happen?
McAfee, a leading cybersecurity solutions provider, uncovered a scamming campaign which targets Office 365 users. It involves the use of forged voicemail messages that appear to be from staff members across a variety of verticals, including retail, finance, insurance, IT services, and others. Researchers have termed this kind of attack ‘a whaling campaign’ on account of its broad reach and impact.
The attack commences fraudulent email attachments in form of an HTML file. The email informs the target that they have a missed phone call, and requests them to login to their account in order to access the voicemail. When opened, these attachments play a fake voice message that redirects the unsuspecting victim to a phishing website that prompts the user to login to their account. Thereafter, the victim receives a successful login message and is redirected to the legitimate Microsoft Office.com website. Unknown to the victim, this simple set of steps has allowed hackers to access login credentials, which are used to impersonate staff members. This enables scammers into access internal systems. Other data that is stolen via this attack includes passwords, email addresses, location, and IP addresses.
According to researchers at McAfee, the consequences can become increasingly severe if the targeted person reuses the same password as it makes the user more vulnerable to other attacks.
This campaign illustrates the adverse impacts of not choosing the right security solutions. Strong two factor authentication and powerful anti-phishing measures are essential in keeping your network and identity from being misused. This is in addition to a dynamic cybersecurity solution that responds to the need of the hour by providing constant patch updates, regular VAPT checks and round the clock network health check.
Logix has a core competency in securing over half a million mailboxes and safeguard your network and brand against Advanced Malware (known and unknown Malware), Spear-phishing, Domain Impersonation/ Domain Spoofing, Zero day, Whaling, Targeted Email threats, Ransomware, Crypto ware, Business Email Crime (BEC) attacks. We defend your inbox with our multi layered, multi-tiered Security approach, multiple threat intelligence detection & prevention tools and provide essential configuring, migrating & supporting email security solutions tailored to unique client requirements.
Visit our Email Security page to know more about what Logix can do for you!