2 min Security

Office 365 phishing campaign uses fake voicemails

Office 365 phishing campaign uses fake voicemails

Cybercriminals are constantly finding new ways to steal data from victims. For example, a new phishing campaign uses fake voicemail messages to convince targets to surrender their Office 365 credentials.

The campaign was discovered by McAfee security researchers, reports SiliconAngle. The campaign basically works in the same way as other campaigns: the cybercriminal selects targets – mostly middle and high-level managers in an organisation – and sends them an e-mail.

However, the content of the e-mail is different from that of other phishing attacks. In this case, the legitimate looking e-mail consists of a message stating that the recipient has received a voice message. The e-mail also contains information about that so-called message, such as the date, the duration of the call and the name of the organisation. This makes the mail seem even more legitimate.

Stealing data

The e-mail then tries to get the target to click on an attachment. If the victim does so, he or she will be placed on a phishing website where it says that Microsoft will retrieve the message. The user just has to log in first to do so. In this way, his/her login details are taken.

Nowadays, phishing receives a lot of attention, so there is a chance that users will become suspicious at that point. However, cybercriminals seem to have thought about this too. A short audio recording of the so-called voicemail is played, which sounds like a real voicemail. This way, someone is convinced to log in anyway.

Preventing an attack

Carrying out the attack seems easy: hackers can simply buy one of three kits especially for this purpose off the dark web. Therefore, there is a good chance that many such attempts will be made.

According to the researchers, the criminals focus on fifteen different industries. These include the financial sector and IT services.

Fortunately, companies can take measures to prevent them from becoming the victim of an attack. Most important is to train staff to ensure that they recognise and are prepared for phishing attacks.