Fake voicemails used for MS Office 365 credentials harvesting

Fake Voicemails Vishing MS Office365 Credentials Harvesting

A newly discovered phishing campaign has been compromising US entities such as the military, manufacturing, healthcare, pharmaceutical and security software sectors to harvest Microsoft Office 365 credentials.

The cybercriminal operation is currently active, and its operators use fake voicemail notifications to bait targets into accessing a malicious HTML attachment. Based on reports, the recently discovered phishing campaign’s TTPs overlap with another operation studied by the researchers a couple of years ago.

The adversaries leveraged an email service in Japan to redirect their messages and impersonate the sender’s address, making it appear that the emails came from an address owned by the targeted organisation.

The phishing email has an attached HTML with a music note character in its title to make it look like the file is an audio clip. However, the file contains an obfuscated JS code that will redirect the target to a phishing website.

Subsequently, the URL format will trace an assembly system that considers the targeted organisation’s domain to show it as if the site is an authentic subdomain. The redirection method will take the target to a CAPTCHA check, which the threat actors develop to avoid getting checked by anti-phishing tools and increase the authenticity of the compromised website.

Oddly enough, the CAPTCHA feature was also used by the 2020 threat campaign and has been influential throughout the phishing campaign.


MS Office 365 accounts are at risk because of this new voicemail campaign.


Once the target passes the CAPTCHA step, they will again be redirected to a legitimate-looking phishing page that can harvest Microsoft Office 365 accounts and credentials.

Careful users would likely notice that a domain of the login page does not belong to Microsoft or an organisation since the domain names are coded as random words, which do not complement Microsoft.

Therefore, users should always double-check the login portal before entering their username and password to avoid getting affected by these phishing attacks. Moreover, these phishing campaign types will likely request a relog to confirm that their target has used the correct credentials for their accounts.

Phishing emails that are voicemail-themed with HTML attachments have been used for more than a couple of years ago. However, threat actors still use this kink of attacks since it shows how effective it is against numerous targets.

About the author

Leave a Reply