Researchers have observed a new phishing campaign using a fake voicemail message to lure victims into entering their Microsoft Office 365 credentials.

Researchers from McAfee Labs detected an increase in the usage of phishing kits targeting Microsoft Office 365 credentials. 

In the campaign, an email is sent, pretending to be from Microsoft Office 365 claiming that a call was missed and that the caller left a voicemail.

Attached to the email is an HTML attachment, which when opened will automatically play an audio recording which only plays a partial voicemail saying hello. 

After the audio file finishes playing, the user is redirected to a generic Microsoft landing page – whereby the user is prompted to login to hear the full recording. However, when the user enters their credentials they are redirected to instead of hearing a full voicemail. 

At this point, the threat actors have stolen the user’s login credentials. 

In their report, McAfee stated: “we were surprised to observe three different phishing kits being used to generate the malicious websites. All three look almost identical but we were able to differentiate them by looking at the generated HTML code and the parameters which were accepted by the PHP script.”

Two of the phishing kits are actively being sold on the dark web and are named “Voicemail Scmpage 2019” and “Office 365 Information Hollar”, while the third phishing kit is unnamed. McAfee observed the third unnamed kit to be the most prevalent. 

The phishing emails are targeting a wide range of industries including Service (18%), Financial (12%) and IT Services (12%). The least targeted industry is Charity (1%). 

The attacks are also targeting various employees, from middle management to executive level staff. 

Researchers have dubbed this campaign as the “Phishing” and “Whaling” campaign. 

“The goal of malicious actors is to harvest as many credentials as possible, to gain access to potentially sensitive information and open the possibility of impersonation of staff, which could be very damaging to the company. The entered credentials could also be used to access other services if the victim uses the same password, and this could leave them open to a wider of range targeted attacks.

“What sets this phishing campaign apart from others is the fact that it incorporates audio to create a sense of urgency which, in turn, prompts victims to access the malicious link. This gives the attacker the upper hand in the social engineering side of this campaign.

“We urge all our readers to be vigilant when opening emails and to never open attachments from unknown senders. We also strongly advise against using the same password for different services and, if a user believes that his/her password is compromised, it is recommended to change it as soon as possible.”