New Office 365 Phishing Scam Uses Real Audio Recordings to Trick Victims

A new Office 365 phishing campaign is luring victims using a fake voicemail message. The scam aims to redirect recipients to a spoof webpage that prompts them to enter their login credentials. 

The email informs Microsoft users that they have a missed call and instructs them to log into their account to access the voicemail message. Similar to other phishing scams, the fraudulent email encourages recipients to act right away, explaining “This is an automated message and needs immediate attention.” 

However, what sets this phishing campaign apart from others is that it incorporates audio to create a sense of urgency, which prompts victims to access the malicious link. Attached to the email is a file that automatically plays an audio recording that sounds like a genuine voicemail saying “Hello”.

After the recording ends, recipients are told that in order to hear the rest of the voicemail, they need to log in with their Office 365 credentials. They are then redirected to a phishing website that resembles the Microsoft login page and requests their details. The fake page is designed to harvest as many credentials as possible, giving cybercriminals access to personal information and potentially allowing them to access other accounts owned by the victim.

To add credibility, the page is prepopulated with the recipient’s email address. Victims who enter their password are then sent to another page saying the account was “successfully confirmed” before they’re redirected to the official Microsoft Office login page.

Unfortunately, this is not the first time that Microsoft Office users have been targeted in recent months. Back in August, a phishing scam issued fake alerts to Microsoft 365 domain administrators, in a bid to compromise their accounts. However, the use of audio in this scam indicates that cybercriminals are adopting more sophisticated techniques. 

Regardless of these emerging phishing techniques, there are a number of ways you can protect yourself from suspected phishing scams: 

  • Never click on links or download attachments from unknown sources.  
  • Always verify the security of a website by checking the URL.  
  • Pay close attention to the spelling of an email or web address; if there are any inconsistencies, delete the email immediately.
  • Implement two-factor authentication (2FA) for extra protection. 
  • Install the latest anti-virus software solutions on your devices.  
  • Use strong passwords to reduce the chance of devices being hacked and use different passwords for different accounts.  
  • Question the validity of any email that asks you to submit personal or financial information.  
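
The URL checks from the list above can be applied automatically to a "log in to hear your voicemail" link before anyone types a password; the following Python sketch is an added example, not part of the original article. The allowlisted sign-in hosts, brand tokens, finding names and sample link are assumptions, and because the article does not say how the fake page receives the recipient's address, the check for an address carried in the URL is an assumption too.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Assumption: hosts treated as genuine Microsoft sign-in pages for this check.
GENUINE_SIGNIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
BRAND_TOKENS = ("microsoft", "office365", "outlook")  # assumed lookalike markers


def contains_address(url: str, recipient: str) -> bool:
    """True if the recipient's address is in the URL, in plain text or base64."""
    needle = recipient.lower()
    decoded = unquote(url)
    if needle in decoded.lower():
        return True
    for token in re.split(r"[/?&=#]+", decoded):
        if len(token) < 8:
            continue
        try:
            padded = token + "=" * (-len(token) % 4)
            text = base64.urlsafe_b64decode(padded).decode("utf-8", "ignore")
        except ValueError:  # not base64 (binascii.Error is a ValueError)
            continue
        if needle in text.lower():
            return True
    return False


def assess_login_link(url: str, recipient: str) -> list[str]:
    """Return the reasons a 'log in to hear your voicemail' link looks suspicious."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    genuine = host in GENUINE_SIGNIN_HOSTS
    findings = []
    if not genuine:
        findings.append("host-not-on-signin-allowlist")
    if parts.scheme != "https":
        findings.append("not-https")
    if not genuine and any(token in host for token in BRAND_TOKENS):
        findings.append("brand-lookalike-host")
    # Genuine sign-in links may carry the address as a hint, so only flag other hosts.
    if not genuine and contains_address(url, recipient):
        findings.append("recipient-address-in-url")
    return findings


if __name__ == "__main__":  # constructed sample link, not taken from the campaign
    sample = "https://login.microsoftonline.com.voicemail-portal.example/?u=dXNlckBleGFtcGxlLmNvbQ=="
    print(assess_login_link(sample, "user@example.com"))
```

An empty list means the link points at an allowlisted sign-in host over HTTPS; any finding is a reason to report the email rather than log in.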

Find Out More  

For further information on how you can protect your business from phishing attacks, download our free Ultimate Guide to Phishing.

Our award-winning MetaPhish platform provides a powerful defence against phishing and ransomware attacks by training employees how to identify and respond appropriately to these threats. It has helped protect organisations across the world from this ongoing threat and provides the first line of defence against phishing attacks. Contact us for further information and learn how we can help protect your business.
