A new Office 365 phishing campaign is luring victims using a fake voicemail message. The scam aims to redirect recipients to a spoof webpage that prompts them to enter their login credentials.
The email informs Microsoft users that they have a missed call and instructs them to log into their account to access the voicemail message. Similar to other phishing scams, the fraudulent email encourages recipients to act right away, explaining “This is an automated message and needs immediate attention.”
However, what sets this phishing campaign apart from others is that it incorporates audio to create a sense of urgency which prompts victims to access the malicious link. Attached to the email is a file that automatically plays an audio recording that sounds to be a genuine voicemail saying “Hello”.
After the recording ends, recipients are told that in order to hear the rest of the voicemail, they need to log in with their Office 365 credentials. They are then redirected to a phishing website that resembles the Microsoft login page and requests their details. With the aim of harvesting as many credentials as possible, the fake page will give cybercriminals access to personal information and potentially allow them to access other accounts owned by the victim.
In a means to add credibility, the page is prepopulated with the recipient’s email address. Victims who enter their password credentials are then sent to another page saying the account was “successfully confirmed” before they’re redirected to the official Microsoft Office login page.
Unfortunately, this is not the first time that Microsoft Office users have been targeted in recent months. Back in August, a phishing scam issued fake alerts to Microsoft 365 domain administrators, in a bid to compromise their accounts. However, the use of audio in this scam indicates that cybercriminals are adopting more sophisticated techniques.
Regardless of these emerging phishing techniques, there are a number of ways you can protect yourself from suspected phishing scams:
- Never click on links or download attachments from unknown sources.
- Always verify the security of a website by checking the URL.
- Pay close attention to the spelling of an email or web address, if there are any inconsistencies, delete immediately.
- Implement two-factor authentication (2FA) for extra protection.
- Install the latest anti-virus software solutions on your devices.
- Use strong passwords to reduce the chance of devices being hacked and use different passwords for different accounts.
- Question the validity of any email that asks you to submit personal or financial information.
Find Out More
For further information on how you can protect your business from phishing attacks, download our free Ultimate Guide to Phishing.
Our award winning MetaPhish platform provides a powerful defence against phishing and ransomware attacks by training employees how to identify and respond appropriately to these threats. It has helped protect organisations across the world from this ongoing threat and provides the first line of defence against phishing attacks. Contact us for further information and learn how we can help protect your business.