Microsoft Office is a favored attack vector for many bad actors, with Office 365 taking the brunt of global phishing attacks. Earlier this year, Kaspersky Lab claimed 70% of all malware attacks go through Office. According to a new report, a recent fake voicemail campaign targeting high-profile organizations was hunting for Office 365 credentials to exploit.
With this latest phishing attack, attackers are trying to trick unsuspecting users into giving up their Office 365 details.
McAfee researchers say the victims are “high profile companies”, with a focus on the entertainment, real estate, and tourism sectors.
“The goal of malicious actors is to harvest as many credentials as possible, to gain access to potentially sensitive information and open the possibility of impersonation of staff, which could be very damaging to the company,” said Oliver Devane and Rafael Pena, in research released on Thursday. “The entered credentials could also be used to access other services if the victim uses the same password. This could leave them open to a wider range of targeted attacks.”
Like most phishing campaigns, the attack method is simple. A potential victim receives an email saying they have a missed phone call. This email includes a link for them to log in to their account to hear a voicemail.
However, this link has an HTML file that redirects users to a phishing website. Most well-constructed phishing expeditions involve creating an illusion of legitimacy, and this one is no different. Often, an audio recording is included that sounds like a genuine voicemail.
Once directed to the phishing page, the target's email address is prepopulated and the user is asked to log in to their account.
“What sets this phishing campaign apart from others is the fact that it incorporates audio to create a sense of urgency which, in turn, prompts victims to access the malicious link,” said Devane and Pena. “This gives the attacker the upper hand in the social engineering side of this campaign.”
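The three traits described above (a redirecting HTML file, embedded audio, and the target's own address carried along for prepopulation) can be checked together when triaging HTML attachments. The following is an added example, not McAfee's detection logic or code from the report; the function names, the two-trait threshold, the redirect patterns (meta refresh and script-driven navigation) and the sample file are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Script-driven navigation: location = "...", location.href = "...", location.replace(...)
JS_REDIRECT_RE = re.compile(
    r"location(?:\.href)?\s*=\s*['\"]|location\.(?:replace|assign)\s*\(", re.I)
# Constructed sample attachment (not from the campaign); domains are placeholders.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="3; url=https://login.example.test/?e=user@corp.example">
</head><body><audio autoplay src="voicemail.wav"></audio></body></html>"""


class TraitParser(HTMLParser):
    """Collects redirect and audio traits from one HTML attachment."""

    def __init__(self):
        super().__init__()
        self.traits = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if (tag == "meta" and a.get("http-equiv", "").lower() == "refresh"
                and "url=" in a.get("content", "").lower()):
            self.traits.add("redirect")      # page navigates away without a click
        elif tag in ("audio", "bgsound"):
            self.traits.add("audio")         # recording embedded in the page
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and JS_REDIRECT_RE.search(data):
            self.traits.add("redirect")


def score_attachment(html, recipient):
    """Return the set of traits found in an attachment sent to `recipient`."""
    parser = TraitParser()
    parser.feed(html)
    parser.close()
    # Recipient's address baked into the file, e.g. to prepopulate a login form
    if recipient.lower() in html.lower():
        parser.traits.add("recipient_embedded")
    return parser.traits

def is_suspicious(html, recipient, threshold=2):
    """Flag when at least `threshold` traits co-occur (assumed cut-off)."""
    return len(score_attachment(html, recipient)) >= threshold
```

A single trait, such as an audio tag on its own, is common in benign pages; it is the combination in one mailed HTML file that is worth a closer look.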
The McAfee analysts say three different phishing kits are being used in the attack. The first, called “Voicemail Scmpage 2019”, is advertised on social media and is available through an ICQ channel. The second kit is very similar but is called “Office 365 Information Hollar”. The third phishing kit does not have a name but has been observed before.
All three kits can capture user information such as passwords, addresses, and IPs when connected.
“All three look almost identical but we were able to differentiate them by looking at the generated HTML code and the parameters which were accepted by the PHP script.”