Attackers are using an oft-used and still effective lure to steal credentials to key Microsoft apps by sending emails notifying potential victims that they have a voicemail message, researchers have found.
A team from Zscaler ThreatLabZ has been monitoring a campaign since May that targets key vertical industries in the United States with “malicious voicemail-notification-themed emails in an attempt to steal their Office365 and Outlook credentials,” researchers said in a blog post published recently. Both the emails and the credential-stealing page appear to be coming from legitimate entities, tactics that aim to dupe victims into falling for the ploy, they said.
In fact, Zscaler itself was one of the organizations targeted in the campaign, which researchers said is similar to one that ThreatLabZ discovered in July 2020. This gave ThreatLabZ particular insight into how the campaign works.
Other victims of the latest campaign include organizations in specific U.S. verticals, including software security, the military, security solution providers, healthcare and pharmaceutical, and the manufacturing supply chain, researchers said.
While the tactics in the campaign are far from novel, threat actors appear to be taking an “if it ain’t broke, don’t fix it” approach to stealing credentials as a way to access corporate networks, noted one security professional.
The sad fact is, they still work, and as long as that’s the case, attackers will still leverage them, Erich Kron, security awareness advocate with security firm KnowBe4, said in an email to Threatpost.
“While not a new approach, using voicemail notifications does continue to be very effective, as they tend to blend into the types of notifications that are part of our daily work,” he observed.
How the Attack Works
However, one aspect of the campaign that does set it apart from other similarly themed attacks is that it involves “more research and effort as the attacks are customized for each target,” he said.
Attackers aim to lure victims with an email that informs them that they have a new voicemail in a message that appears to be coming from the targeted organization, according to ThreatLabZ. They use an address in the “From” field that mimics the targeted organization’s name as well as logo branding on the mail itself to appear legitimate.
The messages include an HTML attachment that, if opened, redirects the user to a credential-phishing site that also appears to be the real deal by mimicking Microsoft’s own log-in page.
Further, attackers use a consistent format for the URLs used in the redirect process “which included the name of the targeted organization as well as the email address of the targeted individual,” researchers observed.
“For instance, when an individual in Zscaler was targeted, the URL used the following format: zscaler.zscaler.briccorp[.]com/<base64_encoded_email>,” they wrote in the post.
The credential-phishing site even uses Google’s reCAPTCHA technique—requiring targets to prove they are “not a robot” by identifying objects in photos–to lend more credibility to the experience. This previously used tactic also helps attackers ” evade automated URL analysis tools,” a tactic also used in the July 2020 campaign, according to ThreatLabZ.
If a victim follows through on the CAPTCHA, he or she is then redirected to legitimate-looking Microsoft Office 365 sign-in page to enter credentials on a site controlled by attackers, according to the post. Analysis conducted by ThreatLabZ on the email headers used in the campaign shows that threat actors used email servers located in Japan to stage attacks, researchers said.
Avoiding Credential Theft
As the campaign remains active, both ThreatLabZ and KnowBe4’s Kron recommend that organizations reiterate secure email practices with their employees to ensure that they’re not giving up their credentials to attackers.
As an extra precaution, users should not open attachments in emails sent from untrusted or unknown sources, researchers noted. Moreover, as a best practice, in general, users should verify the URL in the address bar of the browser before entering any credentials, they said.
Indeed, organizations should train employees on how to spot and report phishing attacks, as well as how to check the browser’s URL bar to ensure the website where they are entering credentials is legitimate, Kron said.
They also can use multi-factor authentication so even if employees do give up credentials, there is an extra safeguard to keep attackers off the corporate network, he added.