Login into account in email envelope and fishing hook. Phishing scam, hacker attack and web security concept. online scam and steal. vector illustration in flat design
Image: Rogatnev/Adobe Stock

Email phishing campaigns are regularly hitting organizations in the U.S., but voicemail phishing is less common. A new report from Zscaler exposes a new attack scheme  begun in May 2022 that aims to collect valid credentials for Office 365 mailboxes.

It all starts with an email

In this attack campaign, an email is sent to selected targets. The email is a notification of a new voicemail, which can be listened to by opening an attachment file (Figure A).

Figure A

Image: Zscaler. Voicemail-themed phishing email containing an attached file.

The From field of the email is crafted. In Figure A, it mentions Zscaler because it has targeted an employee of the company.

The attachment file is an HTML file containing obfuscated JavaScript code which redirects the user to a URL controlled by the attackers. That URL follows a constant format containing the name of the targeted organization, as well as an encoded version of the email address of the targeted employee (Figure B).

Figure B

Image: Zscaler. URL format used in the attack campaign.

In case the encoded email address is missing at the end of the URL, the user is redirected to the Wikipedia page of Microsoft Office or to the Microsoft Office website.

This URL leads to a second URL which shows a captcha from Google reCaptcha to the user.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

Once the user has entered the correct captcha information, they are shown the final content, which is an Office 365 phishing page (Figure C).

Figure C

Image: Zscaler. Office 365 phishing page prefilled with the email address from the target.


The researchers have collected URLs related to that phishing campaign in their telemetry and could determine who the targeted organizations are based on the URL. They indicate that targets for this phishing campaign are organizations in the U.S. military, security software developers, security service providers, healthcare and pharmaceutical providers, and supply-chain organizations in manufacturing and shipping.

The final goal of the attackers remains unknown. The cybercriminals may want to receive access to specific mailboxes from corporations or get an initial foothold to whole corporate networks to conduct more fraud or cyberespionage operations.

Not a new phishing scheme, but effective

Erich Kron, security awareness advocate with KnowBe4, commented:

“While not a new approach, using voicemail notifications does continue to be very effective, as they tend to blend into the types of notifications that are part of our daily work. Unlike many other phishing campaigns, this one does involve more research and effort as the attacks are customized for each target. The result of a successful attack, the theft of a username and password, can be well worth the additional effort, because of the access to the email account, plus the fact that people have a tendency to reuse passwords on other systems.

“To protect against this, employees should be trained on how to spot and report phishing attacks, and how to check the browser’s URL bar to ensure the website where they are entering credentials is legitimate. The use of multi-factor authentication can be very helpful in these cases as well.”

How to protect yourself from targeted voicemail phishing

Comprehensive email security solutions should be used to detect, block and alert for such content. An email containing an HTML file consisting of obfuscated JavaScript should immediately raise an alert.

Multi-factor authentication also needs to be set for every service or website that is Internet-facing. This way, should an attacker manage to obtain a valid login and password, he still would not be able to connect to the service with proper MFA deployed. This is particularly important for VPN access and webmail services, which are the most targeted Internet-facing services.

Systems and software should also always be kept up to date and patched, to prevent from falling to common vulnerabilities used by attackers to get an initial foothold on targeted companies.

Employee awareness should also be raised on phishing and fraud. Users also need to have an easy way to report suspicious emails to their IT department for analysis.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays