A phishing campaign is using voicemail notification messages to go after victims' Office 365 credentials.
Email spoofing basically comes down to sending emails with a false sender address. This can be used in various ways by attackers. Obviously pretending to be someone else can have its advantages especially if that someone else holds a position of power or trust with regards to the receiver.
In this campaign the threat actors use a name in the "From" field of the email aligned with the targeted organization's name. An internal mail is more likely to be trusted by the receiver. Analysis of the email headers shows that the attacker leveraged email servers located in Japan.
The final credential phishing page attempts to steal the Office 365 credentials of the users by presenting them with a fake login screen. The redirection URL includes the target’s email address in base64 encoded, likely so the attackers will be able to match the victim and their login credentials.
The researchers found the campaign targeting organizations in the US military, security software developers and providers, healthcare and pharmaceutical, and supply-chain organizations in manufacturing and shipping.
How to avoid being phished
- Do not open unverified email attachments. If someone you know sends you an attachment you're not expecting, check it is really them via another contact method.
- Do not enter your credentials before checking the actual URL of the site.
- If you use a password manager that autofills your login details, it will not enter your credentials on a phishing site because it will have a different URL. This is a really handy giveaway that something is up.
- Enable 2-factor authentication (2FA). If you hand over your password to a phishing page, the phisher can’t do much with it while you’re protected with 2FA. This isn't foolproof though, as some phishing sites will also try to steal your 2FA codes.
Stay safe, everyone!