Researchers at Zscaler warn that a spear phishing campaign is targeting the US military and other sectors with phishing emails that purport to be voicemail notifications. The emails contain links to a phishing page designed to harvest Microsoft Office 365 credentials.
“The email theme is focused on a voicemail notification that tells the victim they have a missed voicemail, prompting the user to open the HTML attachment,” Zscaler says. “This social engineering technique has worked successfully for the threat actor in previous campaigns. The ‘From’ field of the email was crafted specifically to align with the targeted organization's name.”
The campaign is targeting a variety of sectors, including the US military and security software developers.
“Since the format of the URL gives away critical information about the target, we used that information from our collected telemetry to enumerate the list of targeted organizations and individuals,” the researchers write. “Based on analysis of this telemetry, we can conclude with a high confidence level that the targets chosen by the threat actor are organizations in the US military, security software developers, security service providers, healthcare / pharmaceutical and supply-chain organizations in manufacturing and shipping. It is important to note that if the URL does not contain the base64-encoded email at the end; it instead redirects the user to the Wikipedia page of MS Office or to office.com.”
The researchers note that the attackers have taken measures to avoid cybersecurity technologies in place.
“Voicemail-themed phishing campaigns continue to be a successful social engineering technique for attackers since they are able to lure the victims to open the email attachments,” Zscaler says. “This combined with the usage of evasion tactics to bypass automated URL analysis solutions helps the threat actor achieve better success in stealing the users' credentials. As an extra precaution, users should not open attachments in emails sent from untrusted or unknown sources. As a best practice, in general, users should verify the URL in the address bar of the browser before entering any credentials.”
New-school security awareness training can teach your employees to follow security best practices so they can avoid falling for targeted social engineering attacks.
Zscaler has the story.
Here's how it works:
