This file contains two links to either “Accept voice message” or “Listen to voice message.” Clicking on either option will send the victim to a spoofed Microsoft OneDrive login page, where their credentials will be harvested.
After this, however, the victim is sent to the website selling voice-to-email messaging services, so the attacker is apparently trying to make extra money off of commissions by driving traffic to this site. My Online Security also notes that there are other fake login pages on the phishing site, including one that spoofs Chase Bank, so the campaign isn’t limited to targeting OneDrive credentials.
“We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt,” says My Online Security. “Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says ‘you have won a prize’ or ‘sign up to this website for discounts, prizes and special offers.’ … All of these emails use social engineering tricks to persuade you to open the attachments that come with the email.”
Phishing attacks are constantly changing, but their foundations remain the same. This one is unusual in that it offers a novel sort of alert for a familiar bit of functionality--voicemail--that we’re predisposed to use. New-school security awareness training can help your employees recognize this behavior by teaching them to be on the lookout for social engineering tactics.