Researchers at Zscaler warn of an increase in voicemail-themed phishing campaigns designed to steal credentials for enterprise applications. The emails purport to be automatically generated notifications from enterprise applications, like Office 365 and Outlook, informing recipients that they’ve received a voicemail from a caller. The messages include an HTML attachment that will redirect the user to the phishing site, where they’ll be asked to enter their credentials in order to log in and hear the message.
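A mail-gateway triage check for the lure described above, as an added example (not code from Zscaler or from this post): it flags HTML attachments that perform a client-side redirect on messages with a voicemail-themed subject. The keyword list, redirect patterns, verdict names and `example.test` addresses are assumptions; the report summary does not say how the attachment performs its redirect.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed heuristics, not taken from the Zscaler report: lure wording and the
# client-side redirect constructs an HTML attachment can use.
LURE = re.compile(r"voice\s?mail|voice message|missed call", re.I)
REDIRECT = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh"
    r"|\blocation\s*(?:\.\s*(?:href|replace|assign))?\s*[=(]", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def triage(raw_email: str) -> list[dict]:
    """Return one finding per HTML attachment in an RFC 5322 message."""
    msg = message_from_string(raw_email, policy=policy.default)
    lure = bool(LURE.search(str(msg.get("Subject", ""))))
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        is_html_name = name.lower().endswith((".htm", ".html"))
        if part.get_content_type() != "text/html" and not is_html_name:
            continue
        body = part.get_content()  # undoes base64 / quoted-printable encoding
        if isinstance(body, bytes):  # e.g. .html sent as application/octet-stream
            body = body.decode("utf-8", "replace")
        redirect = bool(REDIRECT.search(body))
        verdict = "quarantine" if lure and redirect else "review" if redirect else "allow"
        findings.append({"file": name, "lure": lure, "redirect": redirect,
                         "urls": URL.findall(body), "verdict": verdict})
    return findings

def build_sample(subject: str, html: str) -> str:
    """Constructed test message; addresses and URLs are placeholders."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, "pbx@example.test", "user@example.test"
    m.set_content("Open the attachment to listen to your message.")
    m.add_attachment(html, subtype="html", filename="VM_Message.htm")
    return m.as_string()

SUSPECT = build_sample(
    "New Voicemail from caller",
    '<html><head><meta http-equiv="refresh" '
    'content="0; url=https://login.example.test/o365"></head></html>')
BENIGN = build_sample("Quarterly report", "<html><body><h1>Q3 summary</h1></body></html>")
```

The extracted URLs are the values to hand to a sandbox or blocklist lookup; a redirect without a lure subject is marked for review rather than quarantined because legitimate HTML attachments occasionally redirect too.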
Interestingly, Zscaler found that one of these campaigns used Google’s reCAPTCHA to prevent web crawlers from accessing the site and flagging it as malicious.
The researchers also observed a campaign that spoofed Cisco’s Unity Connection voicemail portal using the domain “secure[.]ciscovoicemail[.]cf.” When the user clicks to listen to their voicemail, they’re taken to a page that asks them to select their email provider from a list of options: Office 365, Mimecast, Outlook, Gmail, Yahoo, and “Others.” Clicking on any of these options takes the user to a phishing page that spoofs the login page of the service they selected. Choosing “Others” presents the user with a generic login portal.
Zscaler concludes that users should follow security best practices in order to avoid falling for these attacks.
“This threat actor leverages well-crafted social engineering techniques and combines them with evasion tactics designed to bypass automated URL analysis solutions to achieve better success in reaching users and stealing their credentials,” the researchers write. “As an extra precaution, users should not open attachments in emails sent from untrusted or unknown sources. As a best practice, in general, users should verify the URL in the address bar of the browser before entering any credentials.”
It’s also worth noting that voicemail-themed phishing campaigns aren’t new, but the fact that they’re growing more common means this tactic is still effective. If a user knows that attackers frequently use fake voicemail notifications as phishbait, they can recognize these attacks immediately. New-school security awareness training can help your employees stay up-to-date with evolving phishing trends, as well as teaching them about the fundamentals of social engineering.
Zscaler has the story.