{"id":19404,"date":"2022-06-22T02:10:03","date_gmt":"2022-06-22T10:10:03","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/06\/22\/news-13137\/"},"modified":"2022-06-22T02:10:03","modified_gmt":"2022-06-22T10:10:03","slug":"news-13137","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/06\/22\/news-13137\/","title":{"rendered":"Watch out for the email that says “You have a new voicemail!”"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Wed, 22 Jun 2022 09:24:27 +0000<\/strong><\/p>\n

A phishing campaign is using voicemail notification messages to go after victims’ Office 365 credentials.<\/p>\n

According to researchers at ZScaler<\/a>, the campaign uses spoofed emails with an HTML attachment that contains encoded javascript.<\/p>\n

The email claims that you have a new voicemail and that you can listen to the message by clicking on the attachment. To add credibility, the name of the attachment starts with a music note character like f.e. \u266b to make it look like a sound clip. In reality, it is an HTML file with obfuscated javascript embedded.<\/p>\n

The javascript uses the windows.location.replace <\/strong>method<\/a> <\/strong>to redirect the target to a specially crafted phishing page. The access to the page is behind a reCAPTCHA, probably to keep out the bots, particularly any automated URL analysis tools.<\/p>\n

Spoofed email<\/h2>\n

Email spoofing basically comes down to sending emails with a false sender address. This can be used in various ways by attackers. Obviously pretending to be someone else can have its advantages especially if that someone else holds a position of power or trust with regards to the receiver.<\/p>\n

In this campaign the threat actors use a name in the “From” field of the email aligned with the targeted organization’s name. An internal mail is more likely to be trusted by the receiver. Analysis of the email headers shows that the attacker leveraged email servers located in Japan.<\/p>\n

Targets<\/h2>\n

The final credential phishing page attempts to steal the Office 365 credentials of the users by presenting them with a fake login screen. The redirection URL includes the target\u2019s email address in base64 encoded, likely so the attackers will be able to match the victim and their login credentials.<\/p>\n

The researchers found the campaign targeting organizations in the US military, security software developers and providers, healthcare and pharmaceutical, and supply-chain organizations in manufacturing and shipping.<\/p>\n

How to avoid being phished<\/h2>\n