Criminals are targeting people in US military and tech organizations with so-called "vishing", where supposed links to voicemail dupe victims into revealing credentials for Microsoft Office 365 software and Outlook email accounts.
According to US security firm Zscaler, there has been a resurgence in vishing since May that's targeting employees in software security, US military, security solution providers, healthcare and pharmaceutical, and the manufacturing supply chain.
Attackers are sending emails styled as voicemail notifications that tell recipients of a missed voicemail and prompt them to open an attachment from the web.
Many people don't check voicemail, but voice messages on WhatsApp and LinkedIn have been a thing for several years, so it can be an effective way to trick users into clicking a link in an email.
Of course, there is no actual voicemail after clicking the link, which instead leads the target to a credential phishing web page hosted on servers located in Japan.
The attack even uses a CAPTCHA as part of the ruse. The same technique was used in a campaign Zscaler observed in 2020.
While solving a CAPTCHA test usually leads to a site the user intended to visit, this one leads to the phishing page.
"Once the user solves the Captcha successfully, they will be redirected to the final credential phishing page which attempts to steal the Office 365 credentials of the user," notes Singh.
Voicemail phishing works because victims still tend to click on email attachments.
"Voicemail-themed phishing campaigns continue to be a successful social engineering technique for attackers since they are able to lure the victims to open the email attachments. This combined with the usage of evasion tactics to bypass automated URL analysis solutions helps the threat actor achieve better success in stealing the users' credentials," says Singh.
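The lure described above (a missed-voicemail notification, an attachment the recipient is urged to open, and a link out to a third-party host) can be triaged at the mail gateway before any user clicks. The following Python is an added example, not code from Zscaler or from the article; the phrase list, the `example.org` internal domain, and both sample messages are constructed assumptions for illustration.

```python
"""Heuristic triage for voicemail-themed phishing emails.

Added example, not part of the original article. It scores constructed
sample messages on the traits the article describes: missed-voicemail
wording in the subject or body, an HTML attachment the reader is told to
open, and a link whose host lies outside the organisation's own domains.
The pattern list, domains and threshold are assumptions, not Zscaler's.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Phrases typical of voicemail lures (assumed list, not from the article).
LURE_PATTERNS = [
    r"\bvoice\s*mail\b", r"\bmissed\s+call\b",
    r"\bnew\s+voice\s+message\b", r"\bplay\s+message\b",
]
INTERNAL_DOMAINS = {"example.org"}          # constructed: the defender's own domains
ATTACHMENT_RISKY_EXT = (".html", ".htm", ".shtml")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _text_parts(msg: Message):
    """Yield decoded text of body parts that are not attachments."""
    for part in msg.walk():
        if part.get_content_maintype() == "text" and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def _attachment_names(msg: Message):
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def _is_internal(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def triage(raw: str) -> dict:
    """Return a verdict for one raw RFC 822 message: one reason per matched trait."""
    msg = message_from_string(raw)
    reasons = []
    subject = msg.get("Subject", "")
    body = " ".join(_text_parts(msg))
    haystack = f"{subject}\n{body}".lower()
    if any(re.search(p, haystack) for p in LURE_PATTERNS):
        reasons.append("voicemail lure wording")
    risky = [a for a in _attachment_names(msg) if a.lower().endswith(ATTACHMENT_RISKY_EXT)]
    if risky:
        reasons.append("HTML attachment: " + ", ".join(risky))
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
    external = sorted(h for h in hosts if h and not _is_internal(h))
    if external:
        reasons.append("external link: " + ", ".join(external))
    # Two or more traits together is the assumed threshold for quarantine.
    return {"subject": subject, "score": len(reasons), "reasons": reasons,
            "suspicious": len(reasons) >= 2}


# Constructed sample: a voicemail lure with an HTML attachment and an off-domain link.
PHISH = """\
From: "Voice Portal" <vm-noreply@mail-services.example.net>
To: analyst@example.org
Subject: New Voicemail Received (0:32)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

You have a missed voicemail. Open the attached file to listen:
https://vm-player.example.net/play?id=1234
--b1
Content-Type: text/html; name="Voicemail-0032.html"
Content-Disposition: attachment; filename="Voicemail-0032.html"

<html><body>placeholder</body></html>
--b1--
"""

# Constructed control: an ordinary internal message with an internal link.
BENIGN = """\
From: alice@example.org
To: analyst@example.org
Subject: Notes from today's sync
Content-Type: text/plain; charset="utf-8"

Slides are on the wiki: https://wiki.example.org/sync-notes
"""

if __name__ == "__main__":
    for raw in (PHISH, BENIGN):
        print(triage(raw))
```

Scoring on the combination of traits, rather than on the word "voicemail" alone, keeps genuine voicemail-to-email notifications from an internal PBX from being quarantined, while the external-host check still fires on the hosted phishing page the article describes regardless of what the CAPTCHA step in front of it looks like.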