Microsoft 365 and Outlook customers in the United States are in the crosshairs of an ongoing credential theft campaign that uses voicemail-themed emails as phishing lures. The stream of malicious emails driving the threat is emblematic of the broader problem of securing Microsoft 365 environments, researchers say.
According to an analysis by Zscaler’s ThreatLabz, a highly targeted campaign has been under way since May, aimed at specific verticals including software security, the US military, security solutions providers, healthcare and pharmaceutical products, and the manufacturing supply chain.
The campaign has succeeded in compromising large numbers of credentials that can be used for a range of cybercrime endgames. These include taking over accounts to access documents and steal information, eavesdropping on correspondence, sending convincing business email compromise (BEC) emails, implanting malware, and moving deeper into the corporate network. The user ID / password combinations can also be added to credential lists in the hope that victims have made the mistake of reusing passwords for other types of accounts (such as online banking).
“Microsoft 365 accounts are often a treasure trove of data that can be downloaded en masse,” says Robin Bell, CISO at Egress. “Furthermore, hackers can use compromised Microsoft 365 accounts to send phishing emails to the victim’s contacts, maximizing the effectiveness of their attacks.”
Voicemail Phishing Attack Chain
From a technical perspective, the attacks follow a classic phishing flow – with a few quirks that make them more successful.
The attacks start with notifications of supposedly missed voicemail messages, sent via email with HTML attachments.
HTML attachments often get past email gateway filters because they are not malicious in themselves. Nor do they tend to raise red flags for users in a voicemail notification setting, since this is how legitimate Office notifications are delivered. To increase the odds of success, the “From” fields in the emails are crafted specifically to match the name of the targeted organization, according to a recent Zscaler blog post.
“For example, when a person in Zscaler was targeted, the URL used the following format: zscaler.zscaler.briccorp[.]com /
But before the target can access the site, a Google reCAPTCHA check appears – an increasingly popular technique for evading automated URL analysis tools.
CAPTCHAs are familiar to most Internet users as the challenges used to confirm that they are human. The Turing-test-like puzzles usually involve clicking on all images in a grid that contain a specific object, or typing a word presented as blurred or distorted text. The idea is to weed out bots on e-commerce and online account sites – and they serve the same purpose for crooks.
Once the targets have solved the CAPTCHA, they are sent on to the phishing page, where they are asked to enter their Microsoft 365 credentials – which, of course, are immediately captured by the attackers at the other end of the URL.
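The lure traits described above (a “From” display name matching the target organization on mail from an external domain, a voicemail-themed subject, an HTML attachment, and a login URL that places the target’s brand as a subdomain of an unrelated domain) can be turned into mail-gateway detection logic. The following is an added example, not code from the article or from Zscaler; the organisation names, domains, and the sample message are constructed placeholders.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample lure (not from the article or Zscaler's report): voicemail-themed mail
# with an HTML attachment redirecting to a host that carries the target's brand as a subdomain.
RAW_MSG = b"""From: "Example Corp Voicemail" <no-reply@lookalike-host.example>
To: alice@example-corp.example
Subject: New voicemail message (00:42)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have a new voicemail. Open the attached file to listen.
--b1
Content-Type: text/html; name="voicemail.html"
Content-Disposition: attachment; filename="voicemail.html"

<html><body><script>window.location = "https://example-corp.example-corp.lookalike-host.example/login";</script></body></html>
--b1--
"""

ORG_NAME = "example corp"               # display-name text an impersonator would spoof (placeholder)
ORG_DOMAINS = {"example-corp.example"}  # the organisation's own mail/web domains (placeholder)
BRAND_TOKENS = {"example-corp", "examplecorp"}

def registrable_domain(host: str) -> str:
    # Last two labels of a hostname; simplification that ignores multi-label public suffixes.
    return ".".join(host.lower().split(".")[-2:])

def score_message(raw: bytes) -> dict:
    # Collect the lure indicators present in one message; two or more mark it suspicious.
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    display_name, addr = parseaddr(msg["From"] or "")
    sender_domain = addr.rpartition("@")[2].lower()
    if ORG_NAME in display_name.lower() and sender_domain not in ORG_DOMAINS:
        findings.append("From display name matches org but sender domain is external")
    if re.search(r"voice ?mail|missed call", msg["Subject"] or "", re.I):
        findings.append("voicemail-themed subject")
    for part in msg.iter_attachments():
        if part.get_content_type() == "text/html":
            findings.append(f"HTML attachment: {part.get_filename()}")
            for url in re.findall(r"https?://[^\s\"'<>]+", part.get_content()):
                host = urlparse(url).hostname or ""
                if any(t in host for t in BRAND_TOKENS) and registrable_domain(host) not in ORG_DOMAINS:
                    findings.append(f"brand used as subdomain of unrelated domain: {host}")
    return {"suspicious": len(findings) >= 2, "findings": findings}
```

Run `score_message(RAW_MSG)` to see all four indicators fire on the constructed sample; in production the brand and domain lists would come from the organisation's own inventory.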
“When the person is faced with a login prompt that resembles a typical O365 login, the person is likely to feel comfortable entering their information without looking at the browser’s URL bar to make sure they are on the correct login website,” Erich Kron, security awareness advocate with KnowBe4, tells Dark Reading. “This familiarity and the high odds that an intended victim regularly uses O365 for something in their work day make this a good lure for attackers.”
Using voicemail as a lure is not a new technique – but it remains effective. The current campaign is in fact a resurgence of activity first seen in July 2020, the researchers noted, given the significant overlap in tactics, techniques and procedures (TTPs) between the two phishing waves.
“These attacks target human nature and manipulate their victims using techniques that play on our psychology,” Egress’ Bell told Dark Reading. “That’s why, despite investing in security awareness training, many organizations are still falling victim to phishing. In addition to this, threat actors are making more and more sophisticated, very compelling attacks that many people simply cannot distinguish from the ‘real thing’. This is exacerbated by the increasing use of mobile devices, as users often cannot see details like the sender’s real information.”
Microsoft 365 continues to be a popular target
The cloud version of Microsoft’s productivity suite, formerly known as Office 365 or O365 and since renamed Microsoft 365 by the company, is used by more than 1 million companies and more than 250 million users. As such, it acts as a siren song for cybercriminals.
According to a 2022 Egress report, “Fighting Phishing: The IT Leader’s View”, 85% of organizations using Microsoft 365 reported being victims of phishing in the last 12 months, with 40% of organizations becoming victims of identity theft.
“Microsoft O365 and Outlook are used by an estimated 1 million companies, so there’s a good chance that their victim, and the victim’s organization, are using these services,” Bell said. “With such a large number of accounts, hackers have a better chance of reaching targets with a low level of technical awareness that are more likely to fall for an attack.”
Microsoft 365 phishes are also popular attack vectors because they blend into normal everyday activities, Kron notes.
“We spend much of our working day in an almost autopilot mode, where we perform repetitive tasks almost automatically for as long as the tasks are expected,” he explains. “It is only when something unexpected occurs that people tend to notice and apply critical thinking. For many of us, the act of logging in to an O365 portal is not unusual enough to arouse our suspicion. Sometimes, when people log in to these fake portals, the software for stealing credentials invisibly forwards the information to the legitimate login portal, resulting in a successful login, and the victim is never aware that they were tricked.”
How CISOs can defend themselves against social engineering
There are significant challenges for CISOs in shutting down this type of threat vector, researchers say, mainly because human nature cannot be patched. That said, user training that encourages employees to perform basic checks, such as verifying the URL before logging in, can go a long way.
“We have to face the fact that social engineering attacks, which include phishing, vishing and smishing, are here to stay,” Kron said. “Phishing has been widespread almost since email began, and the damage and losses are simply too high to ignore while hoping for the best. CISOs need to understand these risks, and employees need to understand that in our modern world, where everyone uses computers and processes information in one way or another, cybersecurity is part of everyone’s job and will be for the foreseeable future.”
In addition to this basic best practice, CISOs should also take back-end technological steps to compensate for the mistakes people will inevitably make. And this should go beyond standard secure email gateway filters, according to Bell.
“To really reduce risk, organizations need the right technology,” she advises. “CISOs need to evaluate their security stack and ensure that they expand their email platforms with additional layers of protection to ensure their people and data are protected. Technology should work with employees to help them identify even the most sophisticated attacks and ensure that credentials and e-mail accounts cannot be compromised by threat actors.”
Kron recommends a sensible defensive approach that combines both technology and training.
“For CISOs that do not recognize this and try to counter these attacks with purely technical tools, the chances of success are quite low,” he says. “For CISOs who understand that these attacks exploit human vulnerabilities and implement a mix of technical controls as well as tackle the human problem through education and training, the results are often much better.”