Microsoft 365 and Outlook customers in the US are in the crosshairs of a successful credential-stealing campaign that uses voicemail-themed emails as phishing lures. The flood of malicious emails anchoring the threat is emblematic of the larger problem of securing Microsoft 365 environments, researchers say.

According to an analysis from Zscaler's ThreatLabz, a highly targeted offensive has been ongoing since May, aiming at specific verticals, including software security, the US military, security-solution providers, healthcare/pharmaceuticals, and the manufacturing supply chain.

The campaign has been successful in compromising swaths of credentials, which can be used for a variety of cybercrime endgames. These include taking over accounts in order to access documents and steal information, eavesdropping on correspondence, sending believable business email compromise (BEC) emails, implanting malware, and burrowing deeper into corporate networks. The user ID/password combos can also be added to credential-stuffing lists in hopes that victims have made the mistake of reusing passwords for other types of accounts (such as online banking).

"Microsoft 365 accounts are often a treasure trove of data, which can be downloaded en masse," says Robin Bell, CISO of Egress. "Furthermore, hackers can use compromised Microsoft 365 accounts to send phishing emails to the victim’s contacts, maximizing the effectiveness of their attacks.”

Voicemail Phishing Attack Chain

From a technical perspective, the attacks follow a classic phishing flow — with a couple of quirks that make them more successful.

The attacks start out with purported missed-voicemail notifications being sent via email, which contain HTML attachments.

HTML attachments often get past email gateway filters because they aren't in and of themselves malicious. They also don't tend to raise red flags for users in a voicemail notification setting, since that's how legitimate Office notifications are sent. And for added verisimilitude, the "From" fields in the emails are crafted specifically to align with the targeted organization's name, according to a recent Zscaler blog post.

If a target clicks on the attachment, JavaScript code will redirect the victim to an attacker-controlled credential-harvesting website. Each of these URLs are custom-created to match the targeted company, according to the researchers.

"For instance, when an individual in Zscaler was targeted, the URL used the following format: zscaler.zscaler.briccorp[.]com/<base64_encoded_email>," they noted in the blog post, which detailed the attacks. "It is important to note that if the URL does not contain the base64-encoded email at the end; it instead redirects the user to the Wikipedia page of MS Office or to office.com."

Before the mark can access the page however, a Google reCAPTCHA check pops up — an increasingly popular technique for evading automated URL analysis tools.

CAPTCHAs are familiar to most Internet users as the challenges that are used to confirm that they're human. The Turing test-ish puzzles usually involve clicking all photos in a grid that contain a certain object, or typing in a word presented as blurred or distorted text. The idea is to weed out bots on e-commerce and online account sites — and they serve the same purpose for crooks.

Once the targets solve the CAPTCHAs successfully, they're sent onto the phishing page, where they're asked to enter their Microsoft 365 credentials — which, of course, are promptly captured by the bad guys on the other end of the URL.

"When faced with a login prompt that looks like a typical O365 login, the person is likely to feel comfortable entering their information without looking at the browser's URL bar to ensure they are at the real login website," Erich Kron, security awareness advocate with KnowBe4, tells Dark Reading. "This familiarity, and the high odds that an intended victim regularly uses O365 for something in their workday, makes this a great lure for attackers."

Using voicemail as a lure isn't a new technique — but it's a successful one. The current campaign is actually a resurgence of earlier activity seen in July 2020, the researchers noted, given significant overlap in the tactics, techniques, and procedures (TTPs) between the two phishing waves.

"These attacks target human nature, manipulating their victims using techniques that play on our psychology," Egress' Bell tells Dark Reading. "That's why, despite investing in security awareness training, many organizations still fall victim to phishing. In addition to this, threat actors are crafting increasingly sophisticated, highly convincing attacks that many people simply can’t distinguish from the 'real thing.' This is exacerbated by the increasing use of mobile devices, as users often can’t see details like the sender’s real information."

Microsoft 365 Continues to Be a Popular Target

The cloud version of Microsoft's productivity suite, formerly known as Office365 or O365 and renamed Microsoft 365 by the company, is used by more than 1 million companies and more than 250 million users. As such, it acts as a siren song to cybercrooks.

According to a 2022 Egress report, "Fighting Phishing: The IT Leader’s View," 85% of organizations using Microsoft 365 reported being victims of phishing during the last 12 months, with 40% of organizations falling victim to credential theft.

"Microsoft O365 and Outlook are used by an estimated 1 million companies, so there’s a good chance that their victim, and the victim's organization, use these services," Bell says. "With such a high volume of accounts, the hackers have a better chance of reaching targets with a low level of tech awareness, who are more likely to fall for an attack."

Microsoft 365 phishes also are popular attack vectors because the blend in with normal workday activities, Kron notes.

"We spend a lot of our workday in a near autopilot mode, doing repeated tasks almost automatically, as long as the tasks are expected," he explains. "It’s only when something unexpected occurs that people tend to take notice and apply critical thinking. For many of us, the action of logging in to an O365 portal is not unusual enough to raise our suspicions. Many times, when people log in to these fake portals, the credential stealing software invisibly forwards the information to the legitimate login portal resulting in a successful login, and the victim is never aware that they were tricked.”

How CISOs Can Defend Against Social Engineering

There are significant challenges for CISOs in shutting down this type of threat vector, researchers say, mainly due to the fact that it's impossible to patch human nature. That said, user training to encourage employees to perform basic protections, like checking the URL before logging in, can go a long way.

"We have to face the fact that social-engineering attacks, which include phishing, vishing, and smishing, are here to stay," says Kron. "Phishing has been prevalent almost since email began, and the damage done and losses sustained are simply too high to ignore, while hoping for the best. CISOs need to understand these risks, and employees need to understand that in our modern world where everyone uses computers and processes information in some way, cybersecurity is a part of everyone’s job, and will be for the foreseeable future.”

Beyond this basic best practice, CISOs should also take back-end technology steps to fill in for when people make mistakes, as they inevitably will. And this should go beyond standard secure email gateway filters, according to Bell.

"To truly mitigate the risk, organizations need the right technology," he advises. "CISOs need to evaluate their security stack, ensuring that they are augmenting their email platforms with additional layers of protection to ensure that their people and data are protected. Technology should partner with employees to help them to identify even the most sophisticated attacks, ensuring that credentials and email accounts cannot be compromised by threat actors.”

Kron recommends a commonsense defense approach that combines both technology and training.

"For CISOs that do not recognize this and attempt to counter these attacks with purely technical tools, the odds of success are quite low," he says. "For CISOs that understand that these attacks are exploiting human vulnerabilities and deploy a mix of technical controls as well as tackling the human issue through education and training, the results are often much better."