

In an interesting twist on traditional phishing campaigns, hackers are using fake voicemails in an effort to trick users into handing over their Office 365 credentials.
First spotted and publicized Wednesday by security researchers at McAfee LLC, the phishing campaign starts with targets, usually mid- or high-level managers, receiving a legitimate-looking email saying that they have received a voice message. The email includes information such as caller ID, date, call duration, organization name and a reference number, making the email look even more legitimate.
Users are then encouraged to click on an attachment that takes them to a phishing site, which tells them that Microsoft is fetching the email and asks them to log in to access it. The surprise twist is that at this point, the phishing site plays a short audio recording of the alleged voicemail, which sounds like a legitimate voicemail, as a way to trick users into attempting to log in.
“What sets this phishing campaign apart from others is the fact that it incorporates audio to create a sense of urgency which, in turn, prompts victims to access the malicious link,” the researchers wrote. “This gives the attacker the upper hand in the social engineering side of this campaign.”
The researchers further found that those behind the phishing campaign were using three different kits that can be purchased on the dark web, a shady part of the internet reachable with special software. Those targeted in the campaign ranged across 15 industries, with targets in service, financial, IT services and retail leading the list.
“In light of the discovered Office 365 phishing attacks that are targeting enterprise executives, it is critical for organizations to address human error so that employees are prepared to thwart these attacks,” Michael Madon, senior vice president and general manager of security awareness at email cloud security firm Mimecast Services Ltd., told SiliconANGLE today. “It is not a matter of if, but when, businesses will be hit.”
These business email compromise attacks are on the rise, especially those accompanied by deepfake audio, which uses AI to trick companies into negative action such as sending money to a fraudulent account, Madon explained.
“To prevent becoming the next victim, organizations should implement employee training programs so that when their email systems are targeted by fake voicemail inbounds, they are prepared,” he advised. “Employees should be hyper-aware of the potential risks of audio attachments from illegitimate domains, alerting security departments and avoiding clicking on links when received.”