A new phishing campaign targeting the U.S. military, security software, manufacturing supply chain, healthcare and pharmaceutical sectors has been stealing Microsoft Office 365 and Outlook credentials.

The threat actor behind this operation uses fake voicemail notifications to lure victims into opening a malicious HTML attachment.

As per researchers at cloud security firm ZScaler, this newly discovered campaign shares tactics, techniques, and procedures (TTPs) with a similar operation that came out in mid-2020.

The cybercriminals use Japanese email services to route their messages and spoof the sender’s address, making them appear legitimate.

The email has an HTML attachment that is named with a music note character to make it seem as if the file is a sound clip. In reality, the file contains obfuscated JavaScript code that leads the victim to a phishing site.

The redirection process initially leads the victim to a CAPTCHA check, which increases the illusion of legitimacy for the victims. Once the user finishes this step, they are redirected to a legitimate-looking phishing page that steals Microsoft Office 365 credentials.

Vigilant users would notice that the domain of the login page is not from Microsoft nor their organization’s and is one of the following:

  • briccorp[.]com
  • bajafulfillrnent[.]com
  • bpirninerals[.]com
  • lovitafood-tw[.]com
  • dorrngroup[.]com
  • lacotechs[.]com
  • brenthavenhg[.]com
  • spasfetech[.]com
  • mordematx[.]com
  • antarnex[.]com

Hence, users should always check and confirm that they are on a real login portal and not a phony one before they begin to enter their credentials

Voicemail-themed phishing via HTML attachments has been used since 2019, but it still manages to victimize careless users.