How to Protect Yourself From New Office 365 Voicemail Phishing Scams

Nowadays, there’s hardly a useful online service or platform that malicious actors have not tried to exploit for scamming purposes. Case in point: the wave of Office 365 voicemail scams.

Office 365 is a handy platform that gives its users access to traditional MS Office applications such as Word, Excel, PowerPoint, etc. It is a polished service, very convenient and well put together, which is why it is quite popular among businesses and working professionals. This popularity is presumably why hackers have used it as bait for malicious attacks.

In this particular case, the hackers used Office 365’s popularity and good standing with the general user to launch a rather efficient phishing campaign. Reports from users and IT security specialists documented suspicious emails that purported to originate from Office 365, but were in fact fake. The emails claimed that the user had missed a phone call and helpfully provided a link to what appeared to be a voicemail file. This link, however, does not take the user anywhere remotely safe: if clicked, it leads to a fake page asking the user to log in to Office 365. Once the user does so, the page captures the credentials the user has just entered and sends them to the phishing attack’s author, while the user is redirected to the actual Office 365.

While not foolproof, the system is rather well thought out and polished, as far as phishing attacks go. According to IT specialists who researched this particular campaign of malicious attacks, three different phishing kits were used to conduct the Office 365 voicemail scams: Voicemail Scmpage 2019, Office 365 Information Hollar, and a third, as yet unnamed one. These kits allowed the malicious actors to harvest various details from tricked users, such as email and password, but also IP address and location.

Now, someone who’s in the know about IT security would probably never fall victim to such an attack. Observing basic diligence and vigilance is enough to protect a user from such attempts, and if you know what to look for, keeping yourself safe from similar attempts becomes trivial. Here’s what you need to do in order to stay safe:

How to Protect Yourself From the new Office 365 Voicemail Phishing Scam

  1. Always be suspicious of unsolicited emails. If you don’t know an email’s source, you should treat it with caution, even though it may at first glance appear legitimate or important.
  2. Always check the source of the email. Scammers may be good, but they have their limitations, and one of the things they can’t do is send an email from the official mail address of the company they are impersonating. A suspicious source for an email is a dead giveaway that it’s a hoax.
  3. Be wary of suspicious attachments. This is another glaring red flag: obfuscated links, or those that do not lead directly to the main page of the entity that has apparently sent you the email, are probably the hook of a cyber-attack.
  4. Use common sense. Most companies are not in the habit of sending unsolicited emails to their users. Think about the context of what you’re being fed: why would Office 365, of all people, have a voicemail for you? That doesn’t really make much sense when you think about it. And why would you need to re-enter your account details? Additionally, while some malicious actors may try to bait victims with sophisticated-looking emails, there are limitations to how much they can polish that bait. As a result, their emails stick out like a sore thumb because of their generic “dear user” or “dear customer” beginning. Remember, the company in question already has your account information, so it would have used the name you’ve given it in its correspondence.
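
The four checks above can also be run mechanically over a raw message before anyone clicks anything. The following is an added example, not code from the original article or from any vendor: the trusted-domain list, the flag names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains accepted as genuine for Microsoft sign-in mail.
TRUSTED_DOMAINS = {"microsoft.com", "office.com", "microsoftonline.com"}
BRAND = re.compile(r"office\s?365|microsoft", re.I)
GENERIC_GREETING = re.compile(r"\bdear\s+(user|customer)\b", re.I)
LURE = re.compile(r"\b(voice\s?mail|missed (a )?call)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_trusted(host):
    # Exact match or true subdomain only, so "office.com.evil.example" fails.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def triage(raw):
    """Return the red flags (hypothetical names) found in a raw email."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "\n".join(p.get_payload() for p in parts
                     if p.get_content_maintype() == "text")
    flags = []
    # Tip 2: mail that claims to be Office 365 but comes from another domain.
    if BRAND.search(display + " " + subject) and not is_trusted(addr.rpartition("@")[2]):
        flags.append("sender-domain-mismatch")
    # Tip 3: any link that does not lead to the supposed sender's own site.
    if any(not is_trusted(urlparse(u).hostname) for u in URL.findall(body)):
        flags.append("link-off-domain")
    # Tip 4: generic greeting and the implausible voicemail pretext.
    if GENERIC_GREETING.search(body):
        flags.append("generic-greeting")
    if LURE.search(subject + " " + body):
        flags.append("voicemail-lure")
    return flags

# Constructed sample messages; every address and URL is a placeholder.
SAMPLE_PHISH = ('From: "Office 365 Voicemail" <notify@mail-alerts.example>\n'
                "Subject: You have a missed call\n\n"
                "Dear user,\nListen to your voicemail: "
                "https://login.voicebox.example/o365/signin\n")
SAMPLE_OK = ('From: "Dana" <dana@corp.example>\nSubject: Lunch\n\n'
             "Hi Sam, the doc is at https://www.office.com/ as usual.\n")

if __name__ == "__main__":
    print(triage(SAMPLE_PHISH), triage(SAMPLE_OK))
```

An empty result only means none of these four signs were present; it does not mean the message is genuine.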
December 12, 2019
