Office 365 Users Receive Phishing Emails That Alert About Allegedly Missed Voicemail


A message claiming that you have a missed voicemail could be intriguing, and you may want to check it out immediately, but there is a reason why you should not rush into it. Cybersecurity specialists warn about an increasing number of Office 365 phishing campaigns. The latest one is a voicemail attack. The scammers behind it email their targeted victims, telling them they have a missed voicemail message that they can listen to or download by clicking a provided button. Unfortunately, the button takes users to a fake website that looks like a legit website and asks for sensitive information. If you do not want to get tricked into revealing your sensitive data, we advise reading our full blog post to learn how this voicemail attack works and how to protect yourself against it. Naturally, if you have any questions about the scam, we encourage you to use our comments section.

What should you know about the latest Office 365 phishing campaign?

Cybersecurity specialists at Check Point Research say that victims targeted by the voicemail attack receive emails that say they have missed voice messages. These emails also contain a button that, if clicked, leads to a website that looks exactly like the Office 365 sign-in page. If a user types in his login name and password, the information gets recorded and ends up in the hands of cybercriminals.

Researchers say that normally the link to the fake sign-in page would get detected by email providers' anti-phishing tools. However, scammers behind the voicemail attacks seem to be using legit domains to make it seem like the link in the email will redirect a user to a legit website. Unfortunately, the phishing email's link performs two redirections: first to some legit domain and then to the fake Office 365 sign-in page. What’s more, scammers behind these voicemail attacks also managed to trick anti-phishing tools by sending their phishing messages from the email server belonging to the University of Oxford. Thus, they made it look like the scam email came from a reputable sender and contained a link to a legit website.
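A defender-side check for the two-hop redirect described above, added here as an illustration and not taken from Check Point Research or the original article: it judges a link by the last URL of a recorded redirect chain rather than by the first. The trusted host list, the keyword hints and the example.* URLs are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Assumption: hosts this organization accepts as genuine Office 365 sign-in endpoints.
TRUSTED_SIGNIN_HOSTS = {"login.microsoftonline.com"}
# Assumption: substrings suggesting the landing page is a sign-in page.
SIGNIN_HINTS = ("login", "signin", "sign-in", "office365", "o365")


def host_of(url):
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def assess_chain(chain):
    """Judge a link by where its recorded redirect chain ends, not where it starts."""
    if not chain:
        raise ValueError("empty redirect chain")
    hosts = [host_of(u) for u in chain]
    reasons = []
    # Each host change is a hop that a check of the first URL alone never sees.
    hops = sum(1 for a, b in zip(hosts, hosts[1:]) if a != b)
    if hops:
        reasons.append(f"{hops} cross-host redirect(s): {' -> '.join(hosts)}")
    looks_like_signin = any(h in chain[-1].lower() for h in SIGNIN_HINTS)
    suspicious = looks_like_signin and hosts[-1] not in TRUSTED_SIGNIN_HOSTS
    if suspicious:
        reasons.append(f"sign-in page served from untrusted host {hosts[-1]}")
    if urlsplit(chain[-1]).scheme != "https":
        reasons.append("landing page is not HTTPS")
    return {"first_host": hosts[0], "final_host": hosts[-1],
            "suspicious": suspicious, "reasons": reasons}


# Constructed sample chains (placeholder names, not real indicators).
PHISH_CHAIN = [
    "https://reputable-site.example/redirect?id=123",
    "https://another-legit.example/out?u=abc",
    "https://voicemail-portal.example/office365/signin.html",
]
GENUINE_CHAIN = [
    "https://reputable-site.example/sso",
    "https://login.microsoftonline.com/common/oauth2/authorize",
]

if __name__ == "__main__":
    for name, chain in (("phish", PHISH_CHAIN), ("genuine", GENUINE_CHAIN)):
        print(name, assess_chain(chain))
```

The chain itself would come from a mail gateway, proxy log or sandbox that records each hop; this sketch only scores a chain that has already been captured.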

How to guard yourself against the Office 365 voicemail attacks?

This Office 365 phishing campaign might be able to trick your email provider's anti-phishing tools, but it might not be able to deceive you if you take a few extra precautions.

First, you should be cautious whenever you receive links that lead to sign-in pages. Creating an exact copy of a reputable website's login page or homepage is not rocket science. Thus, even if you receive a link to a sign-in page that appears to be legit, we advise visiting the site independently. That is, if you are familiar with the website and know its URL, you should type it into your browser’s address bar instead of using the link that you received via email. If you do not know the correct URL, you can look it up on the Internet. Just be cautious while doing so. Always make sure that the websites you visit are using HTTPS and not HTTP and that there is an image of a locked padlock near the website’s URL in the browser’s address bar.

Next, you should ensure that your account will be safe even if you make a mistake. To do so, we advise enabling Two-Factor Authentication for your Office 365 account. If it is enabled, hackers should not be able to access your account with the login credentials alone. This should also give you time to change your compromised password, which you should do even if you use Two-Factor Authentication since this feature is not invincible and could be bypassed. It is best if you replace your old password with an entirely new combination. In other words, the old and new passwords should not share any similarities. Also, specialists recommend thinking of a combination of at least 10 to 12 characters that should include not only lower-case and upper-case letters but also symbols and numbers. If you do not think you could come up with such a complex combination yourself and memorize it, we recommend employing a dedicated password manager like Cyclonis Password Manager that generates unique and strong passwords and also keeps them safe in an encrypted vault.

Furthermore, if you want to avoid falling victim to a phishing scam or any cyber attack, you must keep your software up to date and use antimalware tools. As for organizations that use Office 365 services or other popular tools, we recommend educating their employees about phishing scams so they know how to recognize them. Employees also need to know what to do if they get tricked by hackers, because if they take the required precautions, they might remove or at least lessen the possible consequences. A successful phishing attack could allow hackers to breach a company’s system and, for example, access sensitive information about its clients and partners, as well as other sensitive data. Thus, companies should always be prepared for such incidents. Besides educating employees, we recommend employing security tools to detect malicious content in emails and antimalware tools that would guard the company’s computers against malware.

All in all, using popular tools and services like Office 365 is always risky because hackers are drawn to large numbers of users. Of course, this should not stop you from using your favorite software and services. Instead, you should learn how to protect yourself and what kind of attacks you should expect.

By Foley
December 11, 2020