This Phishing Scam Threatens to Hijack Microsoft 365 Accounts Using Fake Voicemails

Microsoft 365 had over 155 million business users in 2018, and with its popularity continuously growing, it is no wonder that hackers find it worth their while to attack users of such services. According to specialists from McAfee Labs, who discovered a phishing scam aimed at Microsoft 365 users, hackers are using fake voicemail notifications to trick their victims into revealing their Microsoft 365 login credentials. It is not the first time that cybercriminals have used voicemail services to attack users. Not so long ago, hackers tried to take over the accounts of WhatsApp users who had left the default passwords on their voicemail services. This time the scenario is a bit different, as the hackers do not need access to your voicemail at all. If you read our full article, you can learn more about how this scam works and how to secure a Microsoft 365 account so that cybercriminals would have a hard time hacking it.

How does the voicemail scam work?

A targeted user receives a phishing email saying that they have missed a phone call from a particular phone number. The email might not seem suspicious at all unless you review it carefully: it carries the Microsoft logo as well as details about a missed call. What might seem odd is a note saying: “This is an automated message and need immediate attention please do not reply.” It not only contains grammatical mistakes but also urges the user to act, which should always raise a red flag. How can an automated system know that the message is important or that it needs your immediate attention?

If a user falls for the lie and opens the HTML file attached to the phishing email, they are redirected to a phishing website. The text on the fake voicemail site reads: “Please wait while Microsoft fetch your voice message from server.” Soon enough, the victim hears part of a fake voicemail recorded by the scammers. Of course, to listen to the full recording, users are asked to log into their Microsoft 365 account, so the phishing website then redirects victims to a fake login page that copies Microsoft’s design and logo. Consequently, users might think they are on the legitimate Microsoft 365 login site.

After a victim submits their Microsoft 365 login credentials, they see a message claiming that the login succeeded and are shortly afterwards redirected to the legitimate website. Thus, it might take some time to realize that there was no voicemail message and that the submitted login credentials were recorded by cybercriminals.
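A defender-side check for the lure just described, written as an added example (not code from McAfee Labs or Microsoft): it parses a raw message and reports the missed-call and voicemail wording, the urgency phrase, an attached HTML file, and Microsoft branding coming from a non-Microsoft sender. The sample messages, phone number and sender domains are constructed placeholders.

```python
"""Flag e-mails that match the fake-voicemail phishing lure (added example)."""
import email
from email import policy, utils
from email.message import EmailMessage

# Wording taken from the lure described in the post plus generic voicemail phrasing.
LURE_PHRASES = ("missed call", "voice message", "voicemail", "immediate attention")


def html_attachments(msg: EmailMessage) -> list:
    """Filenames of parts delivered as attachments that are HTML."""
    names = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or name.endswith((".htm", ".html")):
            names.append(name)
    return names


def voicemail_lure_indicators(raw: str) -> list:
    """Return the indicators found in a raw RFC 822 message (empty list = nothing matched)."""
    msg = email.message_from_string(raw, policy=policy.default)
    text = str(msg["Subject"] or "")
    body = msg.get_body(preferencelist=("plain", "html"))  # attachment parts are skipped
    if body is not None:
        text += " " + body.get_content()
    text = text.lower()
    found = [f"phrase:{p}" for p in LURE_PHRASES if p in text]
    found += [f"html-attachment:{n}" for n in html_attachments(msg)]
    # Heuristic: Microsoft branding in the text while the sender is outside microsoft.com.
    sender = utils.parseaddr(str(msg["From"] or ""))[1].lower()
    if "microsoft" in text and not sender.endswith("@microsoft.com"):
        found.append(f"brand-mismatch:{sender}")
    return found


def build_sample(lure: bool = True) -> str:
    """Constructed messages for the demo; addresses and the phone number are placeholders."""
    msg = EmailMessage()
    msg["To"] = "user@example.com"
    if lure:
        msg["From"] = "Microsoft Voicemail <notify@example.invalid>"
        msg["Subject"] = "You have a missed call from (555) 010-0000"
        msg.set_content("Microsoft 365 Voicemail\nOpen the attached file to listen.\n"
                        "This is an automated message and need immediate attention please do not reply.")
        msg.add_attachment("<html><body>Please wait while Microsoft fetch your voice message "
                           "from server.</body></html>", subtype="html", filename="voicemail.html")
    else:
        msg["From"] = "colleague@example.com"
        msg["Subject"] = "Lunch tomorrow?"
        msg.set_content("Are we still on for lunch at noon?")
    return msg.as_string()
```

Run `voicemail_lure_indicators(build_sample())` to see every indicator the lure triggers, and `build_sample(lure=False)` for a message that triggers none.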

How to secure a Microsoft 365 account?

Instead of panicking about the latest phishing scam, we advise learning how to secure Microsoft 365 accounts so that you can keep using these services without fear that your or your employees' accounts could get hacked. To do so, we recommend following the tips listed below.

Enable Two-Factor Authentication

Two-Factor Authentication is a great way to add an extra security layer to any account. After enabling it, users are asked to provide not only the account's login credentials but also a verification code received via email or phone. In that case, even if cybercriminals find out an account’s username and password, they would still be unable to log in without the required code. However, keep in mind that, like every other security measure, Two-Factor Authentication cannot guarantee absolute protection, which is why it is smartest to take as many precautions as you can.

Set up strong passwords

Even if you enable Two-Factor Authentication, it does not mean you can get away with simple, weak passwords. To make your Microsoft 365 account as secure as possible, we recommend setting a strong password. Specialists recommend using at least 10-12 characters, including lower-case and upper-case letters, numbers, and symbols. If you do not think you can come up with such a password, or you might be unable to memorize it, we advise using a dedicated tool like Cyclonis Password Manager that can take care of this for you.

Secure administrative accounts

Administrative accounts for Microsoft 365 services carry elevated privileges, which is why cybercriminals target them more often. Therefore, specialists recommend ensuring that such accounts are protected with unique passwords and Two-Factor Authentication. It is also advisable to use such accounts only when necessary and to close unneeded browser tabs before signing in to them.

Educate employees who use Microsoft 365 services

Even if you use multiple safety precautions to secure a Microsoft 365 account, it might still be hacked through human error. Companies that wish to prevent this should educate their employees about cybersecurity and the latest cyber threats. For instance, to ensure that scam emails targeting Microsoft 365 users are spotted in time, employees should be taught how to recognize phishing emails and websites. Employees should also know the programs and services they use in their work well enough to know what to expect from them and what kind of behavior or request from that software would be suspicious.

Overall, the latest scam targeted at Microsoft 365 users shows that phishing emails should not be written off yet. Sadly, scrutinizing emails is still necessary for those of us who do not want to be scammed. It is just as important to follow cybersecurity news so that you learn about such attacks in time. Hopefully, this blog post will help spread awareness of this phishing scam and help users secure their Microsoft 365 accounts against being hacked. For those who may not have learned about these phishing emails in time and may have revealed their login credentials to cybercriminals, we advise following Microsoft’s guide for compromised accounts.

December 12, 2019