This Phishing Scam Threatens to Hijack Microsoft 365 Accounts Using Fake Voicemails

Microsoft 365 had over 155 million business users in 2018, and with its popularity continuously growing, it is no wonder that hackers find it worth their while to attack users of such services. According to specialists from McAfee Labs who discovered a phishing scam targeted at Microsoft 365 users, hackers seem to be using fake voicemail messages to trick their victims into revealing their Microsoft 365 accounts’ login credentials. It is not the first time that cybercriminals employ voicemail services to attack users. Not so long ago, hackers tried to take over the accounts of WhatsApp users who used default passwords for their voicemail services. This time the scenario is a bit different as hackers do not need to access your voicemail. If you read our full article, you can learn more about how this scam works and how to secure Microsoft 365 account to make sure that cybercriminals would have a hard time hacking it.

How does the voicemail scam work?

A user that is being targeted should receive a phishing email that ought to say he has missed a phone call from a particular phone number. The email might not seem suspicious at all if you do not review the message carefully. It should contain the Microsoft logo as well as information about a missed call. What might seem odd is that the email may contain a note saying: “This is an automated message and need immediate attention please do not reply.” It not only has grammatical mistakes but also urges a user to do something, which should always raise a red flag. How can a system know that the message is important or that it needs your immediate attention?

If a user falls for the lie and opens the HTML file attached to the phishing email, he might get redirected to a phishing website. The text on the fake voicemail site ought to say: “Please wait while Microsoft fetch your voice message from server.” Soon enough, a victim might hear a part of a fake voicemail message recorded by the scammers. Of course, to listen to the full recording, users might be asked to log into their Microsoft 365 account. Therefore, the phishing website ought to redirect victims to a fake login website, which might use Microsoft’s design as well as the company’s logo. Consequently, users might think they are on a legitimate Microsoft 365 login site.

After a victim submits his Microsoft 365 login credentials, he ought to see a message claiming that he logged in successfully. Shortly after seeing it, a user ought to be redirected to the legitimate office.com website. Thus, it might take some time to realize that there was no voicemail message and that the submitted account’s login credentials got recorded by cybercriminals.

How to secure Microsoft 365 account?

Instead of panicking about the latest phishing scam, we advise learning how to secure Microsoft 365 accounts to continue using these services without a fear that your or your employees' accounts could get hacked. To do so, we recommend employing the tips listed below.

Enable Two-Factor Authentication

Two-Factor Authentication is a great way to add an extra security layer to any account. After enabling it, users should be asked to provide not only an account's login credentials but also a verification code received via email or phone. In such a case, even if cybercriminals find out an account’s username and password, they would still be unable to log in without providing the required code. However, keep in mind that like every other security measure Two-Factor Authentication cannot guarantee absolute protection, which is why it is smartest to take as many safety precautions as you can.

Set up strong passwords

Even if you enable Two-Factor Authentication, it does not mean you can use memorable and weak passwords. To ensure your Microsoft 365 account is secure as much as possible, we recommend setting up a strong password. Specialists recommend using at least 10-12 characters that should include both lower-case and upper-case letters, numbers, and symbols to create a secure passcode combination. If you do not think you can come up with such a password or you might be unable to memorize it, we advise employing a dedicated tool like Cyclonis Password Manager that could take care of this for you.

Secure administrative accounts

Administrative accounts of Microsoft 365 services might provide various privileges, and so cybercriminals might target them more often. Therefore, specialists recommend ensuring that such accounts are protected with unique passwords and Two-Factor authentication. Also, it is advisable to use such accounts only when necessary and to close unneeded browser tabs before accessing them.

Educate employees who use Microsoft 365 services

Even if you use multiple safety precautions to secure Microsoft 365 account, it might still be hacked due to human error. Companies that wish to prevent this from happening should educate their employees about cybersecurity and the latest cyber threats. For instance, to ensure that scam emails targeting Microsoft 365 users are spotted in time, your employees should be taught how to recognize phishing emails and websites. Also, employees should know all about the programs and services that they use in their work so they would know what to expect from them and what kind of behavior or requests from the software they use might be suspicious.

Overall, the latest scam targeted at Microsoft 365 users shows us that phishing emails should not be forgotten yet. Sadly, scrutinizing emails is still necessary for those of us who do not want to be scammed. Also, it is just as important to follow cybersecurity news to learn about such attacks in time. Hopefully, this blog post will assist in spreading awareness about this phishing scam as well as help users secure their Microsoft 365 accounts to protect them from getting hacked. For those, who may not have learned about these phishing emails in time and may have revealed their login credentials to cybercriminals, we advise using Microsoft’s provided guide.

By Foley
December 12, 2019
News
English
December 12, 2019
News

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

News

Schemers Employ a New Phishing Email to Collect Microsoft Passwords

Can you name the world's most lucrative type of cybercrime? Unfortunately, we can't definitively say whether or not your suggestion is correct. The world of online fraud is so vast and diverse that there simply is no... Read more

February 5, 2019
Password Security

Security Experts Warn About the Increasing Number of Office 365 Phishing Emails

How many emails do you send out every day? How many do you receive? These numbers vary from person to person, depending on their position, their social life online, their hobbies, and even their attitude towards... Read more

June 19, 2019
Password Security

Should You Enable or Disable 'Password Sync' on Microsoft Office 365?

If you are running a business, you probably get a headache the moment you hear the word “password.” It’s hard to keep with personal passwords, so dealing with multiple corporate passwords is a big challenge. To make... Read more

June 6, 2019
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.