back to article Voicemail phishing emails steal Microsoft credentials

Someone is trying to steal people's Microsoft 365 and Outlook credentials by sending them phishing emails disguised as voicemail notifications. This email campaign was detected in May and is ongoing, according to researchers at Zscaler's ThreatLabz, and is similar to phishing messages sent a couple of years ago. This latest …

  1. ShadowSystems

    I'm getting too old for this shit...

    Why the hell would a *voice mail message* include an *email attachment*? I figure the blending of VM & email must be a SmartPhone thing that you young whippersnappers have dreamed up in a drug-fogged brain-fart of epic proportions in the demented belief that it was hip & cool.

    A voice mail message is just that, an audio recording of a person's voice. It does not & should not include anything else, otherwise it is no longer something one person leaves for another, it becomes a form of MMS/SMS akin to a video message clip, text message with animated emoji, or other idiocy that only a "Gen Z'er" would think is useful/appropriate/cool. (Am I the only one that hears "Gen Z" & thinks "Zombies!"?)

    If there's an email attachment, then it's email not voice mail. If it has an address that immitates a valid sender in your contacts list, move it to the junk folder (if not already there) & warn your network security folks about it. If it has an attachment, especially if it's an HTML document, don't open it in your browser, use Notepad, Notepad++, or some other non-internet-connected text editor instead. View the source, ignore all the crap code, & focus on the content. If the server of said content is not inside the corporate network, don't visit that site. If there's JS embedded, don't enable it. If the content of the HTML file is just a "click here to read this" style command, don't click the link, forward it to your security folks, & save yourself a megaton of headache.

    *Wanders off muttering about the youf of today antheir newfangled doohickies*

    1. diodesign (Written by Reg staff) Silver badge

      Re: I'm getting too old for this shit...

      FWIW, as the article says, it's a bogus email saying you have a voicemail waiting for you, and you have to open the attached file to listen to it.

      Someone in a rush, or not aware of how these scams work, opens it, gets directed to a Microsoft 365 login page, thinks, 'fking computer, I already logged in', types in their password, and it's game over.


      1. Doctor Syntax Silver badge

        Re: I'm getting too old for this shit...

        I think the point is that if someone wants to end me a voicemail message the attachment should be a .wav or similar that I can play without logging in to anything (or, more likely, treat with utmost suspicion, report as phishing if it comes in to my hotmail address, and ignore).

        1. Anonymous Coward
          Anonymous Coward

          Re: I'm getting too old for this shit...

          > that I can play without logging in to anything

          In this day and age of tracking everything everywhere, don't bet on it. :(

          1. Doctor Syntax Silver badge

            Re: I'm getting too old for this shit...

            Hence treating it with utmost suspicion.

        2. kat_bg

          Re: I'm getting too old for this shit...

          You would be amazed how many people do not pay attention to the format of the files or have the extension hidden (on windows). This kind of attempt is for the most gullible of the users... Something like the purchase orders presented like and excel file with a link buried inside the file to a nefarious website.

      2. JimboSmith Silver badge

        Re: I'm getting too old for this shit...

        Another reason I don’t have and won’t ger voicemail.

      3. John Brown (no body) Silver badge

        Re: I'm getting too old for this shit...

        I think that was the OPs point though. Do people actual send voicemail messages in such a way that some service or other will then email you an attachment with the voicemail embedded or linked? Also a greybeard here, and it's something I've not seen or done. I either get emails or I get voice messages left on an answerphone[*]. The only real oddity I've come across is my wifes dotty old Aunt who has a habit of sending SMS to the landline so we get a phonecall from BT that then uses a robot voice in attempt to read the text message out over the phone.

        [*], Yes, I do live in the 21st century, I mean both traditional answerphone (built into the digital base station of the cordless phones) on the landline and "voicemail" on a mobile phone.

    2. Pascal Monett Silver badge

      Re: use Notepad

      <user mode>What's Notepad ?</user mode>

      I agree that checking is easy - when you know how a computer works.

      Now tell me, when you order a laptop online, when you buy a smartphone, when you go to a store to buy a computer, does the personnel on site ask you if you know how to use it ? Do they require that you watch a training video ?

      No, they don't.

      So you know what Notepad is and how to use it. Good for you.

      Unfortunately, I think that 99% of IT consumers don't, and have no idea of why it is important.

    3. Doctor Syntax Silver badge

      Re: I'm getting too old for this shit...

      Forget the drug-fogged bit. Thinking it's cool is all that's needed.

  2. Mike 137 Silver badge

    But voicemail doesn't work like this

    "The attack starts with an email that tells the targeted user they have a voicemail waiting for them that is contained in an attachment."

    Does this make sense?

    It's such a pity that ordinary folks are still so uninformed about how things really work - particularly when those things are as simple and commonplace as voicemail.

    1. Dave Pickles

      Re: But voicemail doesn't work like this

      Actually voicemail does sometimes work like this.

      My router (Fritz!Box 7530) can handle SIP phone calls and has a built-in DECT base station and answering machine. The answering machine can be configured to send me an email with the incoming call as an mp3 attachment.

      1. Doctor Syntax Silver badge

        Re: But voicemail doesn't work like this

        "an email with the incoming call as an mp3 attachment"

        That's the difference. You get an attachment that can be played. This scam uses an attachment that requires you to log in. There's a simple rule to apply here:

        Any unsolicited email which included a URL should be treated as phishing.

        Corollary: if you don't want your emails to be so treated, don't include URLs.

      2. John Brown (no body) Silver badge

        Re: But voicemail doesn't work like this

        But how many people do this, know how do this or know this sort of thing exists? I suspect those who know about are those least likely to be taken in by it. The one who will be taken in by are going to be least technically literate[*] who may think it;s a new service offered by their or other mobile providers.

        [*]I include the "young" in this group too. Many know how to use their devices, having grown up with them, but many have no clue how they work.

  3. Anonymous Coward
    Anonymous Coward

    The answer is simple

    every time a scam like this pops up, the good guys flood it with *millions* of sets of login credentials. Hell if MS want to join the good guys they could *create* thousands of bogus accounts that would waste innumerable scammer-hours, thus keeping the rest of us relatively safe.

    1. yetanotheraoc Silver badge

      Re: The answer is simple

      "every time a scam like this pops up"

      Or how about simply informing users about the scam, how it works, and how not to get tripped up by it... ?

      1. John Brown (no body) Silver badge

        Re: The answer is simple

        And how many will get the info? Of those who get it, how many will do more than just go "meh!". Of those remaining, how many will care? Of those few who care, how many will remember for more than a day or so?

        Talk Talk. Massive data breaches all over the mainstream news. Did the customer base reduce? Only microscopically for a short while. Did customer churn increase? A little, but not much, and by definition, "churn" means lost customers were replaced by new ones. A month or two after they dropped out of the news, customers were flocking back to them because they had heard of them, so must be good. They'd forgotten WHY they heard of them. Brand awareness is powerful and the majority of customer seem to have the memory span of a goldfish when it comes to details. If anything, those data breaches probably caused a delayed growth spurt at TalkTalk.

  4. Anonymous Coward
    Anonymous Coward

    What doesnt help in this situation is if you use Teams as a full telephony solution, a voicemail left for you by an incomig caller is sent via email with a sender address of the incoming callers phone number, from servers that IPs change regulary or are dynamic, and dont have DKIM, SPF or any SPAM prrotection employed.

    So if your also on O365 (quite likely if your using teams as voive) and have the External senders transport rule to makr all external email , and have soime exceptions to mark trusted senders there is no, zero, absolutely no way of identifying the legit incoming voicemails from your own Teams Tennant, as being External but Trusted, or internal, so legit email notifications of voicemails are marked the same as the spam/phishin attempts.

    MS are fully aware but have yet to admit it is 1. a problem that needs fixed or 2. that they are going to change it.

    So training your users not to click on emails etc not marked as either "Internal", or "External Trusted sender" means they dont get their voicemail notifications. And no one is going to start saying yeh dont click on these External emails but these ones are OK as that undoes all your anti-phishing training

    1. Doctor Syntax Silver badge

      So using Teams as a full telephony solution is a phishing risk. I think the workaround is pretty obvious.

    2. John Brown (no body) Silver badge

      "What doesnt help in this situation is if you use Teams as a full telephony solution, a voicemail left for you by an incomig caller is sent via email"

      Ah, that helps explain a bit how this scam works. I wasn't aware of that. On the other hand, WHAT THE ACTUAL FUCK????? Teams is basically a messaging service. Why the hell would Teams send you an email about a Teams voicemail when it's a fucking messaging service? Why not send you a fucking MESSAGE, internal to the teams app/client.

      <goes off to think calming thoughts, humming whalesong after very nearly going full Bombastic>

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like