Keypoints
- Phishing emails notify users of a missed voice message allegedly from British Telecom and include a link to a malicious site.
- The link leads to a spoofed BT sign-in landing page that copies BT branding and prompts for credentials.
- An inconsistency in the displayed number of voicemail messages (one vs. three) indicates a mass-mailing parameter mismatch on the phishing page.
- Credentials submitted on the fake page are exfiltrated to an external private address/domain.
- After credential capture, victims are redirected to the official BT help/home page to increase perceived legitimacy.
- Observed IOCs include a non-BT domain (Irxi.com subdomain) and an IP address linked to the campaign.
- The tactic is region-adaptive and likely to continue given its apparent effectiveness.
MITRE Techniques
- [T1566] Phishing – The campaign uses deceptive emails that lure recipients with missed-voicemail notifications to harvest credentials (‘the end user is notified about a missed voice message from a British Telecom landline.’)
Indicators of Compromise
- [Domain] Malicious landing page / credential collection endpoint – http://n5vxdrhwohgzy3gzy3gjft2xruwhe7zmquok80.Irxi.com
- [IP Address] Hosting / infrastructure used by the phishing site – 144.76.162[.]245
The technical flow begins with a phishing email that notifies the recipient of a “missed voice message” allegedly from British Telecom and contains a link to a non-BT domain. That link resolves to a spoofed BT sign-in page which replicates BT branding and prompts users to enter account credentials; a mismatch in the displayed voicemail count (one vs. three) indicates a templating/parameter oversight in the mass-issued phishing page.
When credentials are submitted, the form posts data to an external address where the attacker collects the information. The campaign then redirects the user to BT’s legitimate help or homepage immediately after submission to reduce suspicion and increase the likelihood of successful credential capture.
Operational indicators include the Irxi.com subdomain used as the landing page and the associated IP 144.76.162[.]245. Defenders should treat emails with unsolicited voicemail notices as high-risk, validate the URL domain before entering credentials, and block or monitor the listed IOC domain/IP within network and email security controls.
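A simple triage check for this lure, added here as an example and not part of the original write-up: it refangs URLs found in a message, matches their hosts against the Irxi.com domain and the listed IP, and flags voicemail-themed messages whose links point outside an assumed BT allow list (the `bt.com` entry is an assumption; adjust it to your own list).

```python
import re
from urllib.parse import urlparse

# IOCs taken from the write-up above (IP refanged from 144.76.162[.]245).
IOC_DOMAINS = {"irxi.com"}
IOC_IPS = {"144.76.162.245"}
# Assumption: legitimate BT domain; replace with your own allow list.
TRUSTED_DOMAINS = {"bt.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LURE_RE = re.compile(r"\b(missed\s+)?voice\s*(mail|message)\b", re.IGNORECASE)

def _refang(text):
    # Undo common defanging so defanged bodies/IOC lists compare cleanly.
    return text.replace("[.]", ".").replace("hxxp", "http")

def _matches_ioc(host):
    host = host.lower().rstrip(".")
    if host in IOC_IPS:
        return True
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def _is_trusted(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def score_email(subject, body):
    """Return the reasons a message looks like the voicemail phish (empty list = clean)."""
    reasons = []
    lure = bool(LURE_RE.search(subject) or LURE_RE.search(body))
    for url in URL_RE.findall(_refang(body)):
        host = urlparse(url).hostname or ""
        if _matches_ioc(host):
            reasons.append(f"known IOC host: {host}")
        elif lure and not _is_trusted(host):
            reasons.append(f"voicemail lure links to non-BT host: {host}")
    return reasons

# Constructed sample messages (not real captures).
SAMPLES = [
    ("You have 1 missed voice message",
     "Listen here: http://n5vxdrhwohgzy3gzy3gjft2xruwhe7zmquok80.Irxi.com/login"),
    ("Voicemail waiting", "New voicemail from your BT line: http://144.76.162[.]245/vm"),
    ("Your BT bill is ready", "View it at https://www.bt.com/help"),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(subject, "->", score_email(subject, body) or ["clean"])
```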
Read more: https://cofensestaging.wpengine.com/blog/missed-voice-message-phish/