Resurgence of Voicemail-themed Phishing Attacks Targeting Key Industry Verticals in US

ThreatLabz has tracked a voicemail-themed credential phishing campaign since May 2022 targeting US-based organizations across multiple verticals to steal Office365 and Outlook credentials. The operation shows overlap with a 2020 voicemail campaign and uses targeted emails, HTML attachments, base64-encoded URLs, and CAPTCHA to bypass automated analysis. #voicemailphishing #Office365

Key points

  • Voicemail-themed phishing campaigns continue to lure victims with attachments that harvest credentials.
  • Targeted US verticals include the military, software security vendors, security service providers, healthcare/pharmaceutical, and manufacturing supply chains.
  • The attacker aims to steal Office365 and Outlook credentials in large enterprises.
  • A CAPTCHA is used to guard the final credential phishing page from automated URL analysis.
  • Each URL is tailored to the target organization and individual, with the URL format revealing the target.
  • The campaign remains active at the time of publication and shows overlap with a prior 2020 campaign.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The attack flow involves a voicemail-themed notification email sent to the victim. The email contains an HTML attachment which, when opened, redirects the user to a credential phishing site.
  • [T1566.002] Phishing: Spearphishing Link – The URL inside the HTML attachment is a redirector URL which forwards the user to the final credential phishing page.
  • [T1027] Obfuscated/Compressed Files and Information – The HTML attachment contains encoded JavaScript.
  • [T1056.003] Input Capture: Web Forms – The final credential phishing page attempts to steal the Office 365 credentials of the user.
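
The techniques above describe an HTML attachment whose inline JavaScript carries a base64-encoded redirector URL. The following triage script is an added example written for this summary, not code from the ThreatLabz post; it matches an attachment against the MD5 published on this page, then falls back to decoding base64 runs inside inline scripts and flagging any that decode to a URL or client-side redirect. The sample attachment and the redirector host are constructed placeholders.

```python
import base64
import hashlib
import re
from html.parser import HTMLParser

# MD5 of the HTML attachment reported in the ThreatLabz post (the only hash on the page).
KNOWN_ATTACHMENT_MD5 = {"dd0ddbc951de5cad9c8ace516c514693"}
# A base64 run long enough to hold a URL; shorter blobs are ignored to reduce noise.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
_URL_OR_REDIRECT = re.compile(r"https?://|window\.location|location\.href", re.I)

class _ScriptText(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_script, self.text = False, ""  # accumulate inline <script> bodies
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.in_script = True
    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.text += data

def decoded_redirects(html: str) -> list:
    """Decode base64 runs inside inline scripts; keep those holding a URL or redirect."""
    parser = _ScriptText()
    parser.feed(html)
    hits = []
    for blob in _B64_RUN.findall(parser.text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or a binary payload: skip
        if _URL_OR_REDIRECT.search(decoded):
            hits.append(decoded)
    return hits

def triage_attachment(data: bytes) -> dict:
    """Match the published IoC hash first, then apply the encoded-redirect heuristic."""
    md5 = hashlib.md5(data).hexdigest()
    redirects = decoded_redirects(data.decode("utf-8", errors="replace"))
    return {"md5": md5, "known_ioc": md5 in KNOWN_ATTACHMENT_MD5, "encoded_redirects": redirects,
            "suspicious": md5 in KNOWN_ATTACHMENT_MD5 or bool(redirects)}

# Constructed sample (not from the campaign): a base64-wrapped redirect to a placeholder host.
SAMPLE_URL = "https://redirector.example/voicemail/?u=target@corp.example"
SAMPLE_HTML = ('<html><body>You have a new voicemail.<script>window.location = atob("'
               + base64.b64encode(SAMPLE_URL.encode()).decode() + '");</script></body></html>')
```

The decoded redirector is returned rather than fetched, so the script can run in a mail-gateway hook without ever contacting attacker infrastructure; the CAPTCHA in front of the final page is exactly why decoding the attachment offline is more reliable than sandbox URL analysis.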

Indicators of Compromise

  • [Domain] attacker-registered domains – briccorp[.]com, bajafulfillrnent[.]com, and 8 more domains
  • [MD5] HTML attachment MD5 hash – dd0ddbc951de5cad9c8ace516c514693

Read more: https://www.zscaler.com/blogs/security-research/resurgence-voicemail-themed-phishing-attacks-targeting-key-industry