A newly spotted phishing campaign uses Microsoft voicemail notifications as bait to trick targets into opening HTML attachments that redirect to the attackers’ landing pages using a meta element.
Phishing is a type of scam in which crooks try to trick their targets into providing personal info via fraudulent websites they control, using a wide range of social engineering techniques as well as messages designed to look like they were sent by a legitimate organization or someone the target knows.
As detailed in research shared with BleepingComputer by email security firm Avanan, the campaign’s operators are spamming potential victims with emails disguised as Microsoft Office 365 voicemail alerts.
These phishing emails instruct the targets to open the attachments to be able to listen to the voice messages, displaying the caller number and voicemail length within the message to look more convincing.
The meta refresh redirections
The victims will be sent to the phishing landing pages employing a known redirection technique that uses the meta HTML element with the value of the http-equiv attribute set to “Refresh” and the value of the content attribute set to “1” to force a one-second timeout.
However, unlike previously spotted campaigns that abuse meta refresh via an intermediary URL designed to send the targets to the landing page, these attacks use the HTML attachment itself to launch the redirection, a method dubbed ‘MetaMorph Obfuscation’ by Avanan’s researchers.
The attachment will be opened in the targets’ default web browser, with the page transferring them to a landing page hosted on the mototamburi.[com] compromised WordPress website via a tinyw.in shortened URL and using the meta element embedded at the end of the HTML attachment to start the redirection process.
“These malicious HTML attachments use meta refresh to redirect the end-user from an HTML attachment hosted locally to a phishing page hosted on the public internet,” says Avanan.
“Because the hacker uses this refresh tag to obfuscate the URL, the built-in link parsers of Office 365 (used by both the default EOP and E5 ATP) don’t detect the threat.”
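An added example, not code from the article or from Avanan: a small Python scanner that pulls the redirect target out of any meta refresh tag in an HTML attachment, including one appended after the closing </html> tag as this campaign does, so a mail gateway can hand that URL to the same link checks it already runs on message bodies. The sample attachment and the example.invalid URL below are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample resembling the attachment described above: the meta
# refresh directive sits at the very end of the file, after innocuous markup.
SAMPLE_ATTACHMENT = """<html><body><p>Loading voicemail...</p></body></html>
<meta http-equiv="Refresh" content="1; URL=https://example.invalid/landing">"""


def parse_refresh(content):
    """Split a refresh directive into (delay_seconds, target_url or None).

    Browsers accept "1; URL=..." as well as "1;url='...'" and "1,..." forms,
    so the parser is deliberately lenient, the same way a browser is.
    """
    m = re.match(r"\s*(\d+)\s*(?:[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"]*?)['\"]?\s*)?$",
                 content, re.IGNORECASE)
    if not m:
        return (None, None)
    return (int(m.group(1)), m.group(2) or None)


class MetaRefreshFinder(HTMLParser):
    """Collects every meta http-equiv=refresh directive, wherever it appears.

    HTMLParser is a tokenizer, not a tree builder, so a tag placed outside
    <head> or after </html> is still reported.
    """
    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        self.refreshes.append(parse_refresh(a.get("content", "")))


def scan_attachment(html):
    """Return findings for refresh directives that point at an external URL."""
    p = MetaRefreshFinder()
    p.feed(html)
    p.close()
    return [{"delay": delay, "url": url}
            for delay, url in p.refreshes
            if url and re.match(r"(?i)https?://", url)]
```

Each finding's `url` is what the gateway's link parser would otherwise never see; a short delay such as the campaign's one second is a further signal worth scoring.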
Collecting Office 365 credentials
To harvest their victims’ Office 365 credentials, the attackers have designed a spoofed “Voicemail management system” page which pops up a “Voicemail user authentication” login form.
This phishing form asks the targets to enter their Microsoft account’s email address and password, which are then collected and sent to an attacker-controlled server.
The IP address of that server, 184.108.40.206, which is used to store the stolen Microsoft Office 365 user credentials, is hardcoded within the phishing landing page.
“This attack builds upon the wave of HTML attachment attacks that we’ve recently observed targeting our customers, whether they be SMBs or enterprises,” concludes Avanan.
“It adds another layer of sophistication to malicious HTML attachments with the tag, which obfuscates the URL to evade link analysis and redirects to a compromised domain on the public internet.”
Voicemails used as baits by other phishers
During late January, another phishing campaign was observed by EdgeWave researchers using RingCentral voicemail message alerts to trick potential victims into handing out their credentials.
The phishing emails used EML attachments that would be opened within the targets’ Outlook client which made it even easier for the attackers to pressure them into clicking the embedded links.
Also, the phishers’ landing page would ask the victims to enter their credentials twice to make sure that the entered username and password combos are the correct ones.
Phishing expert NullCookies told BleepingComputer at the time that only a small number of phishing kits used the password double-check method and that continuously “showing an incorrect password alert can also be used to avoid redirecting to the impersonated company’s website,” providing the scam with extra camouflage.
If you receive emails containing attachments or links, make sure to get in touch with the sender before opening or clicking any of them.
If this is not an option and you want to click a link enclosed within the message, always make sure to double-check the URL in the web browser’s address bar for anything suspicious.
If you see anything out of the ordinary after opening a link, close the web browser and do not continue. Users who have fallen for a phishing scam and got their credentials phished have to immediately change the passwords to any accounts that might have been stolen.