Scammers are trying to steal the Microsoft 365 login credentials of people working in the US military, security software, manufacturing supply chain, healthcare and pharmaceutical companies, using an elaborate phishing campaign that combines fake voice-message notifications with fake Microsoft login pages.

Employees of these companies received fake email notifications claiming that someone from their organization sent them a voice message.

The email itself appears to come from the recipient's own company, but cloud security company Zscaler discovered that the real sender is abusing a Japanese email service to hide their address and true identity.

If the victim took the bait and opened the HTML email attachment, they were first sent to a CAPTCHA check, which serves two purposes: evading automated anti-phishing scanners and making the page look legitimate to the victim.

Credential theft

Once the victim passes the CAPTCHA, they are redirected to the actual phishing site, a landing page that looks identical to the Microsoft 365 sign-in page. Any credentials entered there are sent straight to the attackers.
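The lure described above leaves three signals a mail gateway can score together: a voicemail-themed subject, an HTML attachment, and a visible From: domain that does not match the envelope sender. The triage script below is an added illustration (not Zscaler's or BleepingComputer's code); the sample messages are constructed, and the keyword list and the "two or more signals" threshold are assumptions.

```python
from email import policy, message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed keyword list for the voicemail lure; tune for your own environment.
LURE_WORDS = ("voice message", "voicemail", "missed call")
HTML_TYPES = {"text/html", "application/xhtml+xml"}

def _domain(header_value) -> str:
    """Bare, lowercased domain of an address header such as 'Bob <bob@x.test>'."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def triage(raw: bytes) -> dict:
    """Score one RFC 5322 message; 'suspicious' when at least two signals fire."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = _domain(msg["From"])
    return_domain = _domain(msg["Return-Path"])  # envelope sender, as stamped by the MTA
    html_attachments = [
        part.get_filename() or "<unnamed>"
        for part in msg.iter_attachments()
        if part.get_content_type() in HTML_TYPES
        or (part.get_filename() or "").lower().endswith((".htm", ".html"))
    ]
    subject = str(msg["Subject"] or "").lower()
    reasons = []
    if from_domain and return_domain and from_domain != return_domain:
        reasons.append(f"From domain {from_domain} != Return-Path domain {return_domain}")
    if html_attachments:
        reasons.append("HTML attachment(s): " + ", ".join(html_attachments))
    if any(word in subject for word in LURE_WORDS):
        reasons.append("voicemail-style subject line")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}

def build_sample(from_hdr: str, return_path: str, subject: str, attach_html: bool) -> bytes:
    """Construct a test message (sample data, not a real capture)."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "employee@example-corp.test"
    m["Subject"] = subject
    m["Return-Path"] = return_path
    m.set_content("You have a new voice message. Open the attachment to listen.")
    if attach_html:
        m.add_attachment("<html><body>fake sign-in form</body></html>",
                         subtype="html", filename="VoiceMessage.html")
    return m.as_bytes()

if __name__ == "__main__":
    lure = build_sample("IT Helpdesk <helpdesk@example-corp.test>",
                        "<bounce@mail.example.jp>", "New voice message (0:42)", True)
    print(triage(lure))
```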

Microsoft 365 accounts are in high demand among fraudsters because they offer a treasure trove of valuable information that can lead to devastating second-stage attacks. Criminals can use them to deploy malware and ransomware, install cryptominers on powerful servers, and even mount highly destructive supply chain attacks.

The SolarWinds supply chain attack, which targeted government agencies, institutions, and several leading US technology companies, began with a compromised Microsoft 365 account.

In December 2020, a massive cyber espionage effort was discovered that had compromised the software supply chain via a malicious SolarWinds software update. Attributed to state-sponsored Russian hackers, the attack affected nine federal agencies in addition to numerous private sector companies.

There have been several congressional hearings on the SolarWinds hack, and the incident has also resulted in sanctions against several Russian cybersecurity companies. However, no one has been able to determine the true scope of the attack, in part because it has been quite difficult to trace the footsteps of the attackers.

Via: BleepingComputer