Getting voicemail notifications as an email is simple, and nearly any VoIP phone system can do it. The feature is popular because it is convenient and efficient, and it has been especially valuable during the work-from-home movement: if someone calls an office number, the message still reaches the intended person, wherever they are.
Now attackers are abusing that convenience. Instead of a helpful recording, the notification carries a credential harvesting link.
In this attack, hackers are using the voicemail-to-email feature found on many VoIP-connected phone systems as the pretext for delivering a credential harvesting link.
- Vector: Email
- Type: Credential Harvesting
- Techniques: Impersonation, Phishing, Credential Harvesting
- Target: Any end-user
In this attack, hackers are spoofing the voicemail-to-email messages that notify users of a new voicemail. Typically, the audio file of the voicemail arrives as an attachment or a link. In this email, however, the "audio file" is not a file at all, but a malicious link that leads to a fake Office 365 login page. The message bypassed Mimecast's protection.
Email Example #1
In this email, a voicemail notification asks the user to open the linked "file":
The link goes to a classic credential harvesting page, in this case a fake Office 365 login page.
In this email attack, hackers are leveraging voicemail-to-email notifications to deliver credential harvesting pages.
By imitating a popular feature of many corporate phone systems, the attack is believable and convincing: it is an email that many employees expect to receive, and being asked to log in to Office 365 is not out of the ordinary either. Hackers know this and have tailored their lure accordingly.
Mimecast missed this attack, giving it a spam score of 6, roughly the middle of its range.
Avanan, however, flagged it, with text analysis returning a high-confidence phishing verdict.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Remind end users to be careful before clicking voicemail links. Hovering over the link to check whether the URL actually points to the phone system (and to an audio file) rather than to a login page can be helpful
- Have end users ask IT whether a voicemail notification is legitimate, especially users who rarely receive voicemails
- Deploy protection that doesn't rely on static Allow Lists, but rather on dynamic, AI-driven analysis
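The "hover over the link" check above can be automated at the mail gateway or in a triage script. The following is an added example, not code from the original post or from any vendor product: it parses a raw email, finds links whose anchor text promises a voicemail recording, and flags those whose target is neither an audio file nor hosted on the sending domain, which is exactly the mismatch in the attack described above (an "audio file" link that really points at a login page). The two sample messages, the keyword and extension lists, and the domains in them are constructed for this example and are assumptions, not artifacts from the real campaign.

```python
"""Heuristic check for spoofed voicemail-to-email notifications.

Added example (not from the original post or any product). It parses an
RFC 822 message, collects HTML links whose anchor text promises a voicemail
recording, and flags those whose target is neither an audio file nor on the
From: domain. Sample messages and domains below are constructed.
"""
from __future__ import annotations

from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keyword list: words that mark a voicemail-to-email notice.
VOICEMAIL_WORDS = ("voicemail", "voice message", "audio")
# Assumed list of extensions a genuine linked recording would carry.
AUDIO_EXTENSIONS = (".wav", ".mp3", ".m4a", ".ogg")


class _LinkCollector(HTMLParser):
    """Collect (anchor_text, href) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def sender_domain(msg) -> str:
    """Domain of the From: address, lower-cased ('' if unparsable)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def suspicious_links(raw: bytes) -> list[dict]:
    """Return the links that look like a voicemail lure.

    A link is flagged when the message reads as a voicemail notification,
    the anchor text promises a recording, and the target is neither an
    audio file nor on the From: domain (or one of its subdomains).
    """
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    if not any(w in subject or w in html.lower() for w in VOICEMAIL_WORDS):
        return []  # not a voicemail notification at all

    from_domain = sender_domain(msg)
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        if not any(w in text.lower() for w in VOICEMAIL_WORDS):
            continue  # anchor does not claim to be the recording
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        is_audio = parsed.path.lower().endswith(AUDIO_EXTENSIONS)
        same_org = host == from_domain or host.endswith("." + from_domain)
        if not is_audio and not same_org:
            findings.append({"text": text, "href": href,
                             "host": host, "from_domain": from_domain})
    return findings


# Constructed lure: the "recording" link goes to a login page elsewhere.
LURE_EML = b"""\
From: "Voicemail Service" <voicemail@phones.example.com>
To: jane@example.com
Subject: New Voicemail Message (00:42)
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have a new voicemail from +1 555-0100.</p>
<p><a href="https://login-verify.example.net/o365/auth">Listen to voicemail</a></p>
<p><a href="https://phones.example.com/unsubscribe">Manage notifications</a></p>
</body></html>
"""

# Constructed legitimate notice: the link is a .wav on the phone system.
LEGIT_EML = b"""\
From: "Voicemail Service" <voicemail@phones.example.com>
To: jane@example.com
Subject: New Voicemail Message (00:42)
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have a new voicemail.</p>
<p><a href="https://phones.example.com/vm/12345.wav">Listen to voicemail</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE_EML), ("legit", LEGIT_EML)):
        print(name, suspicious_links(raw))
```

The same-domain test only means something if the From: header can be trusted, so in production pair it with the SPF/DKIM/DMARC results from the Authentication-Results header; a sender who also spoofs the phone system's domain will pass the domain check but should fail authentication. The audio-extension test is likewise a heuristic: a genuine system that serves recordings from a web player without a file extension will need its host added as a known-good origin.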