A phishing campaign has been identified targeting Office 365 users that includes an incomplete voicemail message as a lure to get them to visit a malicious website and enter their Office 365 credentials.
The emails have been crafted to appear as automated messages from Microsoft that require “immediate attention.” The messages include a summary of the call and voicemail message, such as the telephone number, the date the message was received, the duration of the voicemail message, and a reference number.
The emails carry an HTML attachment. When it is opened, it plays a very brief snippet of the purported message (“Hello”) from a .wav file embedded in the HTML.
To hear the full message, the user is told to click a link and log in to their Office 365 account. The link leads to a webpage that shows an Office 365 login prompt over the standard Office 365 background.
Any password entered is captured by the attacker. The user is then told that their identity has been confirmed and that they are being redirected; the redirect lands on the genuine Office.com site, which gives the victim little reason to suspect anything is wrong, but no voicemail message is ever played.
The phishing emails were identified by security researchers at McAfee who have intercepted several emails over the past few weeks. Further analysis revealed three phishing kits are being used in the campaign to generate the malicious websites.
The phishing kits are being advertised on social media and offered under license. The websites they generate capture the user’s email address, password, IP address, and location.
The threat actors behind this campaign have been targeting high profile companies across a broad range of industry sectors. The most heavily targeted sectors are services (18%), financial (12%), IT services (12%) and retail (10%). The emails have mostly been sent to middle management and executives, whose accounts are the most valuable to the attackers: they contain more sensitive information, and they can be used to launch further, more convincing phishing attacks from inside the organization.
Many of these emails are bypassing Office 365’s built-in anti-spam controls and are being delivered to inboxes. Businesses should layer an advanced spam filtering solution on top of Office 365 to block the messages, and because the lure arrives as an HTML attachment rather than as a link in the message body, quarantining or sandboxing HTML attachments from external senders is a particularly effective control here. End users should be warned about the campaign and told to treat any login prompt launched from an email attachment as a red flag. Multi-factor authentication should also be enforced so that a captured password alone is not enough to gain access to an Office 365 account.
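As an added illustration of how the attachment-based lure described above can be caught at the mail gateway, the following Python script is an example written for this article; it is not McAfee’s research tooling, not Microsoft’s filter, and not code from the phishing kits. It parses a message with the standard library, looks for the traits the campaign combines (a sender display name claiming Microsoft from a non-Microsoft domain, an HTML attachment, embedded audio, a link to a non-Microsoft host, and voicemail vocabulary) and returns a verdict. The sample messages, the sender and link domains, the list of Microsoft domains and the scoring thresholds are all constructed assumptions for illustration.

```python
"""Flag voicemail-lure phishing e-mails that deliver an HTML attachment.

Added example for this article, not McAfee's tooling or Microsoft's filter.
The sample messages, sender domains, allow-list and thresholds are assumptions.
"""
import base64
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumption: domains from which genuine Microsoft / Office 365 mail and links arrive.
MICROSOFT_DOMAINS = ("microsoft.com", "office.com", "office365.com",
                     "microsoftonline.com", "live.com", "outlook.com")
# Vocabulary from the lure described in the article.
LURE_WORDS = ("voicemail", "voice message", "immediate attention",
              "reference number", "duration")


def _in_allowlist(host):
    """True if host is one of the assumed Microsoft domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)


def _addr_domain(header_value):
    """Domain part of the first e-mail address in a header (empty if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else ""


def analyze_message(raw):
    """Return the campaign indicators found in a raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg.get("From", "")
    subject = msg.get("Subject", "")
    ind = {"brand_spoof": False, "html_attachment": False, "embedded_audio": False,
           "external_link": False, "voicemail_lure": False}
    # 1. Display name claims Microsoft, but the address is not a Microsoft domain.
    disp = sender.lower()
    if ("microsoft" in disp or "office 365" in disp) and not _in_allowlist(_addr_domain(sender)):
        ind["brand_spoof"] = True
    # 2-4. Inspect HTML attachments: the article says the .wav and the login link live there.
    html_parts = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" and (part.is_attachment() or name.endswith((".htm", ".html"))):
            ind["html_attachment"] = True
            html_parts.append(part.get_content())
    for html in html_parts:
        if re.search(r"<audio\b|data:audio/(x-)?wav", html, re.I):
            ind["embedded_audio"] = True
        for href in re.findall(r'href\s*=\s*["\']([^"\']+)', html, re.I):
            host = urlparse(href).hostname
            if host and not _in_allowlist(host):
                ind["external_link"] = True
    # 5. Lure vocabulary in the subject, the body or the attachment text.
    text = subject + " " + " ".join(html_parts)
    body = msg.get_body(preferencelist=("plain", "html"))  # attachments are skipped here
    if body is not None:
        text += " " + body.get_content()
    ind["voicemail_lure"] = any(w in text.lower() for w in LURE_WORDS)
    return ind


def verdict(ind):
    """quarantine: HTML attachment plus two more indicators; review: any two; else deliver."""
    hits = sum(ind.values())
    if ind["html_attachment"] and hits >= 3:
        return "quarantine"
    return "review" if hits >= 2 else "deliver"


def build_phish():
    """Constructed sample reproducing the lure described in the article."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Office 365 <voicemail@example.net>"  # assumed sender
    msg["To"] = "cfo@victim.example"
    msg["Subject"] = "New voicemail message requires immediate attention"
    msg.set_content("Caller: +1 555 0100\nReceived: 2019-10-30 09:12\nDuration: 0:48\n"
                    "Reference number: VM-48213\nOpen the attachment to listen to your message.")
    wav = base64.b64encode(b"RIFF....WAVEfmt " + b"\x00" * 16).decode()  # placeholder bytes, not a real clip
    html = ("<html><body><audio autoplay><source src='data:audio/wav;base64," + wav + "'></audio>"
            "<p>Voicemail preview. To hear the full message, "
            "<a href='https://login.example.net/office365'>sign in to Office 365</a>.</p>"  # assumed host
            "</body></html>")
    msg.add_attachment(html, subtype="html", filename="voicemail.html")
    return msg.as_bytes()


def build_benign():
    """Constructed internal message with an ordinary attachment and no lure."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@victim.example>"
    msg["To"] = "bob@victim.example"
    msg["Subject"] = "Q3 report"
    msg.set_content("Attached is the Q3 report we discussed.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="q3.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("phish", build_phish()), ("benign", build_benign())):
        ind = analyze_message(raw)
        print(label, verdict(ind), ind)
```

The check deliberately keys on the combination rather than on any single trait: a voicemail notification from a real PBX may legitimately use the word “duration”, and a colleague may send an HTML file, but a Microsoft-branded sender from an unrelated domain, an auto-playing clip and a sign-in link to a non-Microsoft host together match the lure this campaign uses. Domain allow-listing by suffix is an assumption for the example; a production filter would also consult SPF/DKIM/DMARC results and the organization’s own tenant domains.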