Crooks are trying to steal Microsoft 365 login credentials from people working in U.S. military, security software, manufacturing supply chain, healthcare, and pharma firms, with an elaborate phishing campaign that uses fake voicemail, and fake Microsoft login pages.
Employees in these firms have been receiving fake email notifications claiming that someone from their organization has left them a voicemail.
The email itself looks as if it is coming from inside the company, but cloud security company Zscaler found that the real sender is abusing a Japanese email service to hide their address and their true identity.
Should the victim take the bait and click on the HTML attachment in the email, they are first redirected to a CAPTCHA check, whose goal is twofold: to evade anti-phishing tools and to convince the victim of the page's legitimacy.
Stealing credentials
Once the victim passes the CAPTCHA, they are redirected again to the actual phishing site, a landing page that looks identical to the Microsoft 365 login page. It is there that, if the victims type in their credentials, they hand them straight to the attackers.
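The chain described above (an internal-looking From header, a hidden real sender, a voicemail lure, and an HTML attachment) can be triaged mechanically at the mail gateway. The following is an added example written for this page, not code from the article or from Zscaler; the message it parses is a constructed sample, and `corp.example` and `mail.example-jp.test` are placeholder domains. It flags a mismatch between the visible From domain and the envelope sender (Return-Path), and the pairing of a voicemail subject with an HTML attachment.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real capture): the visible From claims an
# internal sender, the Return-Path points to an external mail service, and an
# HTML attachment is carried, mirroring the shape of the campaign.
SAMPLE_RAW = b"""Return-Path: <bounce@mail.example-jp.test>
From: "Voicemail Service" <voicemail@corp.example>
To: "Alice" <alice@corp.example>
Subject: New voicemail from +1 555 0100
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have a new voicemail. Open the attachment to listen.
--b1
Content-Type: text/html; name="voicemail.html"
Content-Disposition: attachment; filename="voicemail.html"

<html><body>placeholder</body></html>
--b1--
"""


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def html_attachments(msg):
    """List the filenames of all text/html parts marked as attachments."""
    names = []
    for part in msg.walk():
        if (part.get_content_disposition() == "attachment"
                and part.get_content_type() == "text/html"):
            names.append(part.get_filename() or "<unnamed>")
    return names


def triage(raw_bytes, internal_domains):
    """Return a list of human-readable findings for one raw RFC 5322 message.

    internal_domains: set of domains that legitimately originate internal mail.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    # 1. Visible sender claims to be internal, but the bounce address is not.
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    if from_dom in internal_domains and rp_dom and rp_dom not in internal_domains:
        findings.append(
            f"envelope sender domain {rp_dom} does not match internal From domain {from_dom}")

    # 2. HTML attachments are the delivery vehicle for the redirect chain.
    attachments = html_attachments(msg)
    if attachments:
        findings.append("html attachment(s): " + ", ".join(attachments))

    # 3. Voicemail lure combined with an HTML attachment is the campaign's pattern.
    subject = str(msg["Subject"] or "").lower()
    if "voicemail" in subject and attachments:
        findings.append("voicemail lure paired with html attachment")

    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_RAW, {"corp.example"}):
        print("FINDING:", line)
```

In production the Return-Path comparison would be backed by SPF/DKIM/DMARC alignment results from the receiving MTA rather than a header that the sender can also forge, but the logic is the same: an internal From domain that fails alignment with the actual sending path is the signal.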
Microsoft 365 accounts are in high demand among crooks, as they offer a treasure trove of valuable information that can lead to devastating stage-two attacks. Crooks can use them to deploy malware and ransomware, install cryptominers on powerful servers, and even mount highly destructive supply chain attacks.
The SolarWinds supply chain attack, which saw US government agencies, institutions, and a number of high-profile tech companies targeted, all started with a compromised Microsoft 365 account.
Back in December 2020, a massive cyber-espionage effort was discovered that tainted the software supply chain via a rigged update to SolarWinds software. Pinned on state-sponsored Russian hackers, the hack was found to have affected nine federal agencies, in addition to many private-sector companies.
There have been several congressional hearings regarding the SolarWinds hack, and the incident also led to sanctions on several Russian cybersecurity companies. However, no one has been able to determine the true extent of the hack, in part because tracing the steps of the threat actors has been quite challenging.