MailGuard 31 August 2021 12:39:57 AEST 4 MIN READ

“Left you a message” – Nasty Voicemail File Attachment Is Not What It Seems

Think twice before you click on this nasty voicemail attachment landing in inboxes this week. With an innocent “Left you a message” subject line, prefaced by a local telephone number and stamped with the date, the email is marked as ‘High Priority’ and ‘Sent via Microsoft Voice’. The email is targeting a business in the United States and comes from a compromised account belonging to a legitimate printing company (mountain-media(dot)com) in Colorado.

It would be easy for an employee to click through to see what the message entails, especially because of the high degree of personalization: the audio file attachment is named ‘audio@(recipient email name).com’ and the inbound email sender display name inserts the company name, as ‘(company name)Caller’. This makes the message feel routine and familiar, enough so that many of us would click through without a second thought.

In fact, it is a JavaScript-based credential-stealing attack that has the potential to also impact the company’s Microsoft tenancy.
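
The traits described above can be combined into a simple mail-filter heuristic. The following is an added example, not MailGuard's detection logic: the sample message is constructed, and the `lure_indicators` function, its indicator labels, the filename pattern derived from ‘audio@(recipient email name).com’ and the placement of the ‘Sent via Microsoft Voice’ text in the body are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (invented names and numbers, not the real email).
SAMPLE = """\
From: "ExampleCorpCaller" <someone@sender.example>
To: jane.doe@examplecorp.example
Subject: +1 555-0100 Left you a message 31/08/2021
Importance: High
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Sent via Microsoft Voice
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="audio@jane.doe.com"

placeholder
--b1--
"""

def lure_indicators(raw, company):
    """Return the traits described in the article that this message matches."""
    msg = message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "").lower()
    priority = msg.get("Importance", "").lower() == "high" or msg.get("X-Priority", "").startswith("1")
    hits = []
    if "left you a message" in subject:
        hits.append("subject")
    if priority:
        hits.append("high_priority")
    # Display name of the form '(company name)Caller', ignoring case and spaces.
    if display.lower().replace(" ", "") == company.lower().replace(" ", "") + "caller":
        hits.append("display_name")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        # An "audio" attachment whose name is an address ending in .com (assumed pattern).
        if re.fullmatch(r"audio@.+\.com", name):
            hits.append("attachment_name")
        # Assumption: the 'Sent via Microsoft Voice' stamp appears in the plain-text body.
        if part.get_content_type() == "text/plain" and "sent via microsoft voice" in part.get_payload().lower():
            hits.append("voice_banner")
    return hits
```

No single trait is conclusive on its own; the combination of several in one message is what marks it for review.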


After clicking on the voicemail file attachment, users are directed to a replica Microsoft login page that prompts them for their password, with the target victim’s email address already pre-populated as the username to boost the perceived authenticity.


The final step in the scam features a crosswalk CAPTCHA, a common challenge-response test used online to determine whether or not a user is human. Ironically, scammers often incorporate familiar security tests, language and iconography into their attacks to heighten the sense of legitimacy. This scam intercepted by MailGuard earlier this year also used similar reCAPTCHA functionality to trick users.


This attack is carefully tailored with personalized usernames and the company name incorporated into the email and the sign-in page, and local phone numbers in the subject, to reassure recipients that it is in fact legitimate and to reduce their inclination to pause and think twice. Victims who inadvertently fall for the ruse are in fact handing over their sensitive credentials, allowing the cybercriminals access to their company account, and potentially to their organisation’s Microsoft tenancy. Those credentials may then be used in subsequent attacks by the cybercriminals behind this scam, or they may be sold on the dark web to other cybercrime syndicates.

Some of the simplest email scams use social engineering and hyper-personalisation to improve their success rate, like those reported in this post about CEO Fraud.

Whilst MailGuard is stopping this email scam from reaching its customers, we encourage all users to be extra vigilant against this kind of targeted email attack, and whatever happens, do not open such emails or click on their links or attachments.

With social engineering, criminals can use publicly available information from your company website, social media and other company materials to tailor campaigns in such a way that they feel extremely legitimate and familiar. Often the target may not even realise that they’ve been compromised, allowing the criminals to monitor email accounts, send and receive emails on behalf of the victim, and access company systems. Depending on the privileges of the compromised user and what other protections are in place, like MFA, they may even be able to change credentials and/or add new users.

Scams like these have a high likelihood of successfully tricking users, especially in the current climate. With workforces becoming more remote in light of COVID-19, it is common for employees to receive digital messages and alerts from collaboration tools like Microsoft Teams. Therefore, notifications like the one above aren't likely to raise any alarm bells when they appear in an inbox, motivating users to click on the provided links and attachments without a second thought.

The use of well-known brand names, like Microsoft, also serves to inspire false trust, boosting the email’s credibility. Cybercriminals often exploit the branding of global companies like Microsoft in their scams, because their good reputation lulls victims into a false sense of security, and with such a large number of users, they are an easy and attractive target. Their established brand helps convince recipients that the files being shared via email are secure.

We encourage all users to exercise caution when opening messages like these, and to be extra vigilant against this kind of cyber-attack. If you are not expecting a file from the sender, do not open the email, download files or click through on the links. Check with the sender first, even if they are known to you.

As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from, and
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.

One email is all that it takes

All that it takes to break into your business is a cleverly worded email message. If scammers can trick one person in your company into clicking on a malicious link or downloading an attachment, they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's inboxes.
