A novel phishing campaign has been hitting U.S. firms in the military, security software, industrial supply chain, healthcare, and pharmaceutical sectors to obtain Microsoft Office 365 and Outlook credentials. The operation is still active, and the threat actor behind it is luring victims into opening a malicious HTML file with bogus voicemail notifications.
According to experts at cloud security firm ZScaler, the newly uncovered effort shares tactics, methods, and procedures (TTPs) with another operation evaluated in mid-2020. Threat actors use email providers in Japan to route their communications and fake the sender’s address, making the emails appear to come from an address associated with the targeted firm.
The email contains an HTML attachment named with a music note character to give the impression that the file is a sound clip. The file actually includes obfuscated JavaScript code that redirects the victim to a phishing website. The URL structure is based on an assembly mechanism that considers the targeted organization’s domain to make the site appear to be a valid subdomain.
The victim is initially redirected to a CAPTCHA check, which is meant to bypass anti-phishing technologies and give the victims the appearance of validity. The CAPTCHA check was also employed in a 2020 campaign that ZScaler’s ThreatLabZ researchers investigated, and it remains a successful intermediary stage in phishing success rates.
Users are routed to a genuine-looking phishing page that takes Microsoft Office 365 accounts once they pass this phase. Those paying attention will note that the login page’s domain isn’t owned by Microsoft or their business and is one of the following:
- briccorp[.]com
- bajafulfillrnent[.]com
- bpirninerals[.]com
- lovitafood-tw[.]com
- dorrngroup[.]com
- lacotechs[.]com
- brenthavenhg[.]com
- spasfetech[.]com
- mordematx[.]com
- antarnex[.]com
As a result, users should always check and validate they are on a legitimate login site before submitting or even starting to write their username and password. Usually, recipients are signed into their accounts, so a request to check in again to listen to voicemail should be dubious. Although voicemail-themed phishing with HTML files has been around since at least 2019, it remains successful, particularly with irresponsible employees.
