We have been observing a new phishing campaign using a fake voicemail message to lure victims into entering their Office 365 email credentials.

Harrisburg University voicemails will only come from the email address unityconnection@harrisburgu.edu and include a ".wav" file as the attachment (see below). Please do not open voicemails with attachments that include ".html" or any other suspicious file extension.

Read more about the attack below:

The attack begins when the victim receives an email informing them that they have missed a phone call, along with a request to login to their account to access their voicemail. The phishing email contains a HTML file as an attachment which, when loaded, will redirect the user to the phishing website. There are slight variations in the attachment, but the most recent ones contain an audio recording of someone talking which will lead the victim to believe they are listening to the beginning of a legitimate voicemail.  

The goal of malicious actors is to harvest as many credentials as possible, to gain access to potentially sensitive information and open the possibility of impersonation of staff, which could be very damaging to the company. The entered credentials could also be used to access other services if the victim uses the same password, and this could leave them open to a wider of range targeted attacks.

An example of the malicious email is shown below:

Once redirected, the victim is shown the phishing page which asks them to log into their account. The email address is prepopulated when the website is loaded; this is another trick to reinforce the victim’s belief that the site is legitimate.

When the password is entered, the user is presented with the following successful login page and redirected to the office.com login page.

Source: Office 365 Users Targeted by Voicemail Scam Pages