Microsoft Office 365 fake voicemails

Microsoft Office 365 is in the news once again, and not for the best of reasons. In a newly discovered phishing campaign, attackers are spamming potential victims with emails disguised as Microsoft Office 365 voicemail alerts. The emails instruct victims to open an HTML attachment in order to listen to a voice message, and display the caller number and voicemail length within the message. Once opened, the attachment redirects the victim to the attackers’ landing page by means of a meta element.

Attackers Are Using Meta Refresh Redirections

The attackers deliver their phishing landing pages using a known redirection technique. The attachment opens in the target’s default web browser and transfers the victim, through a shortened URL, to a landing page hosted on a compromised WordPress website. A meta element embedded at the end of the HTML attachment starts the redirection process.

These malicious attachments use meta refresh to redirect the end user from an HTML attachment that is hosted locally to a phishing page on the public internet. Because the attackers use the refresh tag to obfuscate the URL, the built-in link parsers of Office 365 do not detect the threat.
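A mail gateway or triage script can check for this pattern directly rather than relying on link extraction. The following is an added example, not code from the campaign or from the original article: it parses an HTML attachment and reports meta refresh redirects that point to an http(s) host. The function names, the sample attachment and the `short.example` URL are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# content="<delay>; url=<target>": the url part is optional and may be quoted
_REFRESH = re.compile(r"""^\s*(\d+(?:\.\d+)?)\s*(?:[;,]\s*(?:url\s*=\s*)?['"]?\s*(?P<url>[^'"]+?)\s*['"]?\s*)?$""", re.I)

class MetaRefreshFinder(HTMLParser):
    """Collects (delay, url) from every <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.redirects = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = _REFRESH.match(a.get("content", ""))
        if m and m.group("url"):  # a bare delay is a plain reload, not a redirect
            self.redirects.append((float(m.group(1)), m.group("url")))

def external_meta_redirects(html_text):
    """Return meta refresh targets that leave the local file for an http(s) host."""
    finder = MetaRefreshFinder()
    finder.feed(html_text)
    finder.close()
    hits = []
    for delay, url in finder.redirects:
        parsed = urlparse(url.strip())
        if parsed.scheme in ("http", "https") and parsed.hostname:
            hits.append({"delay": delay, "url": url.strip(), "host": parsed.hostname})
    return hits

# Constructed sample: meta element placed at the end of the attachment, as described above
SAMPLE_ATTACHMENT = """<html><body>
<p>You have a new voicemail. Loading audio player...</p>
</body>
<meta http-equiv="Refresh" content="0; URL='https://short.example/r/abc123'">
</html>"""
# Constructed benign page: periodic reload with no target URL
BENIGN_PAGE = '<html><head><meta http-equiv="refresh" content="300"></head><body>Status</body></html>'

if __name__ == "__main__":
    print(external_meta_redirects(SAMPLE_ATTACHMENT))
    print(external_meta_redirects(BENIGN_PAGE))
```

Because the HTML parser decodes character references in attribute values, a target written with entities such as `&#58;` is reported in its decoded form.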

How Do Attackers Phish Victims?

Attackers have designed a spoofed voicemail management system page that pops up a “Voicemail user authentication” login form. This form asks targets to enter their Microsoft account’s email address and password, which are collected and sent to an attacker-controlled server.

The IP address of the server used to store the stolen Microsoft Office 365 user credentials is hardcoded within the phishing landing page. This adds another layer of sophistication on top of the malicious HTML attachments with the meta tag, which obfuscates the URL to evade link analysis and redirects to a compromised domain on the public internet.

Voicemails Are Being Leveraged by Scammers

In late January, another phishing campaign was observed in which attackers leveraged RingCentral voicemail message alerts to trick potential victims into handing over their credentials.

The phishing emails use EML attachments that open within the target’s Outlook client, which makes it even easier for attackers to pressure victims into clicking on the embedded links. The scammers ask victims to enter their credentials twice to make sure that the username and password combinations are correct.

How to Safeguard Yourself Against Phishing?


  1. If you receive an email that contains links or attachments, get in touch with the sender before opening it or clicking on anything.
  2. Thoroughly double-check the URL in the web browser’s address bar for anything suspicious.
  3. Enforce per-user outbound rate limits to detect abuse of compromised webmail accounts. This slows down the outbound spam rate and helps identify or stop the email abuse completely.
  4. In case you open a link, close the web browser and do not continue.
  5. If a user falls for a phishing scam and has their credentials stolen, they should immediately change the passwords of any accounts that might have been stolen.
  6. With ThreatCop, a cyber security attack simulator and awareness training tool, employees can learn about different types of cyber attacks and protect themselves against such cyber threats.

Cyber security companies like Kratikal ensure that your organization is secure against real-life cyber threats that might pose a risk to the organization’s cyber infrastructure. It is important to adopt security practices such as periodic VAPT, cyber security policies, employee awareness programs, etc. These measures will further ensure the safety of the triad of people, process and technology.

By Pallavi Dutta

Content Marketer and Team Leader
