Phishing campaign targets remote workers with fake voicemail notifications

Looking for new angles to socially engineer employees working from home under COVID-19 conditions, attackers have devised a new phishing campaign whose emails look as if they were generated by a Private Branch Exchange (PBX), a legacy technology that integrates with employees' email clients so they can receive their voicemail recordings.

In a company blog post on Thursday, Ironscales reported that the operation, discovered by its researchers last month, has threatened nearly 100,000 mailboxes around the world, reaching enterprises across multiple sectors.

PBX is a useful tool for employees who lack convenient access to their office landlines. Aware of this, malicious actors are now crafting email subject lines designed to trick recipients into thinking they have received a new voice message.

"The attackers are looking to get the recipient to open the malicious attachment to drive to a fake landing page for credential harvesting. The recipient has to enter their O365 login credentials to access the voicemail recording," an Ironscales spokesperson told SC Media in an email interview.

In some cases, the phishing actors use highly targeted subject lines that include a specific company's or person's name, according to the blog post, authored by Vice President of Pre-Sales Engineering/Director Of Engineering - Americas Ian Baxter. The sender's name is also customized for the target.

"It may seem odd for attackers to create phishing websites spoofing PBX integrations as most voicemails are quite benign in the information shared," Baxter explains in the post. "However, attackers know that the credentials could be used for multiple other logins, including for websites with valuable PII or business information. In addition, any sensitive information that is left in the voicemail could potentially be used for a social engineering attack."

Because the emails do not bear an actual malicious payload that might trigger a detection, they can bypass secure email gateways and elude the DMARC authentication protocol, Ironscales notes.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
