Researchers on Monday reported on a WhatsApp voicemail phishing attack from Russia that targeted nearly 28,000 organizations across healthcare, education and retail.

In a blog post, Armorblox researchers said the attacks combine the following techniques: social engineering, brand impersonation, exploiting a legitimate domain, and replicating an existing business email workflow to get victims to click on the “Play” button to view the allegedly secure email message. Once the victim clicks on the “Play” link in the email, they are redirected to a page that attempts to install a trojan horse, JS/Kryptik.

The researchers said the domain of the email sender was “,” a legitimate domain associated with an agency in Russia’s Ministry of Internal Affairs that provides assistance to road safety operations. The Armorblox researchers theorize that “it’s possible” the attackers exploited a deprecated or old version of this agency’s parent domain to send the malicious emails. They said the emails did pass all SPF and DMARC authentication checks.
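Because these emails passed SPF and DMARC, a mail filter needs a check that does not depend on authentication results alone. The following is an added example (not from Armorblox or the original article) that flags a message whose display name or subject claims a brand the sending domain does not belong to; the brand allow-list, the sample message and the `sender.example` and `example.net` domains are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand keywords mapped to the domains allowed to send as that brand.
BRAND_DOMAINS = {"whatsapp": {"whatsapp.com"}}

# Constructed sample: a placeholder sender domain that passes SPF and DMARC.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=sender.example; dmarc=pass header.from=sender.example
From: "WhatsApp Voicemail" <no-reply@sender.example>
To: user@example.net
Subject: New voicemail message
Content-Type: text/plain

You have a new private voicemail. Play
"""

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.
    Only trust headers stamped by your own gateway; strip inbound copies."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results.setdefault(method.lower(), verdict.lower())
    return results

def domain_matches(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def assess(raw):
    """Flag brand impersonation independently of the authentication verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = f"{display} {msg.get('Subject', '')}".lower()
    claimed = [b for b in BRAND_DOMAINS if b in text]
    mismatched = [b for b in claimed if not domain_matches(domain, BRAND_DOMAINS[b])]
    auth = auth_results(msg)
    auth_pass = auth.get("spf") == "pass" and auth.get("dmarc") == "pass"
    return {"sender_domain": domain, "auth_pass": auth_pass,
            "impersonated_brands": mismatched, "suspicious": bool(mismatched)}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

SPF and DMARC only confirm that the sending domain authorized the message, so the sample is reported as both `auth_pass` and `suspicious`.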

“By using a known and trusted service such as WhatsApp, and by using an email server that passes SPF/DKIM checks, the attackers behind this phishing email are reducing the chance of the message being tagged by spam filters, while improving the chance that the user will engage with the phish,” said Erich Kron, security awareness advocate at KnowBe4. Kron said the attackers know that a lot of people currently use WhatsApp, which makes a message like this blend in with the normal email traffic, or at least not stand out as much.

“This type of attack highlights the skill and craftiness of modern attackers who are using phishing emails as their weapon,” Kron said. “Organizations that want to protect themselves from these attacks should ensure that employees are trained in regular and consistent intervals to spot and report them. While these are tougher to spot than many phishing emails, employees who know the dangers of opening and enabling active content in documents, and allowing websites to enable notifications or plugins, are much more likely to quickly notice the shenanigans and avoid them, before the damage is done.”