A new phishing campaign is on the rise, affecting a wide range of industries and organizations in the U.S., including critical infrastructure sectors such as security, healthcare and pharmaceuticals, the military, and the manufacturing supply chain. The scam began sweeping across the U.S. in May 2022 and is still ongoing. Targets receive a phishing email notifying them that a new voicemail is attached; the attachment is actually a malicious HTML file. When the would-be victim double-clicks it, it redirects them to an Office365 and Outlook credential phishing site.
Want to participate in threat hunting initiatives and share your detection content? Join our Threat Bounty Program for a safer future! Last month, its members contributed 184 unique detections to SOC Prime’s Detection as Code platform. Don’t miss your chance to become one of the contributors and earn recurring monetary rewards.
The rule is aligned with the MITRE ATT&CK® framework v.10, addressing the Initial Access tactic with the Phishing technique (T1566; T1566.002). This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Microsoft APT, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Chronicle Security, Securonix, Qualys, Apache Kafka ksqlDB, Open Distro, and AWS OpenSearch.
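As an added illustration, not the rule described in this post and not code from SOC Prime or Zscaler, the Python triage function below shows the kind of signals a detection for this lure can key on: a voicemail-themed subject or attachment name, an HTML attachment, and a redirect primitive inside that attachment. The keyword list, the redirect regexes, and the sample messages are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Lure vocabulary and redirect primitives are assumptions for this example.
VOICEMAIL_TERMS = re.compile(r"voice ?mail|voice message|missed call", re.I)
HTML_EXT = re.compile(r"\.(html?|xhtml)$", re.I)
REDIRECT_PATTERNS = [
    re.compile(r"<meta[^>]+http-equiv=[\"']?refresh", re.I),            # meta refresh
    re.compile(r"(window\.)?location(\.href|\.replace)?\s*[=(]", re.I),  # JS navigation
    re.compile(r"<form[^>]+action=[\"']https?://", re.I),                # off-site form post
]

@dataclass
class Email:
    sender: str
    subject: str
    attachments: List[str]
    html_bodies: List[str] = field(default_factory=list)  # decoded HTML attachment text

def attachment_redirects(html: str) -> bool:
    # True when the HTML carries a mechanism that forwards the viewer elsewhere.
    return any(p.search(html) for p in REDIRECT_PATTERNS)

def score(msg: Email) -> dict:
    has_html = any(HTML_EXT.search(name) for name in msg.attachments)
    lure = bool(VOICEMAIL_TERMS.search(msg.subject)) or any(
        VOICEMAIL_TERMS.search(name) for name in msg.attachments)
    redirect = any(attachment_redirects(body) for body in msg.html_bodies)
    # Alert only on an HTML attachment combined with the lure or a redirect;
    # either signal alone is too noisy on ordinary mail.
    flagged = has_html and (lure or redirect)
    return {"sender": msg.sender, "flagged": flagged, "html_attachment": has_html,
            "voicemail_lure": lure, "redirect_in_html": redirect,
            "attack": "T1566.002" if flagged else None}

# Constructed sample messages (not captured data); domains are placeholders.
SAMPLE_EMAILS = [
    Email("pbx-noreply@mailer.example", "New Voicemail Received (00:42)",
          ["VM_2022-05-20.htm"],
          ['<html><head><meta http-equiv="refresh" content="0;url=https://login.example.test/">'
           '</head></html>']),
    Email("hr@corp.example", "Benefits enrollment guide", ["guide.html"],
          ["<html><body><h1>Enrollment</h1><p>See attached tables.</p></body></html>"]),
    Email("news@vendor.example", "You have a missed call from us", ["brochure.pdf"]),
]

def triage(emails: List[Email]) -> List[dict]:
    return [score(m) for m in emails]
```

Running `triage(SAMPLE_EMAILS)` flags only the first message; the second has an HTML attachment without a lure or redirect, and the third has the lure wording but no HTML attachment.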
The growing number and severity of phishing incidents are expanding the attack surface and constantly increasing the number of affected users. To stay up-to-date with detection content on this and other threats, register for the SOC Prime Platform. The Detect & Hunt button will take you to a vast library of Sigma and YARA rules translated to 25+ SIEM, EDR, and XDR solutions. Don’t have an account yet? Check out SOC Prime’s search engine to instantly discover full cyber threat context, MITRE ATT&CK references, and Sigma rules by hitting the Explore Threat Context button.
“New is the well forgotten old” is the motto of the voicemail-themed phishing scam this article details. The phishing campaign that sprang into action last month builds on a very similar one that was active in mid-summer 2020, security researchers from Zscaler report. This year, the cloud security company itself became one of the targets, so in the attack’s aftermath it released a thorough write-up on the threat.
Ready to explore SOC Prime’s platform and see Detection as Code in action? Sign up for free to access 185,000+ unique hunting queries, parsers, SOC-ready dashboards, curated Sigma, YARA, and Snort rules, and Incident Response Playbooks tailored to 25 market-leading SIEM, EDR, and XDR technologies.