Fake Voicemail Campaign Detection: New-Old Phishing Attack Hits the U.S.
- What is Quantum Ransomware? - 04.07.2023
- Squiblydoo Attack Analysis, Detection, and Mitigation - 26.06.2023
- CVE-2022-35405 Detection: CISA Warns of Adversaries Leveraging ManageEngine RCE Flaw - 23.09.2022
Table of contents:
A new phishing campaign is on the rise, impacting a wide range of industries and organizations in the U.S., including critical infrastructures such as security, healthcare and pharmaceuticals, the military, and also manufacturing supply chain. The scam began sweeping across the U.S. in May 2022 and is still going on. The targets receive a phishing notification email stating that there is a new voicemail attached, actually cloaking a malicious HTML attachment. When the victim-to-be double clicks on it, it redirects them to an Office365 and Outlook credential phishing site.
Detecting New Phishing Scam
To protect your company infrastructure and prevent possible infections, you can download a Sigma rule released by one of the Threat Bounty Program’s top developers Osman Demir:
Suspicious Fake Voicemail Phishing Campaign Targeting the U.S. organizations (via proxy) – Jun 2022
Want to participate in threat hunting initiatives and share your detection content? Join our Threat Bounty Program for a safer future! Last month, its members contributed 184 unique detections to SOC Prime’s Detection as Code platform. Don’t miss your chance to become one of the contributors and earn recurring monetary rewards.
The rule is aligned with the MITRE ATT&CK® framework v.10. addressing the Initial Access tactic with the Phishing (T1566; T1566.002) technique. This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Microsoft APT, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Chronicle Security, Securonix, Qualys, Apache Kafka ksqlDB, Open Distro, and AWS OpenSearch.
The increasing number and severity of phishing incidents are creating an expanded attack surface, constantly increasing the number of affected users. To stay up-to-date with detection content on this and other threats, register for the SOC Prime Platform. The Detect & Hunt button will take you to a vast library of Sigma and YARA rules translated to 25+ SIEM, EDR, and XDR solutions. Don’t have an account yet? Check out the SOC Prime’s search engine to instantly discover full cyber threat context, MITRE ATT&CK references, and Sigma rules by hitting the Explore Threat Context button.
Detect & Hunt Explore Threat Context
Voicemail-Themed Phishing Scam Description
“New is the well forgotten old” – the motto of the voicemail-themed phishing scam this article details. The phishing campaign that sprang into action last month is built on the very similar one, active in mid-Summer of 2020, security researchers from ZScaler report. This year, this cloud security company has become one of the targets, so in the attack’s aftermath, they released a thorough write-up on the threat.
According to the research data, the campaign targets U.S.-based users affiliated with rather large enterprises, aiming to steal their Office 365 credentials. Hackers behind the campaign use email services in Japan to route their communications and spoof the sender’s address, making the emails appear to come from the inside of the targeted firm in an attempt to make them more trustworthy. These phishing notifications contain a fake voicemail attached. Once the target opens a bogus voicemail, which is actually a malicious HTML attachment containing an encoded JavaScript, it takes the victim to a phishing site. The targeted user is first redirected to a CAPTCHA check, designed to evade automated URL analysis algorithms and strengthen an overall trustworthiness facade. Upon successfully passing the CAPTCHA check, the victim finds themselves on a page that mimics a legit Microsoft sign-in. At this stage, all the adversaries need is for the victim to insert their credentials properly – and, voilà! The target’s credentials are successfully harvested.
Ready to explore the SOC Prime’s platform and see the Detection as Code in action? Sign up for free to access 185,000+ unique hunting queries, parsers, SOC-ready dashboards, Sigma, YARA, Snort curated rules, and Incident Response Playbooks tailored to 25 market-leading SIEM, EDR, and XDR technologies.
