The latest scam involves using fake voicemail messages to convince targets that they need to log in to hear the full recording.
Researchers at McAfee Labs had this to say about the matter:
“Over the past few weeks, McAfee Labs has been observing a new phishing campaign using a fake voicemail message to lure victims into entering their Office 365 email credentials. At first, we believed that only one phishing kit was being used to harvest the user’s credentials. However, during our investigation, we found three different malicious kits and evidence of several high-profile companies being targeted.”
Recipients will receive an email message informing them that they missed a call. A partial recording is available and embedded in the email, but the recipient gets little more than “hello,” so there’s no real indication of what the message might be about.
Then, if the recipient clicks the link provided to “log in and hear the message,” they will, of course, be sent to a page that looks like an Office 365 login screen. Anyone who signs in there is simply handing their credentials over to whoever sent the message.
As we said at the start, Office 365 has become an increasingly popular target. Another scam making the rounds tries to get a user’s login credentials with a message that appears to come from the HR department of the recipient’s employer and talks about an upcoming raise.
Both are powerful approaches that have been yielding better results than usual for the scammers. Be sure your IT staff and all of your employees are aware of and on their guard against these scams.