A phishing campaign is targeting Microsoft Office 365 and Outlook credentials of multiple organizations in the U.S. In the ongoing operation, attackers are using fake voicemail notifications with HTML attachments.

The voicemail campaign

Researchers from ZScaler discovered the campaign and found that it shares TTPs with another operation analyzed in mid-2020.
  • In the current campaign, the attackers are using email services in Japan to send their messages and spoof the sender's address, pretending that the emails are from the targeted organization.
  • The email has an HTML attachment using a music note character to impersonate the file as a sound clip. However, the file's obfuscated JavaScript code leads the victim to a phishing site.

The targeted organizations are located in the U.S. and belong to multiple sectors, including manufacturing supply chain, security software, healthcare, pharmaceuticals, and the military.

Additional insights

The URL format of the phishing site follows an assembly system. It considers the domain of the target organization to make it look as if the site is a genuine subdomain.
  • At first, the redirection process takes the victim to a CAPTCHA check, which is created with the goal of evading anti-phishing tools and increases the chances to make the process look legitimate to the victims.
  • After that, victims are redirected to a phishing page that could steal their Office 365 accounts.


Voicemail-themed phishing is an effective way of stealing the credentials of employees, as such scams rely on the carelessness of any single employee across the network. While frequent employee trainings can help, users are recommended to confirm that they are on a legitimate login portal before submitting or starting to type a username and password.

Cyware Publisher