Thursday, October 03, 2019
Woburn, MA – September 26, 2019 – New research from Kaspersky has uncovered a widespread malicious email campaign aimed at stealing Microsoft user account credentials, allowing attackers to access private corporate information. Executed via an elaborate spam message, these attacks target employees of large organizations that use business messengers able to exchange voice messages and deliver voice message notifications through corporate email.
As is the goal with all spam campaigns, the malicious emails are carefully designed to look and sound legitimate to corporate users. The body of the email typically contains the time the voice message was sent, its duration and a preview of the message in the form of a short phrase such as, "Just checking to remind you in regards to our..."
To listen to the message, the recipient is asked to follow what is actually a phishing link that leads to a fake authorization page of one or several popular Microsoft services such as the login page for an Outlook email client or a basic Microsoft account. Once the user’s credentials are entered, malicious actors capture them and redirect their unsuspecting victim to the real voice message service for the business. This distracts users and leads them to believe the email was merely an innocent promotion of the service.
“We’ve recently observed a significant increase in the number of spam attacks on the corporate sector,” said Maria Vergelis, security researcher at Kaspersky. “In most cases, they attempt to hack into employees' emails through missed or undelivered messages to access private corporate information that the accounts could reveal. Obviously, missing an important message is a constant fear for employees of large companies as it can affect vital business processes. Therefore, such attacks are likely to have a successful outcome for fraudsters. The targeted employees, afraid to lose the notification in a huge stream of business correspondence, are understandably tempted to follow malicious links and enter their data. We urge all employers to educate their teams on basic cybersecurity hygiene, to avoid becoming a victim of such scams.”
To protect users and businesses from malicious email campaigns, Kaspersky recommends:
Read the full text of the report on Kaspersky Daily.
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.