Phishing attacks are becoming more sophisticated and harder to detect. One devious way to trick unsuspecting targets is to send fake voicemail notifications. Attackers mimic real voicemail notifications, which usually include a .mp3 file attachment, but replace the audio file with a .html attachment that is actually a credential harvester.
The harvester page is designed to look like the Microsoft login page, complete with the company logo and a convincing message that appears to be a normal voicemail notification. The message includes a transcription of the audio and mentions a full transcription being attached. However, the attached .html file is actually a trap to steal your personal information.
Additionally, the message includes a phone number, which could be a fake number or a secondary payload for vishing purposes. It is important to be vigilant and verify the sender of the voicemail notification to ensure it is from your actual voicemail provider. If the attachment is not a .mp3 file, be wary, as it could contain a malicious payload.
Off the hook
To stay safe from these types of phishing attacks, it is crucial to verify the sender of the email and the type of attachment before clicking on any links or downloading any files. Be mindful of unexpected voicemail notifications and always take extra caution when handling sensitive information.
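One way to automate the attachment check described above for a mail gateway or triage queue, as an added example that is not Hoxhunt's code: it flags voicemail-themed messages that carry an .html attachment instead of audio and notes when that attachment contains a password field. The keyword list, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed keyword list for voicemail-themed mail; tune to your provider's wording.
VOICEMAIL_RE = re.compile(r"voice\s?mail|voice message|missed call", re.I)
HTML_EXT = (".html", ".htm", ".shtml", ".xhtml")
# A password input inside the attachment points to a credential form.
PASSWORD_FIELD_RE = re.compile(r"<input[^>]+type\s*=\s*[\"']?password", re.I)

def check_voicemail_email(raw: str) -> list[str]:
    """Return findings for one raw RFC 5322 message (empty list = nothing flagged)."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg['Subject'] or ''} {body.get_content() if body else ''}"
    if not VOICEMAIL_RE.search(text):
        return []  # not voicemail-themed, so this check does not apply
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not (name.endswith(HTML_EXT) or part.get_content_type() == "text/html"):
            continue  # audio such as .mp3 is what a real notification carries
        findings.append(f"voicemail notification with HTML attachment: {name}")
        content = part.get_content()
        if isinstance(content, bytes):
            content = content.decode("utf-8", "replace")
        if PASSWORD_FIELD_RE.search(content):
            findings.append(f"password field inside attachment: {name}")
    return findings

def build_sample(filename: str, payload) -> str:
    """Constructed test message; addresses and phone number are placeholders."""
    m = EmailMessage()
    m["From"], m["To"] = "voicemail@example.com", "user@example.com"
    m["Subject"] = "New voicemail from +1 555 0100"
    m.set_content("You received a voice message. Full transcription attached.")
    if isinstance(payload, bytes):
        m.add_attachment(payload, maintype="audio", subtype="mpeg", filename=filename)
    else:
        m.add_attachment(payload, subtype="html", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    lure = build_sample("Voicemail_Transcript.html",
                        '<form><input type="password" name="pw"></form>')
    print(check_voicemail_email(lure))
    print(check_voicemail_email(build_sample("message.mp3", b"ID3\x03")))
```

A finding here is a reason to quarantine and review, not proof of phishing; the sender still has to be verified against your actual voicemail provider.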