Microsoft 365 Users Targeted with Voicemail Phishing Emails
We see frequent fake voicemail phishing attempts on our clients. The emails include subject line phrases such as “Voicemail Transcript” and “Missed Call” and HTML attachments with names such as Voicemail.wav.html. The attachments appear to be typical audio files with the familiar "wav" suffix included in the file name.
If clicked, the attachments lead users to a fake Microsoft login page. It’s already populated with your email address and will prompt for your Microsoft 365 password.
If you give up your private email credentials, the bad guys will: 1. Take over your email account 2. Email your contacts as you 3. Gain access to all of your messages, contacts, calendar, and your OneDrive and SharePoint data. 4. Comb through your data in search of valuable passwords
Don't get duped!
Never open unverified email attachments. If someone you know sends you an attachment you're not expecting, check if it is really them via another contact method - call them.
Never enter credentials before checking the actual URL of the site. Is it Microsoft?
Enable multi-factor authentication (MFA). If you accidentally give up your password to a phishing attack, MFA will likely stop the bad guys from logging into your account.
Slow down; if an email is unexpected, unusual, or feels a little off, stop before you blindly click yourself into a whole lot of pain.
Our clients can always ask us to check it out before opening.