Millions of Microsoft Office 365 users hacked in voicemail phishing campaign

The attack seamlessly acquired login credentials.


Microsoft users are urged to be extra vigilant with their online security following a wave of malicious phishing attacks. McAfee researchers discovered a phishing campaign that uses fake voicemails to trick users into entering their Office 365 email logins; the accounts were then hacked using these credentials.

McAfee claims that many high-profile companies were targeted and the campaign has affected millions of people.

The Bait — The security firm has observed the campaign for weeks, noting in a report released on Wednesday that it spans several industries. McAfee uncovered three separate phishing kits that drew Office 365 users in with a voicemail. A Microsoft-branded email informs them of a missed voicemail from a specific number, with what appears to be trustworthy information including caller ID, call duration, call date, and a reference number.

Once users click to listen to the voicemail attachment, they are teased with a snippet of audio and then prompted to enter their login credentials. They are then redirected to the actual login site so the users have no clue they were bamboozled.
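A mailbox triage heuristic for the lure described above, as an added example that is not from McAfee's report or the original article. It assumes the voicemail attachment is an HTML file; the keyword and markup patterns, function names and sample message are all constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Heuristics are assumptions made for this example, not McAfee's indicators.
LURE = re.compile(r"voice\s*mail|missed call|voice message", re.I)
PASSWORD_FIELD = re.compile(r"<input[^>]+type=[\"']?password", re.I)
REDIRECT = re.compile(r"http-equiv=[\"']?refresh|location\.(href|replace)", re.I)


def triage(raw: bytes) -> list[str]:
    """Return the reasons a raw message resembles the voicemail lure."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg["Subject"] or "") + " " + (body.get_content() if body else "")
    if LURE.search(text):
        reasons.append("voicemail-themed text")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or name.endswith((".htm", ".html")):
            reasons.append(f"HTML attachment: {name}")
            content = part.get_content()
            if isinstance(content, bytes):  # e.g. sent as application/octet-stream
                content = content.decode("utf-8", "replace")
            if PASSWORD_FIELD.search(content):
                reasons.append("attachment asks for a password")
            if REDIRECT.search(content):
                reasons.append("attachment redirects the browser")
    return reasons


def build_sample(attachment_html=None) -> bytes:
    """Constructed test message; every value here is made up."""
    msg = EmailMessage()
    msg["From"] = "Voice Service <noreply@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "You have a missed call and new voicemail"
    msg.set_content("Caller ID: +1 555 0100\nDuration: 00:42\nReference: 0000")
    if attachment_html is not None:
        msg.add_attachment(attachment_html, subtype="html", filename="voicemail.html")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample('<form><input type="password" name="p"></form>')))
```

A message that only mentions voicemail returns a single reason; stacked reasons (themed text plus an HTML attachment that collects a password or redirects) are what warrant quarantine or analyst review.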

Staying Safe — Microsoft’s enterprise dominance has made it one of the biggest targets of phishing attacks. In March, the company flagged a massive uptick in malicious phishing scams that led to a July announcement of an “Unverified Sender” feature. Unverified Sender is still rolling out, so it’s unlikely that the affected accounts were benefitting from the upgraded phishing protections.

Modern phishing attacks are more sophisticated than ever, even fooling those who are looking for them. For added safety, Office 365 customers can check to see if they can enable Unverified Sender in the Office 365 Security & Compliance Center by following the instructions here.