The voice message remains an important method of communication in our modern world. Recently, the PDC observed a phishing campaign where threat actors used an access key to entice users to access a voice message. The email notification in Figure 1 shows the use of a domain similar to Zoom. The attachment, an HTML file, serves as the first stage of the attack. The access key adds a personal touch intended to convince users that the message is safe. Together, these tactics aim to deceive victims into believing they are accessing the message securely.
When the attachment is opened, a page appears (Figure 2) asking the user to view the message. The presence of the access key mentioned in the email appears to confirm the legitimacy of the message. Clicking the link prompts the user to enter the access key from before (Figure 3). However, this input actually initiates another download. Note the misleading URL used for the download: it is displayed as a legitimate Zoom URL but actually points to an AWS URL.
After providing the access key and going through captcha checks, a file is downloaded. It is worth noting the URL hosting the download. This campaign resembles the experience of using Zoom as a new user, where interacting with a meeting URL can result in a fresh installation of Zoom. The download confirmation is shown in Figure 4.
Upon opening the downloaded file, the user sees a poorly rendered login page with a Microsoft theme (Figure 5). It appears to spoof Outlook and Teams platforms, but the inconsistency of impersonating Zoom in the beginning raises suspicion. The user email address is pre-filled, indicating that the malicious actor is only interested in obtaining the password. Requesting the password entry twice is a common technique to ensure accuracy. After this step, the page redirects to a looping animation of the Outlook symbol.
In conclusion, there are several red flags in this voice phishing campaign that should raise suspicion. Users should be cautious of access keys suggested for message access: uncommon as they may be, they can appear convincing to unsuspecting individuals.