New Phishing Campaign Uses OneNote Audio to Lure Users to Fake Microsoft Login Page

Cybercriminals continue to impersonate Microsoft services to cast wider phishing nets. In a new phishing campaign reported by Bleeping Computer, audio recordings purportedly shared via OneNote were used as a lure to lead email recipients to a fake Microsoft login page that steals user account credentials.

Using OneNote audio as a brand impersonation tactic

The phishing email arrives bearing the subject “New Audio Note Received” and a message body stating that a contact sent a new audio message. The body also includes the call to action “LISTEN TO FULL MESSAGE HERE,” which is hyperlinked with a phishing URL. When that URL is clicked, the user is directed to a fake OneNote Online page hosted on a SharePoint subdomain.

On the page, the heading reads “You Have A New Audio Message” and, as in the email, the body shows the aforementioned hyperlinked call to action. This link directs the user to another SharePoint page, albeit one that is currently disabled. A legitimate-looking but bogus Microsoft login page would have appeared, prompting the user to log in with their Microsoft account credentials, which would have been effectively stolen.

The impersonation of popular brands is continually being used by cybercriminals in credential phishing attacks, 3.5 million of which were flagged by the Trend Micro™ Cloud App Security™ solution in 2018.

[Read: Microsoft, PayPal, and Netflix Most Impersonated Brands in Phishing Attacks in Q1 2019]

Other notable deception tactics used

Apart from using bogus OneNote audio recordings as a lure, there are other deceptive elements that cybercriminals designed to make the phishing emails harder to spot for recipients.

One notable detail observed is the use of a footer note that says the email was scanned by a certain brand of security software. The use of legitimate Microsoft certificates is another deceptive element in the emails that can fool unsuspecting recipients into thinking that the phishing emails are legitimate.

AI and machine learning in email security solutions

The use of brand impersonation to trick email recipients into giving out their account credentials continues to be pervasive. Users must remain mindful of such schemes, and they can do so by informing themselves of ways to stay protected from phishing attacks.

Organizations, for their part, can take advantage of Cloud App Security, a supplementary security solution that enhances existing email gateways. Cloud App Security uses artificial intelligence (AI) and computer vision technologies to help detect and block attacks that employ brand impersonation tactics. It also uses machine learning to detect suspicious content in the message body and attachments. After having the email’s sender, URL, and reputation go through analysis, computer vision and AI will examine the remaining URLs to check if the website components of a legitimate brand’s login page are being spoofed.

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.