Have you received an email notification telling you that a voicemail is waiting for you?
Maybe you would be wise to think carefully before clicking on the attachment.
As security researchers at Zscaler explain, a wave of phishing attacks posing as voicemail notifications has targeted US organisations in recent days.
Targeted victims include organisations working in sectors such as the military, healthcare, pharmaceuticals, manufacturing, and others. Even security software vendors found themselves being the victims of attempted attacks – as Zscaler can attest, because it was through being targeted that they found out about the campaign in the first place.
According to the researchers, clicking on the HTML file attached to the emails runs some obfuscated JavaScript that ultimately takes the unsuspecting user to a webpage that tries to trick them into entering their Outlook or Office 365 login credentials.
Hopefully your users would think twice before entering their username and password, but I would still recommend enabling two-factor authentication to harden email account security, and using an enterprise password manager.
Many users don’t realise that a side-benefit of password managers is that they can refuse to submit passwords into login forms if they cannot determine that they are on the legitimate login page for that password.
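One way a password manager can make that decision, shown as an added example (not code from Zscaler or from any particular password manager): compare the page's origin with the origin the credential was saved for, and refuse to fill on anything else. The hostnames, the `savedLogin` record and the `shouldAutofill` function are constructed for illustration, and exact-origin matching is an assumption that is stricter than some products.

```javascript
// Added example: origin check a password manager can apply before autofill.
// All hostnames are constructed samples, not indicators from the campaign.

// Hypothetical saved credential: the origin where the password was stored.
const savedLogin = { origin: "https://login.example-mail.test", username: "alice" };

// Decide whether the form on pageUrl may receive the saved password.
function shouldAutofill(saved, pageUrl) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return { fill: false, reason: "unparseable URL" };
  }
  // An HTML attachment opened from disk has a file: URL and no web origin.
  if (page.protocol !== "https:") {
    return { fill: false, reason: `scheme ${page.protocol} is not https:` };
  }
  const expected = new URL(saved.origin);
  // URL.origin is scheme + host + port. Userinfo and path are excluded, and
  // the host is normalised (lower-cased, default port dropped).
  if (page.origin !== expected.origin) {
    return { fill: false, reason: `origin ${page.origin} is not ${expected.origin}` };
  }
  return { fill: true, reason: "exact origin match" };
}

// Constructed test pages: one legitimate, the rest should be refused.
const samples = [
  "https://login.example-mail.test/signin",                 // legitimate
  "file:///C:/Users/alice/Downloads/voicemail.html",        // local attachment
  "https://login.example-mail.test.other-site.test/signin", // real name as subdomain
  "https://login.example-mail.test@other-site.test/signin", // real name as userinfo
  "https://login.examp1e-mail.test/signin",                 // look-alike character
  "http://login.example-mail.test/signin",                  // no TLS
  "HTTPS://LOGIN.EXAMPLE-MAIL.TEST:443/signin",             // same origin, odd spelling
];
for (const url of samples) {
  const verdict = shouldAutofill(savedLogin, url);
  console.log(`${verdict.fill ? "FILL " : "BLOCK"} ${url} -> ${verdict.reason}`);
}
```

A user who finds the manager offering nothing on a page that looks like their mail login has a strong signal that the page is not the one the password belongs to.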
On its website, Zscaler has published a list of domains used in the attack which companies may choose to proactively block.