Resurgence of voicemail-themed phishing attacks targeting key industry verticals in the US


Since May 2022, ThreatLabz has been closely monitoring the activities of a malicious actor who is targeting users of various US-based organizations with malicious voicemail-notification-themed emails in an attempt to steal their Office365 and Outlook credentials. This threat actor’s tactics, techniques, and procedures (TTPs) strongly overlap with a previous voicemail campaign analyzed by ThreatLabz in July 2020.

In this new instance of the campaign, the threat actor targeted users from US-based organizations in specific verticals, including Software Security, US Military, Security Solution Providers, healthcare/pharmacy and the manufacturing supply chain.

As Zscaler was one of the organizations targeted, this gave us a good insight into the full attack chain and motivations of this threat actor.

Key points

Voicemail-themed phishing campaigns continue to be a successful social engineering theme used by this malicious actor to trick victims into opening a malicious attachment.
Several key industry verticals in the United States, such as the military, security software vendors, healthcare, pharmaceuticals, and the manufacturing supply chain, have been targeted by this threat actor.
The malicious actor’s goal is to steal Office365 and Outlook account credentials, both of which are widely used in large enterprises.
A CAPTCHA is used by the threat actor to shield the final credential phishing page from automated URL scanning tools.
Each URL is uniquely crafted for the targeted individual and targeted organization.
The campaign is active at the time of publication of this report.

Attack chain

The attack flow involves a voicemail-themed notification email sent to the victim. The email contains an HTML attachment which, when opened, will redirect the user to a credential phishing site. The threat actor’s goal is to harvest the victim’s Office 365 credentials.

We will describe each component of the attack chain in more detail in this report.

Figure: Attack chain

Technical analysis

Email analysis

The theme of the email focuses on a voicemail notification that tells the victim they missed a voicemail, prompting the user to open the HTML attachment. This social engineering technique has worked successfully for the threat actor in previous campaigns.

Figure 1 shows an example of an email sent to the victim. The “From” field of the email is crafted to match the name of the targeted organization.

Figure 1: Voicemail-themed email sent to a user at Zscaler

Analysis of email headers shows that the threat actor operated email servers located in Japan. Figure 2 shows the headers of one of the emails.

Figure 2: Email header

Figure 3: Mail Server Details

Analysis of HTML attachments

For analysis purposes, we will consider the HTML attachment with the MD5 hash: dd0ddbc951de5cad9c8ace516c514693

Figure 4 shows the HTML attachment sent in the email; it contains obfuscated JavaScript code.

Figure 4: HTML Attachment

Figure 5 shows the resulting code after deobfuscation.

Figure 5: JavaScript decoded from HTML attachment

This code redirects the user to an attacker-controlled URL using window.location.replace().
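To show how a defender can triage such an attachment without rendering it in a browser, the following Python script is an added example; it is not code from the ThreatLabz post, and the embedded attachment is a constructed stand-in, not the real file whose MD5 is listed above. It statically resolves the simple string encodings these droppers commonly use (unescape, atob, String.fromCharCode), then reports whether the script triggers a location redirect and which URLs and e-mail addresses it embeds. The host example.invalid and the address analyst@acme.example are invented for the example.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample attachment (not the real file whose MD5 is given above).
# The redirect target is hidden in a percent-encoded string and handed to
# window.location.replace(), mirroring the behaviour described in the post.
SAMPLE_ATTACHMENT = """<html><body>
<p>Loading your voicemail...</p>
<script>
var p = unescape('%68%74%74%70%73%3a%2f%2f%65%78%61%6d%70%6c%65%2e%69%6e%76%61%6c%69%64%2f%72%2f%61%63%6d%65');
var t = atob('YW5hbHlzdEBhY21lLmV4YW1wbGU=');
window.location.replace(p + '#' + t);
</script>
</body></html>"""

# Benign page for comparison: no script, no redirect.
BENIGN_HTML = "<html><body><p>Nothing to see here.</p></body></html>"

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Any assignment to or call on location that changes the page the user sees.
REDIRECT_RE = re.compile(r"(?:window\.|document\.)?location(?:\.href\s*=|\.replace\(|\.assign\()")
OBFUSCATION_HINTS = ("unescape(", "atob(", "String.fromCharCode(")


def _quote(text: str) -> str:
    """Re-embed a decoded value as a JS-style string literal."""
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def decode_string_literals(script: str) -> str:
    """Statically resolve the encodings commonly used to hide a redirect URL.
    Only literal arguments are handled; values computed at runtime are left alone."""
    script = re.sub(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)",
                    lambda m: _quote(unquote(m.group(1))), script)

    def _atob(m):
        try:
            return _quote(base64.b64decode(m.group(1)).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
    script = re.sub(r"atob\(\s*['\"]([^'\"]*)['\"]\s*\)", _atob, script)

    def _fcc(m):
        return _quote("".join(chr(int(c)) for c in re.findall(r"\d+", m.group(1))))
    script = re.sub(r"String\.fromCharCode\(([^)]*)\)", _fcc, script)
    return script


def analyse_attachment(html: str) -> dict:
    """Triage verdict for an HTML attachment: does it redirect, to which URLs,
    which encodings hide the target, and which mailbox it was built for."""
    scripts = SCRIPT_RE.findall(html)
    decoded = "\n".join(decode_string_literals(s) for s in scripts)
    return {
        "uses_redirect": bool(REDIRECT_RE.search(decoded)),
        "urls": sorted(set(URL_RE.findall(decoded))),
        "emails": sorted(set(EMAIL_RE.findall(decoded))),
        "obfuscation_hints": sorted(h for h in OBFUSCATION_HINTS
                                    if any(h in s for s in scripts)),
    }


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_ATTACHMENT), ("benign", BENIGN_HTML)):
        print(name, analyse_attachment(doc))
```

The script only resolves literal arguments, so a value such as `p + '#' + t` that is assembled at runtime is reported as its parts (the URL and the address separately); that is usually enough for a mail-gateway rule, since a script that both decodes strings and calls a location redirect is the pattern worth quarantining for review.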

URL analysis

[Stage-1 URL] – Redirector

The URL inside the HTML attachment is a redirector that forwards the user to the final credential phishing page.

In each instance of the attack, the URL followed a consistent format that included the name of the targeted organization as well as the targeted person’s email address. Figure 6 below highlights the format.

Figure 6: Stage 1 URL format

For example, when an individual in Zscaler was targeted, the URL used the following format:


Since the URL format reveals critical information about the target, we used this information from our collected telemetry to enumerate the list of targeted organizations and individuals.

Based on the analysis of this telemetry, we can conclude with a high level of confidence that the targets chosen by the threat actor are US military organizations, security software developers, security service providers, healthcare/pharmaceutical organizations, and supply chain organizations in manufacturing and shipping.

It is important to note that if the URL does not contain the base64-encoded email address at the end, it instead redirects the user to the MS Office Wikipedia page or to
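The URL format described above is what lets a defender turn telemetry into a target list. The Python below is an added example, not ThreatLabz code; because the post does not reproduce the exact URL layout, it assumes a constructed one in which the organization name is the path segment immediately before a trailing base64-encoded e-mail address, carried either as the last path segment or as the URL fragment. It decodes that address, groups recipients by organization, and separates out URLs that lack the encoded address, the case the post says leads to a decoy page. The host redirector.invalid and all organization names and addresses are invented.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed telemetry: Stage 1 URLs as they might appear in mail or proxy logs.
# Host, organisations and addresses are invented for this example.
SAMPLE_URLS = [
    "https://redirector.invalid/voicemail/acme/YW5hbHlzdEBhY21lLmV4YW1wbGU=",
    "https://redirector.invalid/voicemail/acme#Ym9iQGFjbWUuZXhhbXBsZQ==",
    "https://redirector.invalid/voicemail/globex/Y2Fyb2xAZ2xvYmV4LmV4YW1wbGU",
    "https://redirector.invalid/voicemail/acme/",   # no encoded address: decoy path
]

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")


def b64_to_email(token: str):
    """Decode a base64 token (standard or URL-safe alphabet, padding optional)
    and return it only if the result is an e-mail address; otherwise None."""
    token = unquote(token).strip()
    if not token:
        return None
    padded = token + "=" * (-len(token) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if EMAIL_RE.match(text):
            return text.lower()
    return None


def parse_stage1_url(url: str):
    """Return {'host', 'org', 'email'} for a URL carrying an encoded target
    address, or None when that trailing component is absent or not an address."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    # Assumed layout: the organisation name immediately precedes the encoded
    # address, which sits either in the fragment or in the last path segment.
    candidates = []
    if parts.fragment and segments:
        candidates.append((parts.fragment, segments[-1]))
    if len(segments) >= 2:
        candidates.append((segments[-1], segments[-2]))
    for token, org in candidates:
        email = b64_to_email(token)
        if email:
            return {"host": parts.hostname, "org": org, "email": email}
    return None


def enumerate_targets(urls):
    """Group decoded recipients by organisation; return decoy-only URLs separately."""
    by_org = defaultdict(set)
    decoys = []
    for url in urls:
        hit = parse_stage1_url(url)
        if hit:
            by_org[hit["org"]].add(hit["email"])
        else:
            decoys.append(url)
    return {org: sorted(emails) for org, emails in sorted(by_org.items())}, decoys


if __name__ == "__main__":
    targets, decoys = enumerate_targets(SAMPLE_URLS)
    for org, emails in targets.items():
        print(org, emails)
    print("decoy-only URLs:", decoys)
```

Running the script on logged URLs gives the per-organization recipient list that the post describes building from telemetry; the decoy list is worth keeping too, since hits on the redirector without an encoded address still show the infrastructure was reached.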

[Stage 2 URL] – CAPTCHA verification

The Stage 1 URL in the HTML attachment redirects the user to the Stage 2 URL, which requires the user to solve a CAPTCHA before presenting the actual Office credential phishing page.

The CAPTCHA is implemented with Google reCAPTCHA, which helps the threat actor evade automated URL analysis tools. A similar technique was used in the July 2020 instance of the voicemail-themed campaign.

Figures 7 and 8 show two example CAPTCHAs displayed by Stage 2 URLs.

Figure 7: CAPTCHA displayed by the phishing page

Figure 8: CAPTCHA displayed by the phishing page

[Stage 3 URL] – Credential phishing page

Once the user solves the CAPTCHA successfully, they are redirected to the final credential phishing page, which attempts to steal the user’s Office 365 credentials as shown in Figure 9.

Figure 9: Final Office 365 credential phishing page

Zscaler detection status

Zscaler’s multi-layered cloud security platform detects indicators at different levels, as seen here:


Figure 10 shows the detection status of Zscaler’s credential phishing detection system.

Figure 10: URL Detection by Zscaler’s Credential Phishing Detection System


Voicemail-themed phishing campaigns continue to be an effective social engineering technique for attackers, as they are capable of tricking victims into opening email attachments. This, combined with the use of evasion tactics to circumvent automated URL scanning solutions, helps the threat actor be more successful in stealing user credentials.

As an extra precaution, users should not open attachments in emails sent from untrusted or unknown sources. As a general rule, users should verify the URL in the browser’s address bar before entering credentials.

The Zscaler ThreatLabz team will continue to monitor this campaign, and others, to keep our customers safe.

Indicators of Compromise (IOC)

# domains registered by the attacker


This is a Security Bloggers Network syndicated blog from Blog Category Feed written by Sudeep Singh. Read the original post at:
