ThreatLabZ, the Zscaler threat research team, recently observed a new series of Microsoft-themed phishing attacks aimed at senior-level employees at multiple organizations. The Zscaler cloud has blocked over 2,500 of these phishing attempts over the last three months. The attack is notable for its targeted aim at senior business leaders with titles such as Vice President and Managing Director who are likely to have a higher degree of access to sensitive company data. The aim of these campaigns is to steal these victims’ login credentials to allow threat actors access to valuable company assets.
Attacks have been spread across a range of industries, with the heaviest activity in the banking and IT sectors. We are unable to attribute these attacks to any particular threat actor at this time.
In these attacks, victims receive what appears to be automated emails from their unified communications tools indicating that they have a voicemail attachment. When they click the attachment, victims encounter a fake Google reCAPTCHA screen, and then are directed to what appears to be a Microsoft login screen, allowing threat actors to steal their login credentials. The phishing pages are hosted by using .xyz, .club and .online generic top level domains (TLDs).