Signs of a Phishing Attempt Based on Office VoIP Voicemail Notifications

Crude Attempt That Could Trap the Unwary

With an increasing number of people using services like Teams for voice communications, scammers are trying out new ways to lure unsuspecting victims to click phishing links. One example is the message I received on Wednesday (Figure 1) purporting to let me know that a voicemail is waiting.

The message is a pretty crude attempt to convince anyone that it is a real voicemail notification. “Office VoIP” is used instead of a more believable service name (like Teams, Office 365, Microsoft 365) and the text contains spelling and grammar errors. The Play Voice Message button is clunky and the message comes from an account featuring three exclamation marks in its display name and an SMTP address of sam@v.c.smcozp.com.

Domain Built for an Attack

Looking up the domain with WhoIS, we find that it was registered on October 26 with Amazon.com. The message header tells us that the email came from a7-35.smtp-out.eu-west-1.amazonses.com, probably an SMTP server in a Western European datacenter that’s part of Amazon’s simple email service. In short, the domain was set up with the intention of being used for phishing attacks.

Outlook’s message header analyzer also tells us that the message passed Exchange Online Protection’s mail authentication anti-spam checks. The SPF pass is because the message came from a server authorized to send by Amazon. DKIM signature validation worked and DMARC’s result was a best guess pass.

spf=pass (sender IP is 54.240.7.35) smtp.mailfrom=eu-west-1.amazonses.com;; dkim=pass (signature was verified) header.d=v.c.smcozp.com;; dmarc=bestguesspass action=none header.from=v.c.smcozp.com;compauth=pass reason=109

The link to play the purported voicemail looks as if it will access a PDF file. I didn’t bother going any further.

url=https%3A%2F%2Fa.spiceworks.com%2Fcore%2Fclick%2F%3Facct%3Dm81-email%26direct%3Dtrue%26rt%3Dhttp%3A%2F%2Fej-group.com.my%2Ft-11-h11-v11-m11%2FdG9ueS5yZWRtb25kQHJlZG1vbmRhc3NvY2lhdGVzLm9yZw%3D%3D%2523%23c11c11n11b11k11u11o11b11.pdf&data=04%7C01%7Csome.person%40xxx.org%7Ce9645dd15a7f42495f0608d87b27fab9%7Cb662313f14fc43a29a7ad2e27f4f3478%7C0%7C0%7C637394760921548631%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0&sdata=pJw%2BgCh2QxgfeIIgLeU7rkHvGJHQcbuwDDolW7lB6UY%3D&reserved=0

I’ve reported the message to Microsoft so that they can take steps to block future attempts from the same source. Outlook’s Report Message add-in makes this very easy.

User Education

The problem with messages like this is that people often don’t look at the sender name or domain, question why large commercial organizations send poorly constructed messages, or even why they might be receiving such a message. The fear of losing out syndrome is exploited by attackers who rely on curiosity to lead people to click links. All we can do is continue to educate users to be careful and mistrust messages received from unknown sources.

For more information on running effective message hygiene defenses (a jazzy name for anti-spam), read Chapter 7 of the Office 365 for IT Pros eBook.