A new wave of phishing emails which adopt an unusual approach has been detected. The attack arrives in users’ email inboxes claiming to be a notification about a voice message.

So far the emails have been using subject lines such as ‘PBX Message,’ ‘Voice Message’ and ‘Voice Delivery Report.’  Attached to the email is another email in the form of an .EML attachment.

EML is a file extension for a Microsoft Outlook e-mail message which can contain hyperlinks and attachments.

Attack steps and outcome

  • If the .EML file is opened it displays an email message that claims to come from RingCentral, a cloud-based business phone system. 
  • To trick the user into believing that they have received a genuine delivery notification about a voicemail, the emails lists information about the call including the time it was made, how long it lasted, the caller’s country code and a partially redacted caller’s number. 
  • To make the message more convincing, it appears as a preview within Outlook rather than as content in a separate window.

The cyber fraudsters are aiming that to ensure that recipients click on the ‘Preview,’ ‘Listen, or ‘Save audio’ links to hear the mystery message.

Eileen’s cousin calling

  • People who click on the links are taken to a bogus phishing Microsoft account login page that asks for credentials to be entered.
  • The phishing page tells anyone entering their password that it is incorrect and then prompts them to renter the information. 
  • It’s likely that the double-entry of passwords is to ensure the fraudsters have received the correct password for an account. 
  • When the password is entered the second time the user is taken to a webpage containing an actual voicemail. The message appears to have been left by an elderly British woman saying she is “Eileen’s cousin” who is “calling to find out how she is.” However, this message could well change to something else. 
  • The fraudster’s aim is to capture email addresses and passwords for Microsoft email accounts which in turn opens up avenues for fraud, depending on what information they find in the emails. 
  • Even if the mail account is protected with two-factor authentication (2FA) the fraudsters appear to be banking on the fact that some users will have the same password for the email account and the 2FA verification.

Always be wary of unsolicited emails that contain attachments. Phishing mails are a popular tool for fraudsters.

The mails they create are ever inventive as they look for new ways to get past defences and fool people into thinking they are genuine.

The .EML attachment, as detailed above, illustrates this perfectly. It’s an email and attachment that seems convincing, piques curiosity and at first glance appears innocuous.