Cyber villains are targeting Office 365 and Google Workspace users with a phishing email that contains a fake WhatsApp private voicemail. The email includes a ‘play’ button so the message can be listened to.

If the email recipient clicks the ‘play’ button, they are redirected to a fake webpage. On the webpage, a message prompt asks the victim to confirm that they are not a robot. If the recipient then clicks ‘allow’, a browser ad service installs the malicious payload as a Windows application.

This is a trojan that steals sensitive information like passwords and credentials that are stored in the browser.

This scam is particularly cunning in that it claims to be a message from WhatsApp, which lends it some credibility. It’s also unusual in that it claims to be a voicemail. This alone is likely to deflect suspicion and spark curiosity instead. At the same time, the message prompt asking whether the victim is a robot adds a further layer of credibility.

To date, nearly 30,000 mailboxes have been targeted, which makes this a relatively small cyber scam. However, it is sophisticated and complex and is likely to fool many people unless they are super wary.

The bottom line when receiving unusual and unexpected emails is to treat them with suspicion and also check the domain name from which the email has been sent.
  • Hover your cursor over the ‘From’ display name to see what email address pops up. It’s very common for an attacker to spoof a display name to look like it is coming from someone legitimate, but when you hover over the display name you’ll often find that the message is actually coming from someone else.

In the case of this scam the domain name is ‘’ This is a legitimate domain associated with the State Road Safety operations for Moscow. Because it is legitimate it will slip past email phishing detection.

While the State Road Safety website ultimately belongs to the Russian Ministry of Internal Affairs, it’s likely the domain, or an earlier version of the domain, has been hacked by cyber criminals and is being used to send the phishing emails without the owner’s knowledge.
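
The display-name check described above can also be run automatically on inbound mail, and it does not depend on the sending domain's reputation. The following Python code is an added example, not part of the original article; the brand allow-list, the `sender.example` domains and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.policy import default

# Assumed allow-list for this example: brand keyword -> domains it really sends from.
BRAND_DOMAINS = {"whatsapp": {"whatsapp.com"}}


def display_name_mismatches(raw_message):
    """Return (brand, sender_domain) pairs where the From display name names
    a brand but the address is outside that brand's own domains."""
    msg = message_from_string(raw_message, policy=default)
    header = msg["From"]
    if header is None:
        return []
    findings = []
    for addr in header.addresses:
        # policy=default decodes RFC 2047 encoded-words, so an encoded
        # display name is compared in its readable form.
        name = addr.display_name.lower()
        domain = addr.domain.lower().rstrip(".")
        for brand, allowed in BRAND_DOMAINS.items():
            if brand not in name:
                continue
            # Exact domain or a true subdomain only; "whatsapp.com.x.example"
            # must not pass just because it contains the brand's domain.
            if not any(domain == d or domain.endswith("." + d) for d in allowed):
                findings.append((brand, domain))
    return findings


# Constructed sample messages (not taken from the campaign).
SPOOFED = 'From: "WhatsApp Voicemail" <alerts@sender.example>\nSubject: New voicemail\n\nbody\n'
ENCODED = ("From: =?UTF-8?B?V2hhdHNBcHAgVm9pY2VtYWls?= "
           "<alerts@whatsapp.com.sender.example>\nSubject: New voicemail\n\nbody\n")
GENUINE = 'From: "WhatsApp" <no-reply@mail.whatsapp.com>\nSubject: Code\n\nbody\n'

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("encoded", ENCODED), ("genuine", GENUINE)):
        print(label, display_name_mismatches(raw))
```

A non-empty result is a reason to quarantine or banner the message, even when the sending domain itself is legitimate and passes authentication.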