One more phishing scam has made it to the news due to another innovative trick. This time, the scammers strive to fool users by exploiting audio notes. This OneNote Audio Note phishing campaign seemingly aims at stealing your Microsoft accounts’ credentials.
OneNote Audio Note Phishing Scam
Reportedly, BleepingComputer has caught up with a phishing scam that seemingly preys on Microsoft users. As stated in a recent blog post, the scammers now run a OneNote Audio Note phishing campaign to trick users.
This phishing attack begins by sending email messages to the users, telling them they have received an audio note from someone in their address book. The email subject line reads “New Audio Note Received”. Yet, to listen to this audio note, the user is supposedly required to click on an embedded link.
To further make the email look ‘safe’, the email content also contains a prominent footer mentioning its antivirus scan status.
Upon clicking the link, the user then sees a SharePoint-hosted website that mimics OneNote Online. This webpage also requires the visitor to click on a link to supposedly listen to the audio note.
This webpage then redirects to another web page that resembles the genuine Microsoft account login page. This page requires the users to enter the Microsoft account credentials to proceed. The design of this page has a lot of similarity to the genuine Microsoft website. Nonetheless, a smart user can detect its fraudulence by a quick look at the URL.
An unlucky user may well fall prey to this scam and enter the account credentials. Regardless of whether the users are smart enough or not, the scammers seem careful to make their scam look genuine. They have arranged legitimate Microsoft certificates for the scam web pages hosted on SharePoint.com.
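The URL check described above can be automated. The following Python sketch is an added example, not code from the original article or from BleepingComputer's report. It assumes that login.microsoftonline.com and login.live.com are the only hosts that should ask for a Microsoft password; the function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the hosts where Microsoft itself asks for account passwords.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Tenant-hosted content carries a valid Microsoft certificate, but any tenant
# owner can publish pages there, so the certificate says nothing about intent.
TENANT_CONTENT_SUFFIXES = (".sharepoint.com",)


def classify(url: str) -> str:
    """Return 'ms-login', 'tenant-content' or 'untrusted' for a URL."""
    try:
        parts = urlsplit(url.strip())
        # .hostname drops any "user@" prefix and port, and lowercases the host.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return "untrusted"
    if parts.scheme != "https" or not host:
        return "untrusted"
    if host in MS_LOGIN_HOSTS:  # exact match only, never a substring test
        return "ms-login"
    if host.endswith(TENANT_CONTENT_SUFFIXES):
        return "tenant-content"
    return "untrusted"


def review_chain(chain):
    """chain: list of (url, asks_for_password). Return flagged (url, reason)."""
    findings = []
    for url, asks_for_password in chain:
        kind = classify(url)
        if asks_for_password and kind != "ms-login":
            findings.append((url, f"password prompt on {kind} host"))
    return findings


# Constructed sample: the click path from the email to the credential form.
SAMPLE_CHAIN = [
    ("https://example-tenant.sharepoint.com/sites/notes/audio-note", False),
    ("https://login.microsoftonline.com.account-check.example/signin", True),
]

if __name__ == "__main__":
    for url, reason in review_chain(SAMPLE_CHAIN):
        print(f"FLAG {url}: {reason}")
```

The exact-match comparison on the parsed hostname is what defeats lookalikes that merely contain the genuine name, whether as a subdomain prefix or before an `@` in the URL.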
Things Becoming ‘Phishy’…
Over the past few days, we have seen many different types of phishing campaigns coming up. From Google Calendar to encrypted messaging to QR codes, the scammers are trying every possible strategy to trick users. Hence, it has become essential that users stay wary of such scams not only at an individual level but at the organizational level as well. It would seem there is an ongoing need for social engineering assessments to be carried out within companies to ensure their assets are protected.