Deconstructing a Phishing Attack

A Question

“Why are a lot of fake voicemail messages not getting caught by our spam filter?”

This is just one example of many. This may not resemble all attacks but has a lot of typical indicators.

I got asked this question last night. I investigated only to find that as far as a simple spam filter is concerned – They are 100% correctly formatted and sent emails. Typical protections like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), designed to protect people from impersonating domains, were set up correctly and passing for the domain in question (vtlaud.com).

Phishing Email Example

Suspicion

Looks legitimate but there’s a couple of giveaways. The whole message is an image (cannot select text), and there’s a suspicious looking attachment. Firstly, the music note in the file name and secondly the .mp3 extension, with the icon for the Microsoft Edge browser instead of my media player. While the music note is a valid character, there’s no benefit to including it.

Upon saving the file, Explorer confirmed the type of file as a Microsoft Edge HTML Document. Meaning that if I was to double click to open, it would open in my browser, showing me some sort of web page instead of playing any voicemail message. Interestingly enough, lmth is html backwards.

Copying and pasting this filename into a handy web tool revealed the truth. The character U+2020E is a “Right-to-Left Override”. This makes Windows display the text after it in right-to-left instead of English’s typical left-to-right reading order.

File Name Example
Looks like an MP3 file, but is it?
Decoded File Name
No, it’s really a html file.
Windows Defender Detection

Windows Defender on Windows 11 detects the file as malicious but let’s find out what it looks like if we were to fall for the attack.

Falling For It

Opening the file in a safe environment leads to a Microsoft Login page, with an email address already helpfully pre-filled!

Login Page Screenshot
Hmmmm. Should I log in?
Source code in notepad
The source code is obfuscated. Let’s find out what secrets it holds.
Bad source code

On submission of the fake login form, this page sends your data to a URL that is clearly not Microsoft. I’ve hidden the URL for safety. The DNS filtering service we provide to customers blocks this URL so anyone using our Managed IT Services with security would have had this attack prevented.

Once you’ve submitted the form, the page also redirects to a legitimate voicemail message, making you believe you successfully logged in and a caller had left you a useless and confusing message. The message doesn’t even contain a name or call-back number.

Conclusion

This kind of attack is quite common and shows how easily you can fall into a trap. Anti-Virus on its own is no longer a viable security measure as only 9/56 tested detected this file as malicious. Measures like a DNS Filter, Multi-Factor Authentication and staff security training are all a part of the arsenal. Nothing is perfect, but the more layers in your defence, the less likely you will run into trouble.

Contact us or use the form at the bottom of the page to request a call-back to discuss services we can provide to help prevent attacks like these.

Valid Example

For clients on our Phone System this is what your voicemail messages will look like when in your inbox:

Example of CCP voicemail message

Most Recent:

Random Pick: