By Milo Salvia and Kamlesh Patel
The Cofense Phishing Defense Center™ has observed a phishing campaign that masquerades as a voicemail message from a well-known company. The goal is to steal your domain credentials by mimicking the Outlook Web App (OWA).
The message body is designed to mimic the typical VoIP “missed call” notification delivered via email when a user misses a call. A simple HTML box appears with a blue hyperlink, Play Voice. One would assume it was meant to say Play Message or Play Voice Message. This could indicate that English is not the threat actor’s first language and the original message was mistranslated. It’s the first indicator that something is not quite right about this message.
Fig 1. Email Body
Message body in HTML:
If you look at the message body in HTML, you can see that the embedded hyperlink redirects to “www[.]lkjhyb[.]com_dg[.]php=”. As you can tell, the URL has been wrapped by a URL filtering service.
<div align="center" style="text-align: center;">
<a href="hxxps://urldefenseproofpointcom/v2/url?u=hxxps-3A__wwwlkjhybcom_dgphp=">Play Voice</a></div>
Fig 2. Email Body in Plain Text
A closer look at the header information reveals that the threat originates from the domain “protogonay.com.” Further research into this domain suggests that it could be a throwaway domain—no company or website can be found that is directly linked to the name “ext-caller108progonaycom.” The threat source itself uses “ext-caller108” to add legitimacy to the voicemail ruse.
From: Voice Ext <ext-caller108progonaycom>
Subject: Voice call from ******* (39 seconds)
Date: Wed, 22 May 2019 08:23:33 -0700
Message-ID: <[email protected]>
Content-Type: text/html; charset="iso-8859-1"
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-05-22_08:,,
X-Proofpoint-Spam-Details: rule=notspam policy=default score=1 priorityscore=1501 malwarescore=0
suspectscore=2 phishscore=0 bulkscore=0 spamscore=1 clxscore=-94
lowpriorityscore=0 mlxscore=1 impostorscore=0 mlxlogscore=206 adultscore=0
Fig 3. Email Headers
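The two artefacts above (the URL Defense-wrapped "Play Voice" link in Fig 2 and the sender/spam-score headers in Fig 3) can be triaged automatically. The following Python script is an added example written for this article, not Cofense or Proofpoint code. It unwraps a Proofpoint URL Defense v2 link using the published v2 encoding (`/` becomes `_`, other non-alphanumerics become `-XX` hex), extracts anchors whose visible text is a voicemail lure, compares the real destination with the sender's domain, and reads the `X-Proofpoint-Spam-Details` scores for context. The sample message is constructed; all domains in it use the reserved `.example` TLD and stand in for the ones on the page.

```python
"""Triage helper for voicemail-lure phishing emails (added example, not part
of the original analysis).  Indicators checked:
  1. a "Play Voice"-style anchor whose href leads to a host that does not
     belong to the sender's domain
  2. Proofpoint URL Defense v2 wrapping, unwrapped so the true destination
     can be inspected
  3. X-Proofpoint-Spam-Details scores, to show when the gateway scored
     phishscore=0 despite the lure indicators
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample; .example domains are placeholders for those in the post.
SAMPLE_EML = """\
From: Voice Ext <ext-caller108@voicesender.example>
To: someone@victimcorp.example
Subject: Voice call from ******* (39 seconds)
Date: Wed, 22 May 2019 08:23:33 -0700
Content-Type: text/html; charset="iso-8859-1"
X-Proofpoint-Spam-Details: rule=notspam policy=default score=1 priorityscore=1501 malwarescore=0 suspectscore=2 phishscore=0 bulkscore=0 spamscore=1 clxscore=-94

<div align="center" style="text-align: center;">
<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.voicelure.example_dg.php">Play Voice</a></div>
"""

URLDEFENSE_V2 = re.compile(r"^https?://urldefense\.proofpoint\.com/v2/url\?", re.I)
VOICE_LURE_TEXT = re.compile(r"\bplay\s+(voice|message|voicemail)", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def unwrap_urldefense_v2(url):
    """Return the original URL behind a URL Defense v2 link, else the input.

    v2 stores the target in the 'u' parameter with '/' written as '_' and
    other non-alphanumerics as '-XX'; mapping '-'->'%' and '_'->'/' and then
    percent-decoding recovers the original.
    """
    if not URLDEFENSE_V2.match(url):
        return url
    encoded = parse_qs(urlparse(url).query).get("u", [""])[0]
    return unquote(encoded.translate(str.maketrans("-_", "%/")))


def parse_spam_details(value):
    """Turn 'key=value key=value ...' into a dict, converting ints."""
    out = {}
    for token in value.split():
        key, _, val = token.partition("=")
        try:
            out[key] = int(val)
        except ValueError:
            out[key] = val
    return out


def registered_domain(host):
    """Crude registrable domain: the last two labels (enough for .example)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(raw):
    """Return a list of human-readable indicators found in the raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    sender_domain = registered_domain(sender.rpartition("@")[2])
    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = AnchorCollector()
    collector.feed(body)
    indicators = []
    for href, text in collector.links:
        real = unwrap_urldefense_v2(href)
        host = urlparse(real).hostname or ""
        if real != href:
            indicators.append(f"URL Defense link unwrapped to {real}")
        if VOICE_LURE_TEXT.search(text) and registered_domain(host) != sender_domain:
            indicators.append(f"voicemail lure '{text}' points to external host {host}")
    details = parse_spam_details(msg.get("X-Proofpoint-Spam-Details", ""))
    if indicators and details.get("phishscore", 0) == 0:
        indicators.append("gateway phishscore=0 despite lure indicators")
    return indicators


if __name__ == "__main__":
    for line in triage(SAMPLE_EML):
        print(line)
```

Run against the constructed sample, `triage` reports the unwrapped destination, the mismatch between the "Play Voice" link and the sender's domain, and the fact that the gateway scored the message `phishscore=0`, which is the combination that let the real message through the filter described below.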
Once the user clicks on the “Play Voice (sic)” hyperlink, it redirects to what looks like the default corporate Outlook Web App (OWA) login page. This page is designed to steal your O365 domain credentials. As we can see, it asks the victim to supply “domain/username” and “password.”
Fig 4. Phishing Page
This threat was found in an environment running Proofpoint Email Gateway and URL filter.
Threat actors pull out the stops to deliver malicious messages to users’ inboxes. This “voice mail” message is yet another creative example. Learn more about how Cofense stops evolving phishing attacks here.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.