How a vishing attack spoofed Microsoft to try to gain remote access

A voice phishing campaign spotted by Armorblox tried to convince people to give the attackers access to their computer.

Phone call from unknown number late at night. Scam, fraud or phishing with smartphone concept. Prank caller, scammer or stranger. Man answering to incoming call.

Image: Tero Vesalainen, Getty Images/iStockphoto

A standard phishing attack typically involves sending people an email or text message spoofing a known company, brand or product in an attempt to install malware or steal sensitive information. But a variation called vishing (voice phishing) adds another element, in which the cybercriminals speak with their victims directly by phone or leave fraudulent voice messages. A blog post published Thursday by security firm Armorblox describes a scam in which attackers tried to impersonate Microsoft Defender to coax potential victims to grant them remote access.

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)  

More about cybersecurity

This particular campaign started with phony order receipts for a Microsoft Defender subscription sent via two different emails. Each of the two messages included a phone number to call for any issues related to order returns. Calling one of the numbers triggered the vishing attack in which the criminal instructed the victim to install a program to give them remote access to the person’s computer.

Sent from a Gmail account, the initial emails used a sender name of “Microsoft Online Store” and a subject line of “Order Confirmation No” followed by a long invoice number. The emails borrowed the look and layout of actual emails from Microsoft and even included information on a subscription for Microsoft Defender Advanced Protection that supposedly was ordered by the recipient.

The emails asked the person to contact customer care representatives for more information about the order, including toll-free numbers to call. Since the order was fake, anyone receiving a message like this would naturally be concerned about getting charged for an item they never purchased.

Researchers from Armorblox called both numbers listed in the two emails. One number just rang with no one ever picking up. But the other number was answered by a real person who called himself Sam. Requesting the invoice number listed in the email, “Sam” said that the only way to get a refund was by filling out an information form. To assist the user in this process, Sam suggested installing AnyDesk, a program that provides access to remote PCs.

After the Armorblox folks asked one too many questions, Sam seemed to get suspicious and ended the call. But the intent was clear. The attackers wanted to get victims to install AnyDesk, through which they could then remotely access the person’s PC through Microsoft’s Remote Desktop Protocol. The goal may have been to install malware or ransomware, steal login credentials or grab confidential information.

An attack like this uses several tactics to appear convincing and bypass standard security protection. The emails tried to convey a sense of trust, as it appears to come from Microsoft. They aimed to create a sense of urgency by claiming that the recipient ordered a subscription for something that they obviously didn’t order. The emails didn’t include any links or clearly malicious content that might otherwise prevent it from getting through to someone’s inbox. Further, the emails came from a legitimate Gmail account, allowing them to pass any authentication checks.

To help protect yourself and your organization from these types of vishing scams, Armorblox offers several helpful tips:

  1. Supplement your native email security. The initial emails described by Armorblox snuck past the Google Workspace email security. For better protection, enhance your built-in email security with additional layers that use more advanced techniques. Gartner’s Market Guide for Email Security discusses new methods that vendors introduced in 2020.
  2. Look out for social engineering cues. With email overload, it’s easy to be fooled by a malicious email that appears legitimate at first glance. Instead, you need to engage with such emails in a methodical way. Inspect the sender’s name, email address and the language used within the email. Check for any inconsistencies in the message leading you to ask yourself such questions as: “Why is a Microsoft email being sent from a Gmail account?” and “Why are there no links in the email, even in the footer?”
  3. Resist sharing sensitive information over the phone. Be wary of any unsolicited caller who asks for sensitive information or tells you to download something over the phone. If you feel the phone call is a scam, simply hang up. If the person provides a call-back number, don’t call it. Instead, search the company’s website for a customer service number and call that one.
  4. Follow password best practices. To protect your online accounts, don’t reuse your passwords, avoid passwords that tie into your date of birth or other personal events, don’t use generic passwords and rely on a password manager to create and maintain complex passwords. Further, set up multi-factor authentication (MFA) on your business and personal accounts wherever possible.

Also see