Someone is trying to steal people’s Microsoft 365 and Outlook credentials by sending them phishing emails disguised as voicemail notifications.

These emails were detected in May and are ongoing, according to researchers at Zscaler’s ThreatLabz, and are similar to a phishing campaign launched a couple of years ago.

This latest wave is aimed at US entities in a broad array of sectors, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain, the researchers wrote this month.

Zscaler has a front-row seat in this campaign; it was one of the targeted organizations.

“Voicemail-themed phishing campaigns continue to be a successful social engineering technique for attackers since they are able to lure the victims to open the email attachments,” the biz’s Sudeep Singh and Rohit Hegde wrote. “This combined with the usage of evasion tactics to bypass automated URL analysis solutions helps the threat actor achieve better success in stealing the users’ credentials.”

The attack starts with an email that tells the targeted user they have a voicemail waiting for them that is contained in an attachment. If the user opens the attachment, they are redirected to a credential-phishing site: a page masquerading as a legit Microsoft sign-in page. The mark is supposed to login to complete the download of the voicemail recording, but in fact will end up handing over their username and password to criminals.

The “from” field of the email is crafted to include the name of the recipient’s company so that it looks at least a little convincing at first glance. JavaScript code in the HTML attachment runs when opened, and takes the user to a page with a URL that has a consistent format: it includes the name of the targeted entity and a domain hijacked or used by the…