Microsoft OneNote Audio Note Phishing Campaign

A new phishing email campaign claims there is a new Microsoft OneNote Audio Notes message from one of the target’s contacts in their address book. The email contains a link that, if clicked, directs the target to a fraudulent OneNote Online webpage hosted on sharepoint[.]com and prompts the user to click on another link to listen to the audio message. If clicked, the target is redirected to another fraudulent sharepoint[.]com webpage that is currently disabled, but would prompt the target to enter their Microsoft login credentials. The email attempts to convince the user of its validity by using a subject line of “New Audio Note Received,” a footer stating the email was scanned by security software and is considered safe, and a phishing page hosted on sharepoint.com with a legitimate Microsoft certificate. The NJCCIC recommends users avoid clicking on links and opening attachments within unsolicited or unexpected emails, even those appearing to be from known senders. Users are advised to, instead, navigate to websites by manually typing the URL into the address bar of their browser. Microsoft login forms will be on microsoft.com, live.com, microsoftonline.com, and outlook.com domains only. If the user is uncertain of the email’s legitimacy, contact the sender via an alternate method. We advise users to refrain from responding to the email as this confirms delivery of the phishing email to the threat actor. Additionally, educating users about this and similar threats can reduce victimization. Additional details may be found in the BleepingComputer post.