Tens of thousands of victims have been tricked into clicking on an email claiming to contain a WhatsApp voicemail message, according to researchers.
A team at Armorblox has already detected close to 28,000 mailboxes impacted across Google Workspace and Microsoft 365.
The email in question is titled “New Incoming Voicemessage,” with the body text spoofed to appear as if a private message has been sent via WhatsApp to the recipient.
Clicking “Play” in the email will redirect the victim to a web page that attempts to install the JS/Kryptik Trojan, obfuscated JavaScript that tries to redirect the browser to a specific URL and trigger an exploit, Armorblox said.
“Once the target landed on the malicious webpage, he or she was prompted to confirm they ‘are not a robot,’” it continued.
“If the target clicked ‘allow’ on the popup notification in the URL a malicious payload could potentially be installed as a Windows application through a browser ad service, in order to bypass User Account Control. Once the malware was installed it can steal sensitive information like credentials that are stored within the browser.”
The email was sent from a valid Russian domain, “mailman.cbddmo.ru,” which is associated with an organization known as the Center for Traffic Safety of the Moscow Region, a part of the Russian Ministry of Internal Affairs.
That enabled it to bypass Google and Microsoft anti-phishing security, although it’s not currently known how the threat actors managed to exploit the domain, the researchers claimed.
The campaign may also have been timed to coincide with a series of new updates released by WhatsApp late last week designed to improve the user experience.
Armorblox said victim organizations came from the healthcare, education and retail sectors.
It urged corporate security teams to enhance cloud-native email security with third-party tools, improve education and awareness efforts and follow multi-factor authentication and password management best practices.