NCSC-CH: active Microsoft 365 "voicemail" phishing wave in Switzerland delivers infostealers and harvests M365 credentials
From CTI Daily Brief — 2026-06-25 · published 2026-06-25
Switzerland's National Cyber Security Centre reported a higher-than-usual volume of a dual-path Microsoft 365 / OneDrive-for-Business phishing campaign in its Week 25 review (NCSC-CH, 2026-06-23). In the malware-delivery variant the email carries a ZIP "audio" attachment that, when run, installs an infostealer harvesting browser credentials, session cookies and wallet data; in the credential-harvest variant a fake Microsoft login page with a simulated audio player ("Play voicemail as guest") captures the M365 username and password. NCSC-CH notes that a compromised mailbox is then used to read live business email and run chain-phishing and BEC fraud from a recognised sender replying inside an existing thread (T1114.003, T1098), and that stolen credentials are frequently resold and resurface in targeted follow-up attacks weeks later.
Why it matters to us: Swiss public-sector staff are direct recipients. The discriminator is mechanical — legitimate voicemail notifications deliver .wav/.mp3, never a ZIP. Phishing-resistant MFA (FIDO2 / certificate-based Conditional Access) defeats the credential-theft path even when the lure succeeds; hunt M365 audit logs for inbox-rule and forwarding-rule creation within minutes of a sign-in from a new country/ASN.
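The hunt described above, sketched as an added example that is not part of the NCSC-CH report or the original brief: it flags inbox-rule or forwarding changes that follow a sign-in from a country or ASN not previously seen for that user. The flattened event schema, the `ev` helper, the 15-minute window and all sample data are assumptions; the operation and parameter names are the ones Exchange Online records.

```python
from datetime import datetime, timedelta

RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
FORWARD_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress"}
WINDOW = timedelta(minutes=15)  # assumption: the brief says only "within minutes"

def ev(time, user, op, country=None, asn=None, params=()):
    return {"time": datetime.fromisoformat(time), "user": user, "op": op,
            "country": country, "asn": asn, "params": set(params)}

# Constructed sample events in a hypothetical flattened schema (not the raw
# audit export); users are invented, ASNs come from the documentation range.
A, B = "a.muster@example.ch", "b.keller@example.ch"
SAMPLE = [
    ev("2026-06-20T08:01:00", A, "UserLoggedIn", "CH", 64496),  # baseline
    ev("2026-06-20T08:05:00", A, "New-InboxRule"),              # known origin
    ev("2026-06-23T14:02:00", A, "UserLoggedIn", "NL", 64497),  # new country
    ev("2026-06-23T14:06:00", A, "New-InboxRule"),              # 4 min later
    ev("2026-06-22T09:00:00", B, "UserLoggedIn", "CH", 64496),  # baseline
    ev("2026-06-23T10:00:00", B, "UserLoggedIn", "CH", 64498),  # new ASN only
    ev("2026-06-23T11:30:00", B, "Set-Mailbox", params=["ForwardingSmtpAddress"]),
]

def is_rule_change(e):
    """Inbox-rule operations, or Set-Mailbox only when it touches forwarding."""
    return e["op"] in RULE_OPS or (
        e["op"] == "Set-Mailbox" and bool(e["params"] & FORWARD_PARAMS))

def hunt(events, window=WINDOW):
    """Return (user, country, asn, operation, minutes_after_sign_in) tuples."""
    countries, asns, pending, hits = {}, {}, {}, []
    for e in sorted(events, key=lambda x: x["time"]):
        u = e["user"]
        if e["op"] == "UserLoggedIn":
            c, a = countries.setdefault(u, set()), asns.setdefault(u, set())
            # The first sign-in per user only seeds the baseline.
            if c and (e["country"] not in c or e["asn"] not in a):
                pending[u] = e
            c.add(e["country"])
            a.add(e["asn"])
        elif is_rule_change(e) and u in pending:
            s = pending[u]
            delay = e["time"] - s["time"]
            if delay <= window:
                mins = int(delay.total_seconds() // 60)
                hits.append((u, s["country"], s["asn"], e["op"], mins))
    return hits

if __name__ == "__main__":
    print(*hunt(SAMPLE), sep="\n")
```

In production the per-user baseline of countries and ASNs should be seeded from sign-in history rather than from the first event in the hunted window.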