ctipilot.ch


NCSC-CH: active Microsoft 365 "voicemail" phishing wave in Switzerland delivers infostealers and harvests M365 credentials

Severity: high · Discovered: 2026-06-25 04:59 UTC · Sourcing: single-source · national CERT

Entities: NCSC-CH

Part of run 2026-06-25-da7fbd23 (intel · Claude Opus 4.8 (1M context))

Switzerland's National Cyber Security Centre reported a higher-than-usual volume of a dual-path Microsoft 365 / OneDrive-for-Business phishing campaign in its Week 25 review (NCSC-CH, 2026-06-23). In the malware-delivery variant the email carries a ZIP "audio" attachment that, when run, installs an infostealer harvesting browser credentials, session cookies and wallet data; in the credential-harvest variant a fake Microsoft login page with a simulated audio player ("Play voicemail as guest") captures the M365 username and password. NCSC-CH notes that a compromised mailbox is then used to read live business email and run chain-phishing and BEC fraud from a recognised sender replying inside an existing thread (T1114.003, T1098), and that stolen credentials are frequently resold and resurface in targeted follow-up attacks weeks later.

Why it matters to us: Swiss public-sector staff are direct recipients. The discriminator is mechanical: legitimate voicemail notifications deliver .wav/.mp3, never a ZIP. Phishing-resistant MFA (FIDO2 / certificate-based Conditional Access) defeats the credential-theft path even when the lure succeeds; hunt M365 audit logs for inbox-rule and forwarding-rule creation within minutes of a sign-in from a new country/ASN.
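The hunt recommended above (rule or forwarding creation within minutes of a sign-in from a new location), written out as an added Python example; it is not from the NCSC-CH report or this brief. The audit records, the user, the country baseline, the 10-minute window and the `XX` country code are constructed assumptions, and a real Unified Audit Log export would first need the sign-in country joined in from Entra sign-in logs or a GeoIP lookup.

```python
"""Hunt: mail-diverting rule changes within minutes of a sign-in from a non-baseline country."""
from datetime import datetime, timedelta

# Exchange Online operations that create or change mailbox rules / forwarding.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}
# Parameters that divert or hide mail; their presence makes a rule change worth an alert.
DIVERT_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                 "ForwardingSmtpAddress", "ForwardingAddress", "DeleteMessage"}

def diverts_mail(event):
    """True if a rule-related operation carries a forwarding/redirect/delete parameter."""
    if event["Operation"] not in RULE_OPS:
        return False
    return bool({p["Name"] for p in event.get("Parameters", [])} & DIVERT_PARAMS)

def find_rule_after_new_location(events, baseline, window_minutes=10):
    """Return (user, login_time, rule_time, country, operation) for each mail-diverting
    rule change within window_minutes after a UserLoggedIn from a non-baseline country."""
    ts = lambda e: datetime.strptime(e["CreationTime"], "%Y-%m-%dT%H:%M:%S")
    hits, last_new_login = [], {}  # user -> (sign-in time, country) of last non-baseline sign-in
    for e in sorted(events, key=ts):
        user = e["UserId"]
        if e["Operation"] == "UserLoggedIn":
            if e.get("Country") not in baseline.get(user, set()):
                last_new_login[user] = (ts(e), e.get("Country"))
        elif diverts_mail(e) and user in last_new_login:
            login_ts, country = last_new_login[user]
            if ts(e) - login_ts <= timedelta(minutes=window_minutes):
                hits.append((user, login_ts.isoformat(), ts(e).isoformat(), country, e["Operation"]))
    return hits

# Constructed sample records. A real Unified Audit Log carries ClientIP, not Country:
# join the country in from Entra sign-in logs or a GeoIP lookup before running this.
U = "a.muster@example.ch"
SAMPLE_EVENTS = [
    {"CreationTime": "2026-06-24T08:00:00", "UserId": U, "Operation": "UserLoggedIn", "Country": "CH"},
    {"CreationTime": "2026-06-24T08:02:00", "UserId": U, "Operation": "New-InboxRule",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Finance"}]},          # benign: no diversion
    {"CreationTime": "2026-06-24T09:15:00", "UserId": U, "Operation": "UserLoggedIn", "Country": "XX"},
    {"CreationTime": "2026-06-24T09:18:00", "UserId": U, "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:ext@example.net"}]},  # hit
    {"CreationTime": "2026-06-24T10:30:00", "UserId": U, "Operation": "New-InboxRule",
     "Parameters": [{"Name": "ForwardTo", "Value": "ext@example.net"}]},     # 75 min later: outside window
]
BASELINE = {U: {"CH"}}  # "XX" is a placeholder country code that is not in the baseline

if __name__ == "__main__":
    for hit in find_rule_after_new_location(SAMPLE_EVENTS, BASELINE):
        print("ALERT", *hit)
```

Widening `window_minutes` to 90 also catches the later `ForwardTo` rule, which shows why the window should be tuned per tenant rather than fixed.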

“In one version of the scam, the attackers try to trick the victim into running malware. The email has a compressed file attached to it, for example a ZIP file called 'audio_Y6CEKNH8OE.zip'.” — NCSC-CH

“Stolen Microsoft 365 login details give attackers access to emails, OneDrive, SharePoint and Teams... The compromised mailbox is then often used to send phishing emails to all of the victim's contacts ('chain phishing').” — NCSC-CH

Tags: phishing · infostealer · identity · eu-nexus · switzerland