Phishing Alert: Sophisticated Voicemail Scam Targeting Legal Sector

A new phishing campaign is kicking Halloween off with a not-so-friendly treat. Our security partner, Blackpoint Cyber, has issued an urgent alert about a highly targeted and sophisticated attack aimed at legal professionals. This campaign uses fake voicemail emails to trick recipients into executing malicious code, potentially compromising sensitive client data and entire networks.

 

🎯 Who’s Being Targeted?

 

This attack is specifically aimed at the legal sector, where staff often handle privileged case information. However, the techniques used could easily be repurposed to target other industries. If your organization deals with sensitive data or has a complex network environment, you should consider this a serious threat.


 

📩 How the Attack Works

 

The phishing email claims to contain an expired voicemail and urges the recipient to download a file. Here’s the breakdown of the attack chain:

  1. User downloads a .bat file (batch-based dropper).
  2. The dropper runs a Visual Basic Script (.vbs).
  3. The script invokes PowerShell (.ps1) with execution policy bypass.
  4. The payload performs:
    • Local and domain reconnaissance
    • Active Directory enumeration
    • Trust mapping
    • Network session inspection
  5. It establishes command-and-control (C2) communication with attacker infrastructure.

This is not commodity malware; it’s a deliberate intrusion path designed for long-term access and lateral movement across your network.
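One way to hunt for the chain above in process-creation telemetry, as an added example that is not from the original alert or from Blackpoint Cyber: it flags PowerShell started with an execution policy bypass only when its ancestry contains a script host that descends from `cmd.exe` running a `.bat`. The event layout (modelled on Sysmon process-creation fields), PIDs, paths and file names are all constructed assumptions.

```python
import re

# Constructed process-creation events; every PID, path and name is made up.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\a\Downloads\voicemail.bat"'},
    {"pid": 300, "ppid": 200, "image": "wscript.exe",
     "cmd": r'wscript.exe "C:\Users\a\AppData\Local\Temp\stage.vbs"'},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmd": r"powershell.exe -NoP -ep bypass -File C:\Users\a\stage.ps1"},
    # Bypass flag present, but no batch file or script host in the ancestry.
    {"pid": 500, "ppid": 100, "image": "powershell.exe",
     "cmd": r"powershell.exe -ExecutionPolicy Bypass -File C:\Tools\inv.ps1"},
]

# Matches -ExecutionPolicy, its abbreviations (-ex, -exec, ...) and the -ep
# alias; "ex\w*" is a deliberate over-approximation of the valid prefixes.
BYPASS = re.compile(r"(?:^|\s)[-/](?:ep|ex\w*)\s+bypass\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def ancestors(event, by_pid):
    """Yield parent, grandparent, ...; stop on an unknown PID or a loop."""
    seen = {event["pid"]}
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:
        seen.add(parent["pid"])
        yield parent
        parent = by_pid.get(parent["ppid"])

def find_dropper_chains(events):
    """Return PIDs of PowerShell (bypass) <- script host <- cmd.exe + .bat."""
    # Assumes PIDs are unique in the window; real telemetry needs a process GUID.
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() != "powershell.exe" or not BYPASS.search(e["cmd"]):
            continue
        chain = list(ancestors(e, by_pid))
        host = next((i for i, a in enumerate(chain)
                     if a["image"].lower() in SCRIPT_HOSTS), None)
        if host is None:
            continue
        if any(a["image"].lower() == "cmd.exe" and ".bat" in a["cmd"].lower()
               for a in chain[host + 1:]):
            hits.append(e["pid"])
    return hits

if __name__ == "__main__":
    print(find_dropper_chains(EVENTS))
```

Matching on the ancestry rather than on the bypass flag alone keeps routine administrative scripts out of the results while still catching renamed batch and script files.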


 

🧠 What to Watch For

 

If you or your team receive emails with voicemail attachments or suspicious ZIP files, do not open them. Here are some known indicators of compromise (IOCs):

File IOCs

  • 121192298.zip
  • 148399969.zip
  • mountc.bat
  • eikrw.bat
  • ~398930815.ps1
  • ~997924198.b.php

Network IOCs

  • 134.195.90[.]207 (C2)
  • gttglobal[.]com (Staging)
  • *.trycloudflare[.]com (Staging domains)

 

🛡️ What You Should Do

 

If you think you’ve received one of these emails or clicked on a suspicious link:

  1. Disconnect from the network immediately.
  2. Contact your IT team or security provider.
  3. Do not attempt to investigate or remediate on your own.

Preventative Steps:

  • Educate your team on phishing tactics and how to spot suspicious emails.
  • Disable script execution where possible (e.g., PowerShell, VBScript).
  • Implement advanced endpoint protection that goes beyond traditional antivirus.
  • Use email filtering and sandboxing to catch malicious attachments.
  • Partner with a security provider that offers 24/7 monitoring and response.

 

🔐 Staying Ahead of Modern Threats

 

This campaign highlights the importance of modern, layered security. Traditional antivirus and EDR tools may not catch these advanced techniques. That’s why we work with partners like Blackpoint Cyber to provide real-time threat detection and response.

If you’re unsure about your current security posture or want to learn more about hardening your defenses, reach out to our team. We’re here to help you stay protected in an evolving threat landscape.

 

Questions or concerns?
Contact us directly at 941-315-2380, or email our support team at support@fourwindsit.com with URGENT in the title.
