
The Information Security Office (ISO) is seeing a rise in spear phishing attacks utilizing some or all of the following characteristics:

  • A subject line such as “Hi <username>, you have 1 VN on <date>.  Refer below to listen” accompanied by an HTM or HTML file attachment.  If the attachment is opened, it may direct you to a spoofed sign-in page under the attacker's control, in an attempt to get the victim to enter and expose their UNC credentials.  Some characteristics of a spoofed sign-in page include:
    • The address does not start with sso.unc.edu or login.microsoftonline.com
    • The address bar does not include a solid padlock icon indicating the web certificate is verified
  • The From field is spoofed to appear to be sent from the recipient’s email (i.e., the From and To fields are identical).

Always use caution when handling email file attachments, particularly when the sender is unusual or unexpected.  HTM and HTML email attachments for legitimate purposes are rare; cyber criminals are increasingly using this method to work around our defenses and deliver malware or redirect to compromised authentication capture portals.

If you use the voicemail to email feature with your UNC departmental phone, the article GET TO KNOW YOUR NEW PHONE: VOICEMAIL TO EMAIL describes the expected user experience.  A few relevant takeaways:

  • The voicemail will be a WAV format audio file attachment to the email
  • The WAV file should open in a media player app.  It should not redirect to an alternate website and/or request additional authentication.
  • The email will be sent from an address that ends in @att.com
  • Voicemail to email should not be used if you conduct any business involving University Sensitive Information over the phone.  University email, including voicemail to email, is discoverable and can be subject to a public records request.
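
The traits listed in this notice can be checked mechanically against a raw message. The following is an added example, not ISO tooling or code from the original notice; the sample email, its addresses, the function name and the indicator labels are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the traits in this notice (not a real email).
SAMPLE_EML = """\
From: jdoe@example.edu
To: jdoe@example.edu
Subject: Hi jdoe, you have 1 VN on 01/01/2024. Refer below to listen
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Listen to your message.
--b1
Content-Type: text/html; name="voicemail.htm"
Content-Disposition: attachment; filename="voicemail.htm"

<html><body>constructed placeholder</body></html>
--b1--
"""

# Matches the lure wording quoted in the notice ("you have 1 VN").
VOICEMAIL_LURE = re.compile(r"\byou have \d+ VN\b", re.IGNORECASE)

def phishing_indicators(raw: str) -> list:
    """Return the notice's warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    hits = []
    # Trait: From is spoofed to be identical to To.
    if sender and sender == recipient:
        hits.append("from_equals_to")
    # Trait: HTM/HTML file attachment (legitimate voicemail arrives as WAV).
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if any(n.endswith((".htm", ".html")) for n in names):
        hits.append("html_attachment")
    # Trait: voicemail-themed subject, but sender is not an @att.com address.
    if VOICEMAIL_LURE.search(str(msg.get("Subject", ""))) and not sender.endswith("@att.com"):
        hits.append("voicemail_lure_not_from_att")
    return hits

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE_EML))
```

A message with a WAV attachment sent from an @att.com address, as described in the voicemail to email takeaways above, returns an empty list.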

What should I do if I receive a suspicious message?

Our 8/2022 notice on Fake Job Scam Emails and the help.unc.edu article Recognizing and Reporting Fraudulent Emails provide detailed tips for handling phishing.  Specifically:

  • If you receive such a message in your Inbox, use the Report Message > Phishing option in the Outlook ribbon.  This will automatically quarantine the message in your Junk Email folder and alert the ISO so we can further evaluate the threat.  Ultimately this can reduce the likelihood that other community members are affected by emerging phishing threats.
  • If you believe you may have inadvertently exposed your credentials through a spoofed or compromised authentication portal, visit https://onyen.unc.edu and reset your password as soon as possible.  If feasible, this should be done from a device other than the one where you interacted with the phishing email.
  • Do not approve any unexpected Multifactor authentication (MFA) prompts.
  • If you believe University Sensitive Information may be at risk, immediately follow the Incident Management Procedure by contacting 919-962-HELP (4357).