A phishing campaign which impersonates WhatsApp's voice message feature has been spreading information-stealing malware.
The attack starts with an email claiming to be from WhatsApp. The email contains a creation date and clip duration for the supposed message, and a play button. The email will look something like one of the two below.
So far, over 28,000 Microsoft 365 and Google Workspace inboxes have been impacted by this campaign.
Clicking the link/play button in the email will redirect the user to a web page that attempts to install the JS/Kryptik Trojan.
Once the malware is installed, it can steal sensitive information, such as banking details or other credentials stored in the browser.
The reason this email has gotten through to so many people is that the attackers have successfully exploited a Russian domain, which enabled the email to bypass spam filters.
Keep in mind that just because an email looks like it comes from a legitimate sender, it doesn't mean that the email is safe. All email links should be treated as suspicious, especially if you are not expecting the email.
While there are a few signs that this is a scam, these attacks rely on people missing the signs. A recipient might be waiting for important news from a friend or relative on WhatsApp that could well be delivered by a voice message.
The important thing to remember is that if you have a WhatsApp voice message, it will always appear in the app. WhatsApp don't send external alerts for text or voice messages.
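For mail administrators, the two points above (a legitimate-looking sender proves nothing about the brand, and WhatsApp never emails voice-message alerts) can be turned into a header check. The following is an added example, not part of the original article: the sample messages are constructed, and the `whatsapp.com` allow-list, finding names and function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND = "whatsapp"
BRAND_DOMAINS = {"whatsapp.com"}  # assumption: the brand's own mail domains

# Constructed sample messages (illustrative, not captured from the campaign).
SAMPLE_SPOOF = """\
From: "Whatsapp Notifier" <notify@sender.example>
To: user@example.org
Subject: New Incoming Voicemessage
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=sender.example; dkim=pass header.d=sender.example

Date: 3 Apr 10:14  Duration: 00:12  [Play] https://redirect.example.net/play
"""
SAMPLE_BENIGN = """\
From: "Alice" <alice@example.org>
Subject: Lunch on Friday?

See you at noon.
"""

def in_brand_domain(domain):
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)

def auth_passed(msg):
    results = " ".join(msg.get_all("Authentication-Results", []))
    return bool(re.search(r"\b(spf|dkim)=pass\b", results, re.I))

def assess(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = f"{display} {msg.get('Subject', '')}".lower()
    findings = []
    if BRAND not in text:
        return findings
    if not in_brand_domain(domain):
        findings.append("brand-mismatch")
        if auth_passed(msg):
            # Passing SPF/DKIM only vouches for the sending domain, not the brand.
            findings.append("auth-pass-on-unrelated-domain")
    if re.search(r"voice\s*-?\s*(message|mail)", text):
        # WhatsApp does not send external alerts for voice messages.
        findings.append("voice-message-lure")
    return findings

if __name__ == "__main__":
    for name, raw in (("spoof", SAMPLE_SPOOF), ("benign", SAMPLE_BENIGN)):
        print(name, assess(raw))
```

The `auth-pass-on-unrelated-domain` finding is the case described above: the message authenticates cleanly for the domain that sent it, so a filter that trusts authentication results alone lets it through.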
If you are the victim of this scam, or indeed any other type of online crime, ensure you report this to Action Fraud immediately - you can report online at www.actionfraud.police.uk or by calling 0300 123 2040.