New Veeam Themed Phishing Attack Using Weaponized Wav File to Attack users

A sophisticated phishing campaign targeting organizations has emerged, exploiting the trusted reputation of Veeam Software through weaponized WAV audio files delivered via email.

The attack represents an evolution in social engineering tactics, combining traditional phishing techniques with audio-based deception to bypass conventional security measures and user awareness training.

The malicious campaign begins with seemingly legitimate voicemail notifications that mimic standard VoIP system alerts when calls are missed.

Attackers craft emails containing WAV file attachments that, when opened, play recordings of individuals impersonating Veeam Software representatives.

The audio message specifically references expired backup licenses, creating urgency around critical business infrastructure to prompt immediate action from recipients.

Internet Storm Center researchers identified this campaign after receiving reports from security professionals who encountered the suspicious emails.

The attack demonstrates particular sophistication in its use of audio social engineering, as voice-based deception can often bypass visual cues that typically alert users to phishing attempts.

The recorded message states: “Hi, this is xxxx from Veeam Software. I’m calling you today regarding your backup license which has expired this month. Would you please give me a call to discuss about it?”

Audio-Based Social Engineering Mechanism

The weaponized WAV files serve as the primary attack vector, leveraging psychological manipulation through auditory channels.

Unlike traditional text-based phishing, this approach exploits users’ tendency to trust voice communications, particularly when they appear to originate from legitimate software vendors.

The attackers demonstrate broad-spectrum targeting, as recipients included individuals with no connection to Veeam environments, indicating a mass distribution strategy rather than precise reconnaissance-based targeting.

Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams -> Try ANY.RUN Now