Companies often use customer satisfaction surveys to track feedback and aggregate data to devise workable solutions. In a recent campaign, researchers discovered cybercriminals abusing Microsoft Dynamics 365 Customer Voice’s survey feature to steal customer data.

How is it abused?

According to recent findings by Avanan researchers, hackers are using legit-looking links from Microsoft notifications to deliver credential-stealing pages in hundreds of attacks.
  • They are sending Dynamics 365 phishing emails using social engineering and impersonation techniques to target end users.
  • The sender’s address carries the old name of the survey feature (Forms Pro) in the emails. The email body contains a legitimate Customer Voice link from Microsoft, just to create an impression of legitimacy, while the next part hides the malicious trick.
  • The mail tricks users into clicking the Play Voicemail button, which redirects them to a lookalike Microsoft login page where the threat actors steal usernames and passwords.

Why does it work?

  • Hackers are using the Static Expressway technique to leverage legitimate sites to get past security scanners.
  • The key point is that security services can’t outright block links from trusted sources, which tend to be automatically trusted.
  • This technique tricks the users until the final step and redirects them to malicious pages.
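
Since the link itself sits on a trusted domain, a filter has to key on something other than link reputation. The following Python is an added example, not code from Avanan, Cofense or Cyware: it flags mail that pairs a survey-platform link or a Forms Pro sender with a voicemail or fax theme. The host name `customervoice.microsoft.com`, the lure keywords and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed values for illustration (not from the article); tune per environment.
SURVEY_HOSTS = ("customervoice.microsoft.com",)
LURE = re.compile(r"\b(voice\s?mail|(e-?)?fax)\b", re.I)

class BodyScan(HTMLParser):
    """Collect every link target and all visible text of an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")
    def handle_data(self, data):
        self.text.append(data)

def on_survey_host(url):
    # Exact or dot-anchored suffix match, so lookalike hosts do not qualify.
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in SURVEY_HOSTS)

def triage(raw):
    """Return reasons to quarantine; an empty list means nothing matched."""
    msg = message_from_string(raw)
    scan = BodyScan()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scan.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    lure = LURE.search(msg.get("Subject", "") + " " + " ".join(scan.text))
    reasons = []
    if lure and any(on_survey_host(u) for u in scan.hrefs):
        reasons.append("survey-platform link in a voicemail/fax themed message")
    if lure and "forms pro" in msg.get("From", "").lower():
        reasons.append("Forms Pro sender on a voicemail/fax themed message")
    return reasons

# Constructed sample messages (not real campaign emails).
PHISH = ("From: Forms Pro <surveys@notify.example>\nSubject: New voicemail\n"
         "Content-Type: text/html\n\n<p>You received a message.</p>"
         '<a href="https://customervoice.microsoft.com/constructed">Play Voicemail</a>')
SURVEY = ("From: Contoso Support <surveys@notify.example>\nSubject: How did we do?\n"
          "Content-Type: text/html\n\n"
          '<a href="https://customervoice.microsoft.com/constructed">Start survey</a>')

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("survey", SURVEY)):
        print(name, triage(raw))
```

An ordinary survey invitation from the same platform passes untouched, so the rule can run without blocking the trusted domain.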

A similar campaign

  • In August, Cofense researchers found threat actors were sending spoofed eFax notifications using a compromised Dynamics 365 Customer Voice business account.
  • While these credential phishing emails were not as convincing or credible as the recent campaign, they were difficult to block and capable of bypassing SEGs to reach users’ inboxes.

Conclusion

Attackers are leveraging the new Static Expressway phishing email technique, which abuses legitimate websites. Organizations cannot afford to block genuine websites such as Microsoft Dynamics, and therefore such attacks provide a better avenue for hackers to penetrate target networks. Users should be vigilant and suspicious of any incoming email asking the recipient to click on a link.
Cyware Publisher
