Hackers use Microsoft Dynamics 365 to steal customer data

November 24, 2022

In a recent campaign, researchers discovered a group of threat actors that exploited the Microsoft Dynamics 365 Customer Voice’s survey feature to steal customer information. Companies that commonly use customer satisfaction surveys to review their feedback and collect data to develop work-related solutions are the most affected by this campaign.

Based on reports, the threat actors use authentic-looking links from Microsoft notifications to distribute their credential-stealing pages in numerous cybercriminal activities. The notifications are Dynamics 365 phishing emails that target recipients using social engineering tactics and impersonation strategies.

The actors could obfuscate their identity by displaying a sender address that contains “Forms Pro”, the old name of the survey feature. The body of the email includes an authentic Customer Voice link from Microsoft, making the recipients think it is a legitimate file. However, the email also contains a hidden malicious trick.

The email deceives users into clicking the Play Voicemail button, which redirects them to a similar-looking Microsoft login page. If the recipient is deceived by the phishing email, the threat actors could then steal user credentials, such as usernames and passwords.

Furthermore, the hackers use the Static Expressway method, exploiting legitimate sites to bypass security scanners and other cybersecurity solutions. The primary purpose of the process is to obfuscate the links so that security services cannot quickly block them, as they come from trustworthy sources.

This phishing strategy deceives users until the final step, which redirects them to malicious pages that could exfiltrate their data.

Microsoft Dynamics 365 was also used for attacks last August.

A similar attack was also spotted by researchers last August, where the threat actors sent spoofed eFax notifications through an infected Microsoft Dynamics 365 Customer Voice account. Despite the credential phishing emails’ lack of sophistication, security defenders still found it challenging to block the attempts.

The new Static Expressway phishing email tactic has enabled actors to abuse legitimate websites. Currently, organisations cannot afford to block genuine websites such as Microsoft Dynamics; hence, such a campaign gives threat actors a better avenue to access a targeted network.

Experts noted that entities utilising Microsoft Dynamics should be wary of incoming emails asking recipients to click a link, which could lead them to phishing websites.
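A triage heuristic for the lure described above, as an added example that is not taken from the researchers' report: it flags mail whose sender identifies as the survey service ("Forms Pro" or "Customer Voice") while the subject or a link's visible text uses a voicemail or eFax theme, a mismatch a genuine survey would not show. The keyword lists, addresses and sample message are constructed assumptions.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Assumed marker lists built from the names in the article; tune for your own mail flow.
SURVEY_SENDER = re.compile(r"forms\s*pro|customer\s*voice", re.I)
LURE = re.compile(r"voice\s*mail|e-?fax", re.I)

class AnchorText(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def triage(raw):
    """Return the reasons a message shows the survey-sender / voicemail-lure mismatch."""
    msg = message_from_string(raw, policy=policy.default)
    if not SURVEY_SENDER.search(msg.get("From", "")):
        return []  # not claiming to be the survey service: out of scope here
    reasons = []
    if LURE.search(msg.get("Subject", "")):
        reasons.append("subject uses voicemail/fax theme")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = AnchorText()
        parser.feed(body.get_content())
        for href, text in parser.links:
            if LURE.search(text):
                reasons.append(f"link text {text!r} -> {href}")
    return reasons

# Constructed sample message (placeholder addresses and URL, not real indicators).
LURE_MAIL = """\
From: "Forms Pro" <surveys@formspro.example>
Subject: New voicemail received
Content-Type: text/html

<a href="https://customervoice.example/s/abc">Play Voicemail</a>
"""
```

A non-empty result is a reason to quarantine or review the message; it does not replace checking where the link finally lands.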
