Microsoft customer feedback tool hijacked to send phishing emails
Cyber criminals are trying to trick Microsoft Dynamics 365 Customer Voice users into giving away their credentials with a devious new phishing campaign, experts warn.
A report from Avanan revealed that threat actors would send an email notification via Dynamics 365 Customer Voice, stating that the customer had left a voice message. Because the email itself looks a lot like an important customer voicemail and the link is legitimate, clicking it is “the natural step,” the researchers said.
Dynamics 365 Customer Voice is Microsoft’s customer relationship management (CRM) tool that companies use to research customers, monitor and organize customer feedback, and turn feedback data into actionable insights. In addition, businesses can use it to communicate with their customers over the phone. The data generated by these interactions is stored and that is what scammers are trying to exploit.
No one is blocking Microsoft
But the “Play Voicemail” button actually redirects victims to a phishing landing page that looks almost identical to a Microsoft login page. When users try to log in, their credentials fall into the hands of the fraudsters.
“Hackers are constantly using what we call The Static Expressway to reach end users,” the researchers explain. “Basically, it’s a technique that uses legitimate sites to get past security scanners. The logic is this: security services can’t completely block Microsoft – it would be impossible to get any work done. Instead, these links from trusted sources are usually trusted automatically. That has created an opportunity for hackers to insert themselves.”
The method of misusing legitimate services to spread malicious messages has been gaining a lot of popularity lately, the researchers added, noting that attackers have misused Facebook, PayPal, QuickBooks and others for this purpose.
“It’s incredibly difficult for security forces to figure out what’s real and what’s behind the legitimate link. In addition, many services see a known good link and do not scan it by default. Why scan something good? That’s what hackers hope for,” they say.
The attack is relatively sophisticated because the actual phishing link does not appear before the last step. “It would be important to remind users to look at all URLs, even if they are not in the body of an email,” they warn.
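The defensive lesson of the "Static Expressway" described above is that a link should be judged by where it ends up, not by the trusted domain it starts on. The following is an added illustration, not code from Avanan or Microsoft: it follows a link's redirect chain and flags any chain that starts on an allowlisted host but lands off it. The allowlist, the hop limit and the sample redirect map are constructed for the example.

```python
"""Flag links whose redirect chain leaves a trusted domain (added example)."""
from urllib.parse import urlparse

# Constructed allowlist standing in for a scanner's "known good" senders.
TRUSTED_SUFFIXES = ("microsoft.com", "trusted-saas.example")


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    # Exact match or a true subdomain; "microsoft.com.evil.example" must not pass.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def follow_chain(url, fetch, max_hops=8):
    """Return the URLs visited. fetch(url) returns the HTTP redirect target or None.
    Stops on a loop or when the hop limit is reached so a redirector cannot stall us."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        nxt = fetch(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def assess(url, fetch):
    """Verdict for one link: the trusted origin alone is never enough to pass it."""
    chain = follow_chain(url, fetch)
    start, final = host_of(chain[0]), host_of(chain[-1])
    if is_trusted(start) and not is_trusted(final):
        return "suspicious", chain  # trusted host handed the user to an untrusted one
    if is_trusted(start) and is_trusted(final):
        return "trusted", chain
    return "untrusted", chain


# Constructed sample: a notification link on a trusted host that hops to a lookalike login.
SAMPLE_START = "https://feedback.trusted-saas.example/voicemail/1"
SAMPLE_REDIRECTS = {
    SAMPLE_START: "https://r.shortlink.example/abc",
    "https://r.shortlink.example/abc": "https://login-microsoftonline.example/signin",
}


def sample_fetch(url):
    return SAMPLE_REDIRECTS.get(url)


if __name__ == "__main__":
    print(assess(SAMPLE_START, sample_fetch))
```

Only HTTP-level redirects are followed here; a landing page that forwards with a button or script, as the campaign's final step does, needs the scanner to render the page and inspect the resulting destination as well.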