Security researchers are warning of a new phishing campaign that abuses Microsoft Dynamics 365 Customer Voice to trick recipients into handing over their credentials.
Dynamics 365 Customer Voice is a “feedback management” tool from Microsoft designed to make it easier for companies to collect, analyze and track in real time customers’ perception of their products and services.
One feature allows customers to interact and leave feedback via the phone. However, threat actors are spoofing voicemail notifications to link to credential harvesting pages, according to Avanan.
Emails arrive in the victim’s inbox sent from the survey feature in Dynamics 365, claiming the user has received a voicemail.
“This is a legitimate Customer Voice link from Microsoft. Because the link is legit, scanners will think that this email is legitimate. However, when clicking upon the ‘Play Voicemail’ button, hackers have more tricks up their sleeves,” the security vendor explained.
“Once you click on the voicemail link, you are redirected to a look-alike Microsoft login page. This is where the threat actors steal your username and password. The URL is different from a typical Microsoft landing page.”
This campaign is the latest in a long line leveraging what Avanan describes as the “static expressway” – the practice of hackers abusing legitimate sites that are on the static allow-lists used by security tools – in order to direct malicious content towards users.
“It is incredibly difficult for security services to suss out what is real and what is nested behind the legitimate link. Plus, many services see a known good link and, by default, don’t scan it. Why scan something good? That’s what hackers are hoping for,” Avanan concluded.
“This is a particularly tricky attack because the phishing link doesn’t appear until the final step. Users are first directed to a legitimate page – so hovering over the URL in the email body won’t provide protection. In this case, it would be important to remind users to look at all URLs, even when they are not in an email body.”
Previous scams using a similar “static expressway” technique include those abusing Google Docs and Drive, as well as Facebook, QuickBooks and PayPal.