Hackers Abusing MS Dynamics 365 Customer Voice to Steal Credentials

Check Point Software company Avanan has shared details of how hackers are trying to abuse Dynamics 365 Customer Voice in their recent findings.

According to Avanan’s research, threat actors abuse authentic-looking links from Microsoft notifications to deliver credential-stealing pages. The attackers send malicious emails disguised as survey feature from Dynamic 365, notifying the victim about a new voicemail message. There’s another email that contains a legit customer voice link from Microsoft. 

However, when an unsuspected victim clicks on Play Voicemail, they are redirected to a phishing link of a page that looks exactly like a Microsoft login page. Since the Customer Voice Link is legit, scanners pass the email as legit. It all begins with the Play Voicemail button, as this button redirects to a phishing link.

What is Dynamics 365 Customer Voice, and how is it Abused?

For your information, Dynamics 365 Customer Voice is a product of Microsoft designed to get customers’ feedback. It is used for customer satisfaction surveys, tracking their feedback, and aggregating data to devise workable solutions. Furthermore, it is used to interact with customers by phone, and the data is mainly collected to get customer input.

In this attack, threat actors try to steal customer data instead of using this feature for customer feedback. Avanan researchers revealed that hackers use the Static Expressway to reach end-users. This technique leverages legitimate sites to bypass security scanners because the links are from trusted sources, so scanners cannot detect their maliciousness.

In their blog post, Avanan researchers suggest employing necessary best practices when clicking on any link. Be very suspicious of any incoming email asking you to click on a link to check voicemails.

This is a particularly tricky attack because the phishing link doesn’t appear until the final step. Users are first directed to a legitimate page–so hovering over the URL in the email body won’t provide protection. In this case, it would be important to remind users to look at all URLs, even when they are not in an email body.

Jeremy Fuchs – Avanan

Related News

1. Zoom Phishing Scam Steals Microsoft Exchange Credentials
2. Microsoft warns of phishing attack abusing open redirect links
3. Scammers Leveraging Microsoft Team GIFs in Phishing Attacks
4. Microsoft MSHTML flaw used in Gmail and Instagram phishing scam
5. Microsoft, PayPal & Facebook most targeted brands in phishing scams