By: Jeremy Fuchs, Cybersecurity Researcher/Analyst at Avanan, A Check Point Software Company
Dynamics 365 Customer Voice is a Microsoft product that is used primarily to gain feedback from customers.
It can be used for customer satisfaction surveys, to track customer feedback and to aggregate data into actionable insights.
It can also be used to interact with customers via phone, with the data being collected for more customer input.
It is here where hackers have taken notice.
Instead of using this for customer feedback, hackers are trying to steal customer information.
In this attack brief, researchers at Avanan, a Check Point Software Company, will discuss how hackers are using Microsoft’s Dynamic 365 Customer Voice to send phishing links.
Attack
In this attack, hackers are using spoofed scanner notifications to send malicious files. Avanan has seen hundreds of these attacks in the last few weeks.
- Vector: Email
- Type: Credential Harvesting
- Techniques: Social Engineering, Impersonation
- Target: Any end-user
Email Example #1
This email comes from the survey feature in Dynamics 365. Interestingly, you’ll notice the sending address has “Forms Pro” in it, which is the old name of the survey feature. The email shows that a new voicemail has been received. To the end user, this looks like a voicemail from a customer, which would be important to listen to. Clicking on it is the natural step.
Email Example #2
This is a legitimate Customer Voice link from Microsoft. Because the link is legit, scanners will think that this email is legitimate. However, when clicking upon the “Play Voicemail” button, hackers have more tricks up their sleeves. The intent of the email is not in the voicemail itself; rather, it is to click on the “Play Voicemail” button, which redirects to a phishing link.
Email Example #3
Once you click on the voicemail link, you are redirected to a look-alike Microsoft login page. This is where the threat actors steal your username and password. Notice the URL is different from a typical Microsoft landing page.
Techniques
Hackers continually use what we call The Static Expressway to reach end-users. In short, it’s a technique that leverages legitimate sites to get past security scanners. The logic is this: Security services can’t outright block Microsoft–it would be impossible to get any work done. Instead, these links from trusted sources tend to be automatically trusted. That has created an avenue for hackers to insert themselves.
We’ve seen this a lot recently, whether it’s Facebook, PayPal, QuickBooks or more. It is incredibly difficult for security services to suss out what is real and what is nested behind the legitimate link. Plus, many services see a known good link and, by default, don’t scan it. Why scan something good? That’s what hackers are hoping for.
This is a particularly tricky attack because the phishing link doesn’t appear until the final step. Users are first directed to a legitimate page–so hovering over the URL in the email body won’t provide protection. In this case, it would be important to remind users to look at all URLs, even when they are not in an email body.
These attacks are incredibly difficult to stop for scanners and even harder for users to identify.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Always hover all URLs, even those not in the email body
- When receiving an email with a voicemail, ensure this is a typical type of email received before thinking of engaging
- If ever unsure about an email, ask the original sender