Microsoft customer feedback tool hijacked to send phishing emails

ID theft
(Image credit: Shutterstock)

Cybercriminals are trying to trick Microsoft Dynamics 365 Customer Voice users into giving away their login credentials with a devious new phishing campaign, experts have warned,

A report from Avanan has revealed threat actors would send out a notification email through Dynamics 365 Customer Voice, which states that the customer had left a voice message. With the email itself looking a lot like an important voicemail from the customer, and the link being legitimate, clicking on it is “the natural step”, the researchers said.

Dynamics 365 Customer Voice is Microsoft’s customer relationship management (CRM) tool that businesses use to survey customers, monitor and organize customer feedback, and turn feedback data into actionable insights. What’s more, businesses can use it to interact with their customers via phone. The data generated through these interactions is stored, which is what crooks are trying to leverage.

No one blocks Microsoft

But the “Play Voicemail” button actually redirects the victims to a phishing landing page that looks almost identical to a login page from Microsoft. Should users try to log in, their credentials would end up in the hands of the fraudsters. 

“Hackers continually use what we call The Static Expressway to reach end-users,” the researchers explain. “In short, it’s a technique that leverages legitimate sites to get past security scanners. The logic is this: Security services can’t outright block Microsoft–it would be impossible to get any work done. Instead, these links from trusted sources tend to be automatically trusted. That has created an avenue for hackers to insert themselves.”

The method of abusing legitimate services to distribute malicious messages is gaining a lot of traction lately, the researchers added, saying they’ve seen Facebook, PayPal, QuckBooks, and others, abused for this purpose.

“It is incredibly difficult for security services to suss out what is real and what is nested behind the legitimate link. Plus, many services see a known good link and, by default, don’t scan it. Why scan something good? That’s what hackers are hoping for,” they say. 

The attack is relatively sophisticated due to the fact that the actual phishing link doesn’t appear before the final step. “It would be important to remind users to look at all URLs, even when they are not in an email body,” they warn.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.