Phishing Links are Sent Via Microsoft Customer Voice

Dynamics 365 Customer Voice is a Microsoft product that is used primarily to gain feedback from customers and can be used for customer satisfaction surveys, to track customer feedback and to aggregate data into actionable insights. It can also be used to interact with customers via phone, with the data being collected for more customer input. As this provides insights into customer data and content, this is also where hackers have taken notice as instead of using this for customer feedback, hackers are trying to steal customer information.

In India where an organization is being attacked on average 1742 times per week in the last 6 months, compared to 1167 attacks per organization globally and where 70% of the malicious files in India were delivered via email in the last 30 days, this new means of phishing is one to take note of.

In Check Point Software’s recent Q3 Brand Phishing Report, it was revealed that Microsoft was the second top brand ranked by their overall appearance in brand phishing attempts, bringing proof to the point of phishing attempts on Microsoft software.

In this attack brief, researchers at Avanan, a Check Point Software Company discuss how hackers are using Microsoft’s Dynamic 365 Customer Voice to send phishing links.

In this attack, hackers are using spoofed scanner notifications to send malicious files. Avanan has seen hundreds of these attacks in the last few weeks. According to the study

· The Vector is Email

· Type is Credential Harvesting

· The Techniques are Social Engineering, Impersonation

· And the Target are Any end-user

Hackers continually use what we call The Static Expressway to reach end-users. In short, it’s a technique that leverages legitimate sites to get past security scanners. The logic is: Security services can’t outright block Microsoft–it would be impossible to get any work done. Instead, these links from trusted sources tend to be automatically trusted. That has created an avenue for hackers to insert themselves.

As per the researcher, they have observed this type of attacks, whether it’s Facebook, PayPal, QuickBooks or more. It is incredibly difficult for security services to suss out what is real and what is nested behind the legitimate link. Plus, many services see a known good link and, by default, don’t scan it. Why scan something good? That’s what hackers are hoping for.

This is particularly a tricky attack because the phishing link doesn’t appear until the final step. Users are first directed to a legitimate page–so hovering over the URL in the email body won’t provide protection. In this case, it would be important to remind users to look at all URLs, even when they are not in an email body. These attacks are incredibly difficult to stop for scanners and even harder for users to identify.

Dr. Deepak Kumar Sahu, President & CEO, VARINDIA