Hackers exploiting Microsoft’s customer feedback tool by sending phishing links: Report

Researchers at Avanan, a Check Point Software company, report that hackers are using Microsoft's Dynamics 365 Customer Voice to deliver phishing links.
Dynamics 365 Customer Voice is a Microsoft product used primarily to collect customer feedback: it runs customer satisfaction surveys, tracks feedback over time and aggregates the data into actionable insights. It can also be used to interact with customers by phone, with the responses collected for further customer input.
Because the service carries customer data and content, it has also caught the attention of attackers, who use it not to gather feedback but to steal user credentials.
Check Point Software's recent Q3 Brand Phishing Report ranked Microsoft as the second most imitated brand in brand phishing attempts.
Phishing attack via Microsoft’s Dynamics 365 Customer Voice
In this attack, hackers send spoofed voicemail notifications through Customer Voice that lead to a credential-harvesting page. Avanan says it has seen hundreds of these attacks in the last few weeks.
· Vector: Email
· Type: Credential Harvesting
· Techniques: Social Engineering, Impersonation
· Target: Any end-user
Email example #1
[Screenshot of email example #1 (image not reproduced)]
This email comes from the survey feature in Dynamics 365. Interestingly, the sending address contains "Forms Pro", the old name of the survey feature. The email claims that a new voicemail has been received. To the end user this looks like a voicemail from a customer, which would be important to listen to, so clicking on it feels natural; that is exactly the step the user must avoid.
Email example #2
[Screenshot of email example #2 (image not reproduced)]
The link in this email is a legitimate Customer Voice link on Microsoft's domain. Because the link is legitimate, scanners treat the email as legitimate. But the hackers have more tricks up their sleeves: the intent of the email is not the voicemail itself, it is to get the user to click the "Play Voicemail" button, which redirects to the phishing page.
Email example #3
[Screenshot of email example #3 (image not reproduced)]
Clicking the voicemail link redirects to a look-alike Microsoft login page, where the threat actors harvest the username and password. Note that the URL differs from a genuine Microsoft sign-in page.
The phishing attack techniques
Hackers continually use what the researchers call the Static Expressway to reach end users: a technique that leverages legitimate sites to get past security scanners. The logic is simple. Security services cannot outright block Microsoft, since no work would get done; instead, links from such trusted sources tend to be trusted automatically. That creates an avenue for hackers to insert themselves.
The researchers say they have seen this a lot recently, whether on Facebook, PayPal, QuickBooks or other services. It is very difficult for security services to tell what is real from what is nested behind a legitimate link, and many services see a known-good link and, by default, do not scan it at all. Why scan something good? That is exactly what hackers are counting on.
This attack is particularly tricky because the phishing link does not appear until the final step. Users are first sent to a legitimate page, so hovering over the URL in the email body provides no protection. It is therefore important to remind users to check every URL they land on, not only those in the email body.
These attacks are very difficult for scanners to stop and even harder for users to identify, the researchers say.
How to guard against these attacks
To guard against these attacks, security professionals can do the following:

  • Hover over and check every URL, including those on pages reached from the email, not only the links in the email body

  • When an email announces a voicemail, confirm that this is a type of email you normally receive before engaging with it

  • If unsure about an email, check with the sender directly rather than replying to the message
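
As an added example (not code from the article or from Avanan), the following Python script shows why a scanner that stops at the first hop misses this attack, and what the URL check in the guidance above amounts to in practice: follow the redirect chain to its final page and judge that URL, not the one visible in the email. The redirect map, the login-host allowlist and all hostnames are constructed assumptions for illustration; the `.example` domains are reserved placeholders, and the allowlist is not exhaustive.

```python
# Added example (not code from the article or Avanan): follow a link's
# redirect chain offline and flag a look-alike login page nested behind a
# legitimate first hop.  Hostnames and URLs below are constructed for
# illustration; the *.example hosts are reserved placeholder domains.
from urllib.parse import urlparse

# Hosts on which a genuine Microsoft sign-in page may be served.
# Assumption: illustrative allowlist, not an exhaustive one.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
}

# Hosts a naive scanner treats as "known good" without following the link.
# Assumption: Customer Voice survey links are served from this host.
TRUSTED_HOSTS = {"customervoice.microsoft.com"}

# Constructed redirect map: each URL maps to the Location it would return,
# or None when it is the final page.  This stands in for live HTTP requests.
CONSTRUCTED_WEB = {
    "https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=abc123":
        "https://redirect.example/go?u=https://login-microsoft.example/auth",
    "https://redirect.example/go?u=https://login-microsoft.example/auth":
        "https://login-microsoft.example/auth",
    "https://login-microsoft.example/auth": None,
    # A genuine survey link: no redirect, the page itself is the final hop.
    "https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=real": None,
}


def naive_verdict(url):
    """What a scanner that trusts the first hop concludes: 'clean' if the
    visible link is on a trusted host, otherwise 'unknown'."""
    host = urlparse(url).hostname
    return "clean" if host in TRUSTED_HOSTS else "unknown"


def follow_chain(url, web, max_hops=10):
    """Return every URL visited from `url` to the final page, stopping at
    max_hops so a redirect loop cannot run forever."""
    chain = [url]
    for _ in range(max_hops):
        nxt = web.get(url)
        if nxt is None:          # final page (or a URL outside our map)
            break
        url = nxt
        chain.append(url)
    return chain


def looks_like_login(url):
    """Heuristic for a page a user would read as a Microsoft sign-in page:
    the host or path mentions logging in or the brand."""
    p = urlparse(url)
    text = (p.hostname or "").lower() + p.path.lower()
    return any(k in text for k in ("login", "signin", "auth", "microsoft"))


def chain_verdict(url, web):
    """Classify a link by where its redirect chain actually ends.

    Returns (verdict, chain): 'clean' if the final hop is on a trusted or
    genuine login host, 'phishing' if it imitates a login page on any
    other host, else 'suspicious' for an unexplained off-domain landing."""
    chain = follow_chain(url, web)
    final_host = urlparse(chain[-1]).hostname
    if final_host in MICROSOFT_LOGIN_HOSTS or final_host in TRUSTED_HOSTS:
        return "clean", chain
    if looks_like_login(chain[-1]):
        return "phishing", chain
    return "suspicious", chain


if __name__ == "__main__":
    lure = "https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=abc123"
    print("naive scanner:", naive_verdict(lure))
    verdict, hops = chain_verdict(lure, CONSTRUCTED_WEB)
    print("chain-following scanner:", verdict)
    for i, hop in enumerate(hops):
        print(f"  hop {i}: {hop}")
```

The naive verdict is "clean" because the only URL it looks at is the Customer Voice link, while following the chain ends on a host that is neither a Microsoft login host nor the trusted sender and that presents itself as a sign-in page. Against a live target the constructed map would be replaced by real requests with redirects disabled, reading each `Location` header one hop at a time; the final-hop comparison against a login-host allowlist is the same check a user performs by reading the address bar before typing a password.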
