Leveraging Microsoft Dynamics 365 Customer Voice for credential harvesting.

Avanan released a blog today, detailing attempts by hackers to abuse Dynamics 365 Customer Voice, a Microsoft product used to gain feedback from customers.

Legitimate-appearing links go to credential-harvesting pages.

Threat actors were found to be using legitimate-looking links from Microsoft notifications in order to send credential harvesting pages. One of the malicious emails looks like it’s from the survey feature from Dynamics 365: it informs the victim that a new voicemail has been received. Another email provides a legitimate Customer Voice link from Microsoft, but when “Play Voicemail” is clicked, which redirects to a phishing link of a lookalike Microsoft login page. The malice is all in the button. As Avanan explains:

“This is a legitimate Customer Voice link from Microsoft. Because the link is legit, scanners will think that this email is legitimate. However, when clicking upon the “Play Voicemail” button, hackers have more tricks up their sleeves. The intent of the email is not in the voicemail itself; rather, it is to click on the “Play Voicemail” button, which redirects to a phishing link.”

Advice: be properly suspicious of emails.

Avanan recommends best practices when dealing with hackers. They recommend always hovering over all URLs, even not in the email body; to ensure that when receiving an email with a voicemail that it is a normal email before engaging; and asking the original sender if you’re unsure of the origins of an email.

Added, 1:00 PM, November 4th, 2022.

Paul Bischoff, privacy advocate with Comparitech, added lessons users should draw from the incident:

“This attack demonstrates why it's important to never click on unsolicited links or attachments. Even though the original link is a legitimate Microsoft URL, it directs users to a phishing page. If you insist on clicking on a link, be sure to keep an eye on the URL in your browser, which might differ from the URL displayed by the link after a redirect. Note that even if a website has "https" in its URL, it is not necessarily safe. A majority of phishing sites now have valid SSL certificates that allow them to use https. Instead, you must check the spelling of the domain name.”

Chris Hauk, consumer privacy champion at Pixel Privacy, noted the particular dangers this attack technique poses for organizations.

“The bad actors of the world continue to innovate when it comes to phishing links. The method used in this phishing attack is particularly dangerous, because the attack uses legitimate links from Microsoft that eventually lead to the phishing link after the user has been lulled into a false sense of security. Following this method, the bad guys make it difficult for organizations to properly educate their employees and executives.”