Avanan researchers discuss a new variation of a phishing attack that utilizes Microsoft Customer Voice for credential harvesting.
Phishing on the Static Expressway.
Avanan, a Check Point Software Company, released a blog this morning detailing a new variation of an attack leveraging Dynamics 365 Customer Voice to bypass security scanners in a technique known as the Static Expressway.
About the attack.
This is a new variation of an attack Avanan reported in November 2022, with the same core structure. Hackers use Microsoft Customer Voice to send a notification to the end user appearing to be from the service, when in actuality a malicious phishing link is on the site. This variation does not send a notification of a voicemail like the November version did. Instead, an email is sent that appears to be a fax shared on SharePoint, said to contain “particularly sensitive or confidential information.” If the end user clicks on the link in the email, they’ll land on a page with a link to preview or print the document, which leads to a legitimate Customer Voice URL. Linked in the “CLICK HERE TO PRINT” button is what appears to be a OneDrive login screen, but in reality is a credential harvesting page.
Techniques used.
The email presents itself as containing sensitive and confidential information, with a link that allegedly expires in 14 days, which shows these threat actors' reliance on a sense of urgency as a tactic. This attack also leverages the Static Expressway, using the legitimacy of Microsoft’s Customer Voice service to bypass security.