Phishing on the Static Expressway.
N2K logoJan 12, 2023

Avanan researchers discuss a new variation of a phishing attack that utilizes Microsoft Customer Voice for credential harvesting.

Phishing on the Static Expressway.

Avanan, a Check Point Software Company, released a blog this morning detailing a new variation of an attack leveraging Dynamics 365 Customer Voice to bypass security scanners in a technique known as the Static Expressway.

About the attack.

This is a new variation of an attack Avanan reported in November 2022, with the same core structure. Hackers use Microsoft Customer Voice to send a notification to the end user appearing to be from the service, when in actuality a malicious phishing link is on the site. This variation does not send a notification of a voicemail like the November version did, rather, an email is sent appearing to be a fax shared on SharePoint said to contain “particularly sensitive or confidential information.” If the end user clicks on the link in the email, they’ll land on a page with a link to preview or print the document, which leads to a legitimate Customer Voice URL. Linked in the “CLICK HERE TO PRINT” button is what appears to be a OneDrive login screen, but in reality is a credential harvesting page.

Techniques used.

The reception of what is said to contain sensitive and confidential information, with a link that allegedly expires in 14 days, displays the reliance by these threat actors on a sense of urgency as a tactic. This attack also leverages the Static Expressway, using the legitimacy of Microsoft’s Customer Voice service to bypass security.