Compromised Microsoft Dynamics 365 Customer Voice account used for phishing attack
By Nathaniel Sagibanda, Cofense Phishing Defense Center
Customer feedback is important for organizations of all sizes, and several well-known companies offer different kinds of feedback tools. But what if those customer feedback systems were used to launch phishing attacks? The Phishing Defense Center (PDC) has observed an interesting technique in which a threat actor sends a spoofed eFax notification from a compromised Dynamics 365 Customer Voice business account to lure the recipient into credential phishing.
These credential phishing emails have been broadly disseminated, with no specific industry targeted. The campaign has hit dozens of companies in multiple sectors, including energy, financial services, commercial real estate, food manufacturing, furniture, data analytics, and professional services.
The phishing email, as seen in figure 1, claims the recipient has received a “10-page corporate eFax”, a familiar tactic to lure interaction with the email. Several clues in this email would most likely prompt the recipient to report it quickly. Start at the top with the subject, which doesn’t align with the rest of the email: the recipient most likely opened the message expecting something about a document that needs a signature. That isn’t what the message body shows, however. It leads the recipient to believe they received an attached file from the fax via the line ‘Attachment File Type: pdf’, without an actual file name 🤷🏻♀️. Further down the email, a footer indicates that it was generated from a survey site.
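The three clues described above can be checked mechanically when triaging a reported message. The following is an added example, not Cofense's tooling: the sample message is constructed, and the regular expressions and the `triage` helper are assumptions to be tuned against real mail.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample modelled on the clues in the write-up (not the real lure).
SAMPLE = """\
From: "eFax" <surveys@survey-platform.example>
Subject: Document awaiting your signature
Content-Type: text/plain; charset="utf-8"

You have received a 10-page corporate eFax.
Attachment File Type: pdf

This email was generated by a survey tool on behalf of the sender.
"""

# Assumed wording; adjust these patterns to the messages you actually see.
CLAIMS_FILE = re.compile(r"attachment file type\s*:\s*\w+", re.I)
SURVEY_FOOTER = re.compile(r"\bsurvey\b", re.I)
SIGN_SUBJECT = re.compile(r"\bsign(ature|ed|ing)?\b", re.I)
FAX_WORD = re.compile(r"\be?fax\b", re.I)

def body_text(msg: Message) -> str:
    """Concatenate the decoded text/* parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)

def triage(raw: str) -> list:
    """Return the names of the clues from the write-up that this message shows."""
    msg = message_from_string(raw)
    subject, body = msg.get("Subject", ""), body_text(msg)
    has_file = any(part.get_filename() for part in msg.walk())
    hits = []
    # Body names an attachment type, but no MIME part carries a file.
    if CLAIMS_FILE.search(body) and not has_file:
        hits.append("claims-file-but-no-attachment")
    # Subject is about a signature while only the body talks about a fax.
    if SIGN_SUBJECT.search(subject) and FAX_WORD.search(body) and not FAX_WORD.search(subject):
        hits.append("subject-body-mismatch")
    # Footer reveals the message came out of a survey platform.
    if SURVEY_FOOTER.search(body):
        hits.append("survey-platform-footer")
    return hits
```

No single clue is conclusive, since legitimate surveys carry the same footer; the combination of all three is what makes a message worth escalating.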
|Indicators of Compromise||IP|