A few months ago, we wrote about how hackers are utilizing Microsoft’s Dynamics 365 Customer Voice platform to send phishing links. In general, the attack works by sending a notification of a customer voicemail sent from the service; instead, a phishing link is hosted on the site and the user gets redirected to a malicious page.
This attack is a great example of The Static Expressway, a technique that leverages legitimate sites to get past security scanners.
Since we published that Attack Brief, we’ve seen a new variation of this attack that continues to leverage Microsoft Voice but has a different starting and ending point.
In this attack brief, researchers at Avanan, a Check Point Software Company, will discuss how hackers are changing up their tactics to send Microsoft Voice notifications to the end-user.
In this attack, hackers are sending notifications from Microsoft Customer Voice, with credential harvesting links embedded within the legitimate page.
- Vector: Email
- Type: Credential Harvesting
- Techniques: Social Engineering, Impersonation, Static Expressway
- Target: Any end-user
Email Example #1
This email campaign starts with what appears to be a new document sent from SharePoint. The document appears to be a fax notification. Interestingly, the message notes that the document contains “particularly sensitive or confidential information.” That increases the end-user sense of urgency in opening the document and, critically, their willingness to go through a bunch of clicks to get to the final step, which is what the hackers want them to do. Further, another sense of urgency is added by saying the link will expire in 14 days.
Email Example 2
When the user clicks on “Click Here to Print”, they are redirected to a legitimate Customer Voice page. Because the URL is legitimate, scanning the URL would reveal a safe page. However, what’s malicious is linked in “CLICK HERE TO PRINT”
Email Example 3
End-users are finally redirected to this OneDrive look-alike page. Users are encouraged to enter their email address, followed by their password. And credentials are stolen. Notice that this site is hosted in the same place as the previous attack we saw.
Hackers love to continue with successful attacks. Recently, we saw a similar attack using the Customer Voice platform from Microsoft. They’ve since, in this attack, gone on with this variation.
The attack is similar to the original one we wrote about; the only difference is the email body and the final destination.
In both cases, the attack leverages Customer Voice, using the legitimate link that it provides to fool security scanners. Security scanners see a legitimate link from a reputable source, in this case Microsoft. Because Microsoft tends to be a trusted source, it goes through to the inbox. Additionally, end-users see a Microsoft link and are more likely to trust it and click it.
Leveraging these attacks, by using The Static Expressway, is an effective way for hackers to fool security services and end-users. It’s why they continue to use these sorts of attacks on a regular basis, and it’s why they will continue to do so.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Always hover all URLs before clicking
- Always double-check sender addresses
- Look at the logic of the full attack and notice if there are multiple websites used (the hackers use both SharePoint and OneDrive).