Heimdal

First off, what are consumer satisfaction surveys?

Consumer satisfaction surveys, also known as CSAT surveys, are questionnaires that businesses use to learn how satisfied their clients are with their branding, goods, services, or customer support. They are frequently used by businesses to track customer feedback and compile data to develop practical solutions. Unfortunately, researchers have uncovered hackers exploiting the survey feature of Microsoft Dynamics 365 Customer Voice to steal customer data.

The Attack

Microsoft Dynamics 365 is an enterprise resource planning (ERP) and customer relationship management (CRM) application suite from Microsoft. Customer Voice is one of these applications, and it collects customer data and feedback through surveys, phone calls, and other means.

The attackers set up Microsoft Dynamics 365 Customer Voice accounts and used them to send phishing emails claiming that recipients had received a voicemail. 

More exactly: 

  • They targeted end users with Dynamics 365 phishing emails that used social engineering and impersonation techniques.
  • In the emails, the sender’s address included the old name of the survey feature (Forms Pro).
  • The email body contained a legitimate Microsoft Customer Voice link to give the impression of legitimacy, while the next part of the message concealed the trap.
  • The email tricked users into clicking the Play Voicemail button and redirected them to a spoof Microsoft login page, where the threat actors stole their usernames and passwords.

“To the end user, this appears to be a voicemail from a customer that should be listened to. Clicking on it is the natural step,” Jeremy Fuchs, an Avanan cybersecurity researcher, explains.

Unfortunately, clicking on the “Play Voicemail” button on this page leads to a spoofed Microsoft login page. However, in this case, users noticed that the URL of the phishing page has nothing to do with Microsoft.

How Did It Work?

Three reasons: 

  1. Hackers frequently use what we refer to as The Static Expressway to reach end users. In a nutshell, it’s a technique that uses legitimate websites to avoid detection by security scanners.
  2. The critical point is that security services cannot block links from trusted sources outright.
  3. Finally, this technique deceives users until the final step, redirecting them to malicious pages.

Paul Bischoff, a Comparitech privacy advocate, also shared his thoughts on the threat:

He indicated that this attack exemplifies the importance of never clicking on unsolicited links or attachments. Even though the original link is a genuine Microsoft URL, it directs users to a phishing page. If you must click on a link, keep an eye on the URL in your browser, which may differ from the URL displayed by the link following a redirect. 

It is important to note that even if a website has “HTTPS” in its URL, it is not necessarily secure. The vast majority of phishing sites now have valid SSL certificates, allowing them to use HTTPS. Instead, double-check the domain name’s spelling.
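The check described above, judging the host you land on rather than the link you clicked, can be automated over a recorded redirect chain. This is an added example, not code from the article or from Microsoft; the host lists, the function names, and the sample chains are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts accepted as genuine Microsoft sign-in endpoints (extend per tenant).
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Assumption: parent domains a mail filter would treat as trusted Microsoft senders.
TRUSTED_PARENTS = ("microsoft.com", "microsoftonline.com", "live.com")


def host_of(url):
    """Hostname only: lower-cased, no port, no userinfo, no trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".")


def under(host, parent):
    """True only for the parent itself or a real subdomain of it."""
    return host == parent or host.endswith("." + parent)


def assess_chain(chain, shows_ms_login):
    """chain: URLs in visit order, starting with the link in the email.
    shows_ms_login: whether the final page presents a Microsoft sign-in form.
    Returns a list of finding codes; an empty list means nothing was flagged."""
    first, last = host_of(chain[0]), host_of(chain[-1])
    findings = []
    if shows_ms_login and last not in MS_LOGIN_HOSTS:
        findings.append("login-form-off-microsoft")
        if any(under(first, p) for p in TRUSTED_PARENTS):
            findings.append("trusted-first-hop-redirects-away")
        if "microsoft" in last and not any(under(last, p) for p in TRUSTED_PARENTS):
            findings.append("brand-in-lookalike-host")
        if urlsplit(chain[-1]).scheme == "https":
            findings.append("https-is-not-proof")
    return findings


# Constructed redirect chains (not taken from the campaign described above).
PHISH = ["https://customervoice.microsoft.com/constructed-survey",
         "https://login.microsoftonline.com.voicemail-portal.example/signin"]
USERINFO = ["https://customervoice.microsoft.com/constructed-survey",
            "https://login.microsoftonline.com@portal.example/signin"]
GENUINE = ["https://customervoice.microsoft.com/constructed-survey",
           "https://login.microsoftonline.com/common/oauth2/authorize"]

if __name__ == "__main__":
    for name, chain in (("phish", PHISH), ("userinfo", USERINFO), ("genuine", GENUINE)):
        print(name, assess_chain(chain, shows_ms_login=True))
```

The second constructed chain shows why the comparison is made on the parsed hostname: text before an `@` in a URL is userinfo, not the host the browser connects to.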

A Comparable Story

Cofense researchers discovered threat actors sending spoofed eFax notifications using a compromised Dynamics 365 Customer Voice business account in August.

While not as convincing or credible as the recent campaign, these credential phishing emails were difficult to detect and could bypass secure email gateways (SEGs) to reach users’ inboxes.

Conclusion

When it comes to phishing links, the world’s bad actors never stop innovating. This phishing attack is scary because it uses legitimate Microsoft links that eventually lead to the phishing link after the user has been lulled into a false sense of security.

Organizations cannot afford to block legitimate websites like Microsoft Dynamics, so such an attack provides a better avenue for hackers to penetrate target networks. Users should be wary of any incoming email that asks the recipient to click on a link.

Author Profile

Gabriella Antal

SMM & Corporate Communications Officer

Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company's social media channels. Her contributions amplify the brand's voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.
