SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Avanan finds hackers exploiting Microsoft Dynamics 365 Customer Voice
Fri, 11th Nov 2022
FYI, this story is more than a year old

Researchers at Avanan, a Check Point Software Company, have shared some of the latest tactics hackers are deploying to take advantage of vulnerable consumers. 

The research found that Dynamics 365 Customer Voice, a Microsoft product primarily used to gain feedback from customers via satisfaction surveys, is being exploited by hackers as they use the program to send phishing links in an attempt to steal customer information.

Avanan says it has seen a dramatic increase in Dynamics 365 attacks in recent weeks, with hackers using spoofed scanner notifications to send malicious files. 

They are continually using what Avanan calls 'The Static Expressway' to reach end-users, which is a technique that leverages legitimate sites to get past security scanners. 

This opportunity has been created for hackers due to a lack of items being blocked from what are perceived as trusted Microsoft sources. 

Microsoft is not the only platform that Avanan has seen an increase in attacks. Other platforms, including Facebook, PayPal, and QuickBooks have all been subject to malicious work by threat actors.

Avanan says this attack is a particularly difficult one for consumers to detect, with the phishing link being used to exploit customers not appearing until the final step. 

Users are first directed to a legitimate page, meaning hovering over the URL in the email body won't trigger a protection response. The company says these attacks are very difficult to stop for scanners and even harder for users to identify.

Email examples come in three noticeable forms. The first comes from a survey feature and contains the old Forms Pro in it. It contains a voicemail from a customer that could be considered important, so clicking on it may be considered natural.

The second is a legitimate Customer Voice link from Microsoft. Because the link is actually legit, scanners will think that the email is also genuinely legitimate. However, when clicking upon the Play Voicemail button, hackers have more tricks up their sleeves. The intent of the email is not in the voicemail itself; rather, it is to click on the Play Voicemail button, which redirects to a phishing link.

The third example finds that once you click on the voicemail link, you are redirected to a look-alike Microsoft login page. This is where the threat actors steal your username and password. The URL is different from a typical Microsoft landing page. 

To help consumers best protect themselves from potential hacks, Avanan suggests that users always hover over all URLs, even those not featured in the body of the email. They also suggest that when receiving an email with a voicemail, users should determine if this is a typical email that would usually be received before engaging with its contents, and if there is any uncertainty, they should enquire with the original sender.