- Researchers spotted a new phishing campaign, abusing Dynamics 365 Customer Voice
- Microsoft’s tool has more than 500,000 users
- Many of the users are Fortune 500 companies
Researchers from Check Point have discovered a new phishing campaign, abusing a legitimate Microsoft product in an attempt to steal people’s login credentials.
In a new blog post, published earlier this May, the researchers said that the unnamed attackers would send phishing emails from previously compromised accounts, and would include fake Dynamics 365 Customer Voice links.
Dynamics 365 Customer Voice is a tool designed to help businesses collect, analyze, and act on customer feedback in real time. It includes things like voice recordings, customer reviews monitoring, surveys, and similar. According to Check Point, the threat landscape is vast and quite potent, since it is used by at least 500,000 Organizations, including 97% of Fortune 500 companies.
Thousands of targets
The topics of the emails are financially focused, the researchers added. Subject lines usually revolve around settlement statements, ALTA, EFT payment info, or closing disclosures. In one example, the researchers would add a link leading to the malicious landing page, right next to a legitimate link. The malicious link first takes the victims to a CAPTCHA page, after which they are redirected to a credential harvesting page.
Check Point also said that the attackers are able to capture MFA codes as well, although they didn’t explain exactly how it is being done.
So far, the attackers managed to send more than 3,000 emails, targeting at least a million different inboxes. These belong to more than 350 organizations, the researcher said, hinting that this has already turned into a large, dangerous campaign.
Victims are mostly “well-established community betterment groups, colleges and universities, news outlets, a prominent health information group, and organizations that promote arts and culture.”
Unfortunately, it is impossible to tell how many login credentials the miscreants managed to obtain so far. Apparently, Microsoft blocked some of the phishing pages already.
