In a widespread campaign, threat actors use a compromised Dynamics 365 Customer Voice business account and a link posing as a survey to steal Microsoft 365 credentials.
An elaborate and rather unusual phishing campaign is spoofing eFax notifications and using a compromised Dynamics 365 Customer Voice business account to lure victims into giving up their credentials via microsoft.com pages.
Threat actors have hit dozens of companies through the broadly disseminated campaign, which is targeting Microsoft 365 users from a diverse range of sectors — including energy, financial services, commercial real estate, food, manufacturing, and even furniture-making, researchers from the Cofense Phishing Defense Center (PDC) revealed in a blog post published Wednesday.
The campaign uses a combination of common and unusual tactics to lure users into clicking on a page that appears to lead them to a customer feedback survey for an eFax service, but instead steals their credentials.
Attackers impersonate not only eFax but also Microsoft by using content hosted on multiple microsoft.com pages in several stages of the multistage effort. The scam is one of a number of phishing campaigns that Cofense has observed since spring that use a similar tactic, says Joseph Gallop, intelligence analysis manager at Cofense.
“In April of this year, we began to see a significant volume of phishing emails using embedded ncv.microsoft.com survey links of the sort used in this campaign,” he tells Dark Reading.
Combination of Tactics
The phishing emails use a conventional lure, claiming the recipient has received a 10-page corporate eFax that demands his or her attention. But things diverge from the beaten path after that, Cofense PDC’s Nathaniel Sagibanda explained in the Wednesday post.
The recipient most likely will open the message expecting it’s related to a document that needs a signature. “However, that isn’t what we see as you read the message body,” he wrote.
Instead, the email includes what seems like an attached, unnamed PDF file that’s been delivered from a fax that does include an actual file — an unusual feature of a phishing email, according to Gallop.
“While a lot of credential phishing campaigns use links to hosted files, and some use attachments, it’s less common to see an embedded link posing as an attachment,” he wrote.
The plot thickens even further down in the message, which contains a footer indicating that it was a survey site — such as those used to provide customer feedback — that generated the message, according to the post.
Mimicking a Customer Survey
When users click the link, they are directed to a convincing imitation of an eFax solution page rendered by a Microsoft Dynamics 365 page that’s been compromised by attackers, researchers said.
This page includes a link to another page, which appears to lead to a Microsoft Customer Voice survey to provide feedback on the eFax service, but instead takes victims to a Microsoft login page that exfiltrates their credentials.
To further enhance legitimacy on this page, the threat actor went so far as to embed a video of eFax solutions for spoofed service details, instructing the user to contact “@eFaxdynamic365” with any inquiries, researchers said.
The “Submit” button at the bottom of the page also serves as additional confirmation that the threat actor used a real Microsoft Customer Voice feedback form template in the scam, they added.
The attackers then modified the template with “spurious eFax information to entice the recipient into clicking the link,” which leads to a faux Microsoft login page that sends their credentials to an external URL hosted by attackers, Sagibanda wrote.
Fooling a Trained Eye
While the original campaigns were much simpler — including only minimal information hosted on the Microsoft survey — the eFax spoofing campaign goes further to bolster the campaign’s legitimacy, Gallop says.
Its combination of multistage tactics and dual impersonation may allow messages to slip through secure email gateways as well as fool even the savviest of corporate users who’ve been trained to spot phishing scams, he notes.
“Only the users that continue to check the URL bar at each stage throughout the entire process would be certain to identify this as a phishing attempt,” Gallop says.
Indeed, a survey by cybersecurity firm Vade also released Wednesday found that brand impersonation continues to be the top tool that phishers use to dupe victims into clicking on malicious emails.
In fact, attackers took on the persona of Microsoft most often in campaigns observed in the first half of 2022, researchers found, though Facebook remains the most impersonated brand in phishing campaigns observed so far this year.
Phishing Game Remains Strong
