Researchers are warning of a new phishing campaign that abuses Microsoft Dynamics 365 Customer Voice to trick recipients into handing over their credentials. Dynamics 365 Customer Voice is a “feedback management” tool from Microsoft designed to make it easier for companies to collect, analyze and track customers’ perception of their products and services in real time. One feature allows customers to interact and leave feedback by phone. However, threat actors are spoofing voicemail notifications that link to credential-harvesting pages.
Paul Bischoff, privacy advocate with Comparitech, shared his insights on the threat:
“This attack demonstrates why it's important to never click on unsolicited links or attachments. Even though the original link is a legitimate Microsoft URL, it directs users to a phishing page. If you insist on clicking on a link, be sure to keep an eye on the URL in your browser, which might differ from the URL displayed by the link after a redirect. Note that even if a website has "https" in its URL, it is not necessarily safe. A majority of phishing sites now have valid SSL certificates that allow them to use https. Instead, you must check the spelling of the domain name.”
Chris Hauk, consumer privacy champion at Pixel Privacy, weighed in:
“The bad actors of the world continue to innovate when it comes to phishing links. The method used in this phishing attack is particularly dangerous, because the attack uses legitimate links from Microsoft that eventually lead to the phishing link after the user has been lulled into a false sense of security. Following this method, the bad guys make it difficult for organizations to properly educate their employees and executives.”