Phishing campaigns keep evolving, and one recurring tactic is to host lures on genuine platforms and services so that unwary targets trust them. A technique highlighted in recent ANY.RUN research abuses Microsoft Dynamics 365.
Let's look at how attackers abuse this trusted service, the tactics they use, and how tools such as ANY.RUN help detect and mitigate the risk.
The Exploitation of Microsoft Dynamics 365
Microsoft Dynamics 365 includes a feature that lets users build forms containing embedded links. Enterprises use these forms widely for surveys, feedback collection and customer engagement, so most users regard them as trustworthy.
Attackers exploit that trust to create phishing links that look legitimate but lead victims into credential-harvesting traps.
Because these phishing URLs are hosted on a reputable domain (e.g., customervoice.microsoft.com), users often open them without suspicion. As a result, sensitive information such as login credentials, financial details or personal data is stolen without alerting the victim.
A Real Phishing Attack in Action
The ANY.RUN research team recently examined a phishing campaign that abused Microsoft services to deceive users. The phishing link, disguised as a legitimate Microsoft URL, lured victims into opening a non-existent PDF file supposedly hosted on a trusted domain.
To see how the link works safely, let's use ANY.RUN's interactive sandbox. This isolated environment reveals the true nature of the malicious link and the risks it poses: View the analysis session.
As soon as the link is opened in the sandbox, a red flag appears: the sandbox reports the start of the phishing attack during the analysis session.
Without this kind of interactive analysis, uncovering the malicious intent behind such a convincing link would be difficult. The URL itself, on the reputable customervoice.microsoft.com domain, looks legitimate enough to avoid suspicion.
During the session, the link displays a notification claiming that a PDF file has been received and urges the user to click a button labelled "Access Document Here" to view it.
Clicking the button sends the user to a fraudulent site posing as a Microsoft login page. This fake page asks for Microsoft account credentials in order to harvest them.
The ANY.RUN sandbox also flagged the phishing attempt with Suricata rules, providing further confirmation that the link is malicious.
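The two-stage lure described above (a link on the legitimate customervoice.microsoft.com form host, then a redirect to a fake Microsoft login page) can be triaged automatically before a sample goes to the sandbox. The following is an added example, not ANY.RUN's code; the email body, the form URL path and the redirect chain are constructed samples, and the lure-word list and Microsoft login domain suffixes are assumptions a defender would tune.

```python
# Added example, not ANY.RUN's code: triage helpers for the lure described above,
# a Dynamics 365 Customer Voice form link that leads on to a fake Microsoft login.
# The email body, form URL path and redirect chain below are constructed samples.
from html.parser import HTMLParser
from urllib.parse import urlparse

FORM_HOSTS = {"customervoice.microsoft.com"}   # legitimate form service named in the article
LURE_WORDS = ("pdf", "document", "invoice", "access", "view")   # assumed bait vocabulary
MS_LOGIN_SUFFIXES = (".microsoft.com", ".microsoftonline.com", ".live.com")  # assumption

class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def flag_form_lures(html):
    """Links that sit on a trusted form host but carry document-style bait text."""
    p = LinkCollector()
    p.feed(html)
    return [(href, text) for href, text in p.links
            if (urlparse(href).hostname or "") in FORM_HOSTS
            and any(w in text.lower() for w in LURE_WORDS)]

def suspicious_landing(chain, page_title):
    """True when a chain starting on microsoft.com ends on a non-Microsoft host
    whose page still claims to be a Microsoft sign-in (the second stage above)."""
    first = urlparse(chain[0]).hostname or ""
    last = urlparse(chain[-1]).hostname or ""
    return (first.endswith(".microsoft.com")
            and not last.endswith(MS_LOGIN_SUFFIXES)
            and "microsoft" in page_title.lower())

# Constructed sample email and redirect chain (placeholder path, not a real IoC).
SAMPLE_EMAIL = """<p>A PDF file has been shared with you.</p>
<a href="https://customervoice.microsoft.com/FORM-PATH-PLACEHOLDER">Access Document Here</a>
<a href="https://www.microsoft.com/">Microsoft home</a>"""
SAMPLE_CHAIN = ["https://customervoice.microsoft.com/FORM-PATH-PLACEHOLDER",
                "https://example.invalid/login"]
```

A hit from either function is a reason to detonate the URL in a sandbox, not proof of malice on its own, since legitimate Customer Voice forms share the same host.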
Find More Malicious Links with TI Lookup
With ANY.RUN's Threat Intelligence (TI) Lookup, you can find many phishing campaigns that use the same domain, customervoice.microsoft.com, to deceive users.
Try this query to find more samples and IOCs tied to this technique: Conduct a TI Lookup Query
Analyze and Investigate Threats with ANY.RUN
Phishing attacks can be sophisticated, but they are not undetectable. ANY.RUN provides tools for real-time analysis of malware and phishing threats, helping enterprises identify and respond to attackers more effectively.
With features such as isolated analysis modes, detailed threat intelligence reports and the ability to examine malicious URLs, ANY.RUN lets you combat threats proactively.
The article Criminals Exploit Microsoft Dynamics 365 to Pilfer User Credentials was first posted on Cyber Security News.