An elaborate and rather unusual phishing campaign is spoofing eFax notifications and using a compromised Dynamics 365 Customer Voice business account to lure victims into giving up their credentials via microsoft.com pages.
Threat actors have hit dozens of companies through the broadly disseminated campaign, which is targeting Microsoft 365 users from a diverse range of sectors — including energy, financial services, commercial real estate, food, manufacturing, and even furniture-making, researchers from the Cofense Phishing Defense Center (PDC) revealed in a blog post published Wednesday.
The campaign uses a combination of common and unusual tactics to lure users into clicking on a page that appears to lead them to a customer feedback survey for an eFax service, but instead steals their credentials.
Attackers impersonate not only eFax but also Microsoft by using content hosted on multiple microsoft.com pages in several stages of the multistage effort. The scam is one of a number of phishing campaigns that Cofense has observed since spring that use a similar tactic, says Joseph Gallop, intelligence analysis manager at Cofense.
“In April of this year, we began to see a significant volume of phishing emails using embedded ncv[.]microsoft[.]com survey links of the sort used in this campaign,” he tells Dark Reading.
Combination of Tactics
The phishing emails use a conventional lure, claiming the recipient has received a 10-page corporate eFax that demands his or her attention. But things diverge from the beaten path after that, Cofense PDC's Nathaniel Sagibanda explained in the Wednesday post.
The recipient most likely will open the message expecting it's related to a document that needs a signature. "However, that isn't what we see as you read the message body," he wrote.
Instead, the email includes what seems like an attached, unnamed PDF file that's been delivered from a fax that does include an actual file — an unusual feature of a phishing email, according to Gallop.
"While a lot of credential phishing campaigns use links to hosted files, and some use attachments, it's less common to see an embedded link posing as an attachment," he wrote.
The plot thickens even further down in the message, which contains a footer indicating that it was a survey site — such as those used to provide customer feedback — that generated the message, according to the post.
Mimicking a Customer Survey
When users click the link, they are directed to a convincing imitation of an eFax solution page rendered by a Microsoft Dynamics 365 page that's been compromised by attackers, researchers said.
This page includes a link to another page, which appears to lead to a Microsoft Customer Voice survey to provide feedback on the eFax service, but instead takes victims to a Microsoft login page that exfiltrates their credentials.
To further enhance legitimacy on this page, the threat actor went so far as to embed a video of eFax solutions for spoofed service details, instructing the user to contact "@eFaxdynamic365" with any inquiries, researchers said.
The "Submit" button at the bottom of the page also serves as additional confirmation that the threat actor used a real Microsoft Customer Voice feedback form template in the scam, they added.
The attackers then modified the template with "spurious eFax information to entice the recipient into clicking the link," which leads to a faux Microsoft login page that sends their credentials to an external URL hosted by attackers, Sagibanda wrote.
Fooling a Trained Eye
While the original campaigns were much simpler — including only minimal information hosted on the Microsoft survey — the eFax spoofing campaign goes further to bolster the campaign’s legitimacy, Gallop says.
Its combination of multistage tactics and dual impersonation may allow messages to slip through secure email gateways as well as fool even the savviest of corporate users who’ve been trained to spot phishing scams, he notes.
"Only the users that continue to check the URL bar at each stage throughout the entire process would be certain to identify this as a phishing attempt," Gallop says.
Indeed, a survey by cybersecurity firm Vade also released Wednesday found that brand impersonation continues to be the top tool that phishers use to dupe victims into clicking on malicious emails.
In fact, attackers took on the persona of Microsoft most often in campaigns observed in the first half of 2022, researchers found, though Facebook remains the most impersonated brand in phishing campaigns observed so far this year.
Phishing Game Remains Strong
Researchers at this time have not identified who might be behind the scam, nor attackers' specific motives for stealing credentials, Gallop says.
Phishing overall remains one of the easiest and most oft-used ways for threat actors to compromise victims, not only to steal credentials but also spread malicious software, as email-borne malware is significantly easier to distribute than remote attacks, according to the Vade report.
Indeed, this type of attack saw month-over-month increases through the second quarter of the year and then another boost in June that pushed "emails back to the alarming volumes not seen since January 2022," when Vade saw upwards of 100-plus million phishing emails in distribution.
"The relative ease with which hackers can deliver punishing cyberattacks via email makes email one of the top vectors for attack and a constant menace for businesses and end users," Vade's Natalie Petitto wrote in the report. "Phishing emails impersonate the brands you trust the most, offering a wide net of potential victims and a cloak of legitimacy for the phishers masquerading as brands."