Threat actors abuse a compromised Microsoft Dynamics 365 Customer Voice account to send spoofed eFax notifications and lure recipients into credential phishing. The campaign spreads broadly across sectors by leveraging a legitimate service to host a fake eFax/Customer Voice page that collects credentials and exfiltrates them to an external URL. #eFaxdynamic365 #CustomerVoice #MicrosoftDynamics365 #CredentialPhishing #Cofense
Keypoints
- The phishing operation uses a compromised Microsoft Dynamics 365 Customer Voice account to distribute the lure emails.
- Emails claim the recipient has a “10-page corporate eFax” to entice engagement and prompt action.
- The link directs to a Customer Voice survey page that mimics an eFax solution; the URL itself is a genuine Microsoft Dynamics 365 (customervoice.microsoft.com) page, so the hostname alone does not expose the lure.
- The page includes embedded eFax content and a “Submit” action that leads to a Microsoft Login page designed to harvest credentials.
- The campaign appears broad and non-targeted, affecting dozens of companies across multiple industries.
- The actor leverages a legitimate service template to disguise the lure and evade some email security controls that trust the Microsoft-hosted page.
MITRE Techniques
- [T1566.002] Spearphishing Link – The attacker sends a spoofed eFax notification via a compromised Dynamics 365 Customer Voice account and lures recipients to a credential-harvesting page. ‘When the user clicks the link, they are directed to the Customer Voice survey made to look like an eFax solution page with a reasonable layout…’
- [T1566.003] Spearphishing via Service – The phishing content is built on a real Microsoft Customer Voice feedback form template “generated from a survey site” and modified with spurious eFax information to entice clicking. ‘the threat actor uses a real Microsoft Customer Voice feedback form template and modified it with spurious eFax information to entice the recipient into clicking the link’
- [T1078] Valid Accounts – The campaign is described as being “sent using a compromised account” on a known platform, enabling widespread distribution. ‘This phishing campaign may follow a well-known pattern, sent using a compromised account, for a well-known customer feedback platform’
- [T1567.002] Exfiltration to Web Service – Credentials are captured via a fake login page and exfiltrated to an external URL. ‘which then exfiltrates their credentials to an external URL.’
- [T1036] Masquerading – The page uses Microsoft Dynamics 365 branding and terms like “dynamic365” and “eFaxdynamic365” to appear legitimate. ‘uses the words “dynamic365” and “eFaxdynamic365”’
Indicators of Compromise
- [IP] context – 13.107.213.40, 13.107.246.40
- [Domain] context – ncv.microsoft.com, flat-grass-5595.fo4ih28x.workers.dev, customervoice.microsoft.com, jaqeuhyimhbi.diskstation.org
- [URL] context – https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=nCCZRTFE60iThCT0-CyieVKNxvcj-eRNqzjVwMLt3aRUOTk5MVFaVTVWWVhCWlZSTVdENFcwUTFXRS4u&vt=4599209c-4431-48eb-9384-24f4f82ca279_f3160b43-dee8-41a8-baa7-ee24dfe7d977_637957430290000000_NAM_Hash_VhCr4kw%2bu%2b9Bs4OXTHvEBa9jcvcs3Iiq4GIiWXPncAI%3d&lang=en-us, and https://flat-grass-5595.fo4ih28x.workers.dev/
- [URL] context – https://ncv.microsoft.com/Om5CjXwiLj
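As an added triage example (not part of the Cofense report), the rule below applies the report's indicators and lure wording to constructed sample messages: a link to a known IoC domain is blocked outright, while a Customer Voice link is only escalated when it is paired with the eFax/dynamic365 lure terms, since legitimate surveys use the same Microsoft hosts.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the report's IoC list.
IOC_DOMAINS = {
    "flat-grass-5595.fo4ih28x.workers.dev",
    "jaqeuhyimhbi.diskstation.org",
}
# Legitimate Microsoft hosts the lure abuses; suspicious only with the lure.
CUSTOMER_VOICE_HOSTS = {"customervoice.microsoft.com", "ncv.microsoft.com"}
LURE_TERMS = ("efax", "dynamic365", "efaxdynamic365")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_hosts(text):
    """Return the lowercase hostnames of every URL found in the text."""
    return {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)}


def classify(subject, body):
    """Return (verdict, reasons): 'block', 'review' or 'allow'."""
    text = f"{subject}\n{body}".lower()
    hosts = extract_hosts(body)
    bad = hosts & IOC_DOMAINS
    if bad:
        return "block", ["known IoC domain: " + ", ".join(sorted(bad))]
    lure_hits = [t for t in LURE_TERMS if t in text]
    if lure_hits and hosts & CUSTOMER_VOICE_HOSTS:
        return "review", [f"lure terms {lure_hits} with Customer Voice link"]
    return "allow", []


# Constructed sample messages (not captured from the campaign).
SAMPLES = {
    "efax_lure": ("New eFax received",
                  "You have a 10-page corporate eFax. View: https://ncv.microsoft.com/Om5CjXwiLj"),
    "benign_survey": ("How did we do?",
                      "Rate your support call: https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=EXAMPLE"),
    "exfil_link": ("Sign in",
                   "Continue at https://flat-grass-5595.fo4ih28x.workers.dev/"),
}


def triage_all():
    """Classify every sample and return {name: verdict}."""
    return {name: classify(s, b)[0] for name, (s, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name}: {verdict}")
```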