Security researchers at Perception Point have uncovered a sophisticated phishing campaign, dubbed “Uncle Scam.” In this AI-powered campaign, threat actors impersonate U.S. government agencies to send fraudulent tender invitations to numerous American enterprises.

The attackers employ advanced techniques, including interactive kits and large language models (LLMs), to create highly convincing phishing emails.

The phishing operation begins with an email purportedly from the General Services Administration (GSA), inviting recipients to bid on a federal project.

The email contains a link that redirects users to a spoofed GSA website, designed to closely mimic the legitimate site. This fake site includes navigation links and search options that lead to actual GSA pages, enhancing its credibility and making it challenging for users to identify the deception.

Upon clicking the “Register For RFQ” button, users encounter a CAPTCHA page, a tactic used by attackers to keep automated security scanners from reaching the credential-harvesting page. Once users submit their details on the fake login page, the attackers harvest their credentials.

The attackers have also incorporated a detailed pop-up message that walks users through how to register for the RFQ, requiring multiple clicks to reach the fake login site.

According to the Perception Point report shared with Cyber Security News, “Upon clicking the link, the user is redirected to a spoofed GSA page, complete with a domain mimicking (gsa-gov-dol-procurement-notice(.)procure-rfq(.)online) the legitimate GSA domain (www.gsa.gov). The phishing site is nearly identical to the legitimate site, assuaging visitors of its supposed authenticity.”

Linking out to genuine GSA pages not only enhances the site’s credibility but also makes it more difficult for users to realize they are on a malicious site.

Abuse of Microsoft’s Dynamics 365 Marketing Platform

A notable aspect of this campaign is the abuse of Microsoft’s Dynamics 365 Marketing platform. Attackers leverage the domain dyn365mktg.com to create subdomains and send malicious emails.

Because the domain belongs to Microsoft and is pre-authenticated, its mail passes SPF and DKIM checks, so phishing emails sent from dyn365mktg(.)com are less likely to be flagged as spam and more likely to land directly in inboxes, increasing the campaign’s effectiveness.

The domain’s built-in credibility, stemming from its link to a trusted marketing platform, also makes emails from it appear more legitimate, even though an authentication pass only proves that the message came from that sending domain, not that the sender is the agency named in the email.

Perception Point researchers identified two variations of the phishing campaign, both crafted with the help of LLMs. These models enable attackers to generate sophisticated and contextually accurate emails at scale. The emails impersonate different U.S. government departments, maintaining a professional tone and incorporating department-specific details.

Protection Measures

To protect against such sophisticated phishing attacks, organizations are advised to:

  • Double-check the Sender’s Email: Scrutinize the sender’s email address for legitimacy.
  • Hover Before You Click: Hover over links to verify the actual URL.
  • Look for Errors: Be vigilant for grammatical mistakes or unusual phrasing.
  • Leverage Advanced Detection Tools: Use AI-powered, multi-layered security solutions.
  • Educate Your Team: Train employees to recognize phishing emails and verify unsolicited communications.
  • Trust Your Instincts: Be cautious of offers that seem too good to be true and verify their authenticity through trusted channels.
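As an added illustration (not code from the Perception Point report or the article), the following Python script operationalizes the first two measures against the indicators quoted above: it flags a link whose registrable domain is not gsa.gov even though “gsa-gov” appears in a subdomain label, and a From header whose display name invokes the GSA while the address sits under a third-party sending domain. The sample From header is constructed, the link mirrors the spoofed domain quoted in the report, and the two-label registrable-domain logic is a simplification of the Public Suffix List.

```python
import re
from urllib.parse import urlparse
from email.utils import parseaddr

# Constructed sample inputs modelled on the campaign described above.
LEGIT_DOMAIN = "gsa.gov"
SAMPLE_FROM = '"U.S. General Services Administration" <rfq@notices.dyn365mktg.com>'
SAMPLE_LINK = "https://gsa-gov-dol-procurement-notice.procure-rfq.online/register"


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname. This approximates the
    registrable domain; a production check should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, legit: str = LEGIT_DOMAIN) -> list[str]:
    """Flag a URL whose registrable domain is not the expected one, and call out
    the brand name (e.g. 'gsa') appearing only as a sub-label of the host."""
    findings = []
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    if reg != legit:
        findings.append(f"link resolves to {reg}, not {legit}")
        brand = legit.split(".")[0]  # 'gsa'
        flattened = host.replace("-", " ").replace(".", " ")
        if re.search(rf"\b{re.escape(brand)}\b", flattened):
            findings.append(f"lookalike: '{brand}' appears as a sub-label of {host}")
    return findings


def check_sender(from_header: str, legit: str = LEGIT_DOMAIN) -> list[str]:
    """Flag a From header whose display name claims the agency while the
    address domain belongs to a third-party (e.g. marketing) sending domain."""
    findings = []
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if registrable_domain(domain) != legit:
        findings.append(f"sender domain {domain} is not {legit}")
        if re.search(r"general services|\bgsa\b", name, re.I):
            findings.append("display name claims GSA but address domain does not match")
    return findings


if __name__ == "__main__":
    for finding in check_sender(SAMPLE_FROM) + check_link(SAMPLE_LINK):
        print("ALERT:", finding)
```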

This article first appeared in Cyber Security News, written by Balagi N on August 13, 2024.