Cybercriminals have been spotted performing a sneaky new phishing scam targeting contractors looking for work with the US government.

Researchers at Perception Point have revealed that the ‘Uncle Scam’ campaign bypasses security checks to send sophisticated phishing emails designed by LLMs to be extremely convincing.

The attackers use advanced tools, including AI-based phishing kits and the Microsoft Dynamics 365 platform, to execute convincing multi-step attacks.

Image: Uncle Scam phishing email (Image credit: Perception Point)

Abuse of Microsoft Dynamics 365 and LLMs

The campaign begins with a phishing email that appears to come from a legitimate US government agency, such as the General Services Administration (GSA).

The email invites recipients to submit bids for federal projects and is styled to look like a legitimate tender notice. When the recipient clicks the link in the email, they are redirected to a fake GSA website that closely resembles the real one.

The attackers have copied the official site as closely as they can, even including navigation links and a search bar that redirect users to genuine GSA pages. For reference, the legitimate GSA domain is www.gsa.gov, while the fraudulent domain may take a form such as “gsa-gov-dol-procurement-notice(.)procure-rfq(.)online”. Note that the fraudulent host only embeds “gsa” and “gov” as labels inside the name; its registrable domain is procure-rfq(.)online, which has nothing to do with gsa.gov.

Once users land on the phishing site, they are asked to register for the RFQ (Request for Quotation) by providing their email address and other information. This extra step is not just for show, but is meant to make the phishing attempt more convincing and evade detection. The attackers further complicate matters by including a CAPTCHA page, making it more difficult for automated security tools to access the credential-gathering page.
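The domain comparison above is the check a mail gateway or a careful reader should be making: does the link's host actually sit under gsa.gov, or does it merely contain the tokens "gsa" and "gov"? The following is an added example (not Perception Point's code, nor anything from the campaign itself) that undefangs a URL, extracts its hostname, and classifies it as legitimate, lookalike, or unrelated. The token lists and all sample URLs are constructed for this example; a production version would use a public-suffix list rather than a bare hostname check.

```python
from urllib.parse import urlparse

# The legitimate domain named in the article.
LEGIT_DOMAIN = "gsa.gov"
# Assumptions for this example: a brand token that lookalikes embed, and a
# top-level-domain name that is suspicious when it appears as an inner label.
BRAND_TOKENS = ("gsa",)
PSEUDO_TLD_TOKENS = ("gov",)


def undefang(url: str) -> str:
    """Turn defanged notation such as 'hxxp://', '(.)' and '[.]' back into a parseable URL."""
    return url.replace("(.)", ".").replace("[.]", ".").replace("hxxp", "http")


def hostname_of(url: str) -> str:
    """Extract the lower-cased hostname; prepend a scheme if the string has none."""
    u = undefang(url.strip())
    if "://" not in u:
        u = "http://" + u
    host = urlparse(u).hostname or ""
    return host.lower().rstrip(".")


def is_under(host: str, domain: str) -> bool:
    """True only when host is the domain itself or a subdomain of it (label-boundary match).

    'gsa.gov.evil.example' does NOT end with '.gsa.gov', so it is correctly rejected.
    """
    return host == domain or host.endswith("." + domain)


def classify_link(url: str, legit_domain: str = LEGIT_DOMAIN) -> str:
    """Classify a link as 'legitimate', 'lookalike', 'unrelated' or 'invalid'."""
    host = hostname_of(url)
    if not host:
        return "invalid"
    if is_under(host, legit_domain):
        return "legitimate"
    # Split on '.' and '-' so that 'gsa-gov-dol-procurement-notice' yields gsa, gov, dol, ...
    tokens = host.replace("-", ".").split(".")
    inner_tokens = tokens[:-1]  # everything except the real top-level domain
    if any(t in tokens for t in BRAND_TOKENS):
        return "lookalike"
    if any(t in inner_tokens for t in PSEUDO_TLD_TOKENS):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links: the article's real domain, its example fraudulent host,
    # a subdomain-prefix lookalike, a genuine unrelated .gov site and an unrelated site.
    for link in (
        "https://www.gsa.gov/buy-through-us",
        "gsa-gov-dol-procurement-notice(.)procure-rfq(.)online/register",
        "hxxps://www.gsa.gov.evil.example/login",
        "https://www.dol.gov/",
        "https://example.com/",
    ):
        print(f"{classify_link(link):<11} {link}")
```

The important detail is `is_under`: a plain substring test (`"gsa.gov" in host`) would accept `www.gsa.gov.evil.example`, whereas matching on a label boundary does not.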


(Image credit: Perception Point)

One of the key elements that makes this phishing campaign particularly effective is the abuse of Microsoft’s Dynamics 365 Marketing platform. The attackers send their malicious emails through the domain “dyn365mktg.com,” which Microsoft operates for Dynamics 365 customers. Because Microsoft publishes SPF and DKIM records for that domain, mail sent through it passes the authentication checks receiving servers perform, so the phishing emails are more likely to bypass spam filters and land in recipients’ inboxes.

The caveat a defender should keep in mind is that SPF and DKIM only prove that a message came from a sender authorized for dyn365mktg.com; they say nothing about whether the display name (“General Services Administration”) matches the domain that was actually authenticated. The high deliverability and built-in credibility of a trusted marketing platform make the emails look legitimate and harder to detect, but the authenticated domain is still not a government domain.
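The point about authentication is easiest to see on a message header. Below is an added example (not Perception Point's code, nor anything from the campaign) that parses a message, pulls out which domain SPF and DKIM actually vouched for, checks whether that domain aligns with the From: header domain, and then checks whether the display name claims an agency that the From: domain does not belong to. The two raw messages, the agency term list and the agency domain list are all constructed for this example, and `org_domain` approximates relaxed DMARC alignment with the last two labels rather than a public-suffix list.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample 1: the pattern the article describes. Authentication passes for
# the marketing platform's domain while the display name claims a government agency.
SAMPLE_PLATFORM = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce.dyn365mktg.com; dkim=pass header.d=dyn365mktg.com
From: "General Services Administration" <rfq-notices@dyn365mktg.com>
To: contractor@example.com
Subject: Request for Quotation
Content-Type: text/plain

Please register to submit your bid.
"""

# Constructed sample 2: a forged From: address on the real agency domain that the
# authenticated sending domain does not match.
SAMPLE_UNALIGNED = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce.dyn365mktg.com; dkim=pass header.d=dyn365mktg.com
From: "GSA Procurement" <notices@gsa.gov>
To: contractor@example.com
Subject: Request for Quotation
Content-Type: text/plain

Please register to submit your bid.
"""

# Assumptions for this example: display-name terms that imply a US agency, and the
# domains those agencies actually send from.
AGENCY_TERMS = ("general services administration", "gsa", "department of labor")
AGENCY_DOMAINS = ("gsa.gov", "dol.gov")


def org_domain(domain: str) -> str:
    """Relaxed-alignment approximation: keep the last two labels (no public-suffix list)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def authenticated_domains(auth_results: str) -> dict:
    """Return the domain each passing mechanism actually vouches for."""
    out = {}
    m = re.search(r"spf=pass\s+smtp\.mailfrom=([\w.-]+)", auth_results)
    if m:
        out["spf"] = m.group(1).lower()
    m = re.search(r"dkim=pass\s+header\.d=([\w.-]+)", auth_results)
    if m:
        out["dkim"] = m.group(1).lower()
    return out


def triage(raw: str) -> dict:
    """Decide whether the authenticated domain and the visible identity agree."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"] or ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    auth = authenticated_domains(str(msg.get("Authentication-Results", "") or ""))
    # Alignment: did SPF or DKIM pass for the same organizational domain as From:?
    aligned = any(org_domain(d) == org_domain(from_domain) for d in auth.values())
    claims_agency = any(t in display.lower() for t in AGENCY_TERMS)
    from_is_agency = any(org_domain(from_domain) == d for d in AGENCY_DOMAINS)
    if claims_agency and not from_is_agency:
        verdict = "display-name impersonation"  # authenticated, but not who it claims to be
    elif not aligned:
        verdict = "unaligned"                   # From: domain is not what was authenticated
    else:
        verdict = "ok"
    return {"from_domain": from_domain, "display": display, "auth": auth,
            "aligned": aligned, "verdict": verdict}


if __name__ == "__main__":
    for raw in (SAMPLE_PLATFORM, SAMPLE_UNALIGNED):
        r = triage(raw)
        print(f"{r['verdict']:<26} from={r['from_domain']} auth={r['auth']}")
```

Sample 1 is the one that slips past filters: SPF and DKIM pass and the From: domain aligns with them, so only the display-name check catches it. Sample 2 is what a DMARC alignment check is built for.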

The “Uncle Scam” campaign also uses Large Language Models (LLMs) to craft phishing emails. These advanced models allow attackers to generate high-quality, contextually accurate phishing emails that mimic the tone and structure of legitimate communications. These emails are typically grammatically correct and have a professional tone as they integrate specific details from the impersonated departments.

The use of LLMs also lets attackers scale their phishing efforts. They can produce many versions of the same phishing email with slight differences, so each message is unique enough to defeat filters that match on a known template, while the consistent quality leaves victims no obvious tell.

To prevent your organization from falling victim to advanced phishing attacks such as ‘Uncle Scam’, Perception Point recommends taking the following precautions:

  • Check the sender’s email address: Always check the actual sender address and its domain, not just the display name, for signs of impersonation.
  • Hover over the link before clicking: Before clicking on a link, hover over it to see the actual URL and check if it is legitimate.
  • Watch for errors: Look for minor grammatical errors, unusual wording, and inconsistencies in the content of the email, but bear in mind that LLM-written emails like those in this campaign are often flawless, so the absence of errors is not evidence of legitimacy.
  • Leverage advanced detection tools: Deploy AI-powered, layered security solutions to detect and neutralize advanced phishing attempts.
  • Educate your team: Provide regular training to your employees on how to recognize phishing emails and the importance of checking unsolicited communications.
  • Trust your instincts: If an email or offer seems too good to be true, it probably is. Always verify the authenticity of such communications via trusted channels.

Cybercriminals’ tactics are evolving, and the “Uncle Scam” phishing campaign is a reminder of this fact. Hackers have built highly convincing and hard-to-detect phishing operations on trusted platforms like Microsoft Dynamics 365 and advanced AI tools. However, with vigilance and sound proactive steps, organizations and businesses can protect themselves from these threats.

This article first appeared in NY Breaking, written by James on August 17, 2024.