Phishing attacks use 365 domain to sending 'most sophisticated' messages to thousands.
Attackers are utilising the Microsoft Dynamics 365 Marketing Platform to send rogue phishing emails claiming to represent US Government departments.
According to research from Perception Point, attackers are abusing and leveraging the domain dyn365mktg.com to create subdomains and send out malicious emails.
“The domain dyn365mktg.com is associated with Microsoft’s Dynamics 365 Marketing platform, a trusted tool used by organisations to manage marketing campaigns, send emails, and engage with customers” the company explains.
Because it is linked to Microsoft, emails from this domain are inherently trusted and often bypass stringent security checks - and it often bypasses DMARC checks.
A Perception Point spokesperson confirmed to SC UK that attackers will open subdomains on this domain in legitimate ways and abuse it. Asked how they accessed Dynamics 365 Marketing Platform, researchers said this was likely done by compromising an account, or creating a legitimate account under false pretences, and used it to send phishing emails.
“By using the platform ‘as it was intended’, the attackers could exploit the trust associated with the domain, making their phishing emails more likely to bypass security filters and reach their targets,” researchers said.
Targeting Government
Further, the attackers impersonate an alleged representative of the General Services Administration (GSA), a United States government agency that provides procurement support to other government entities, and sent thousands of emails.
The message appears to be an official procurement notice, saying that the US Department of Energy is inviting recipients to submit a bid as a subcontractor for a federal project.
Clicking on the links takes the recipient to a spoof version of the GSA website.
“What makes this phishing attempt particularly noteworthy is the level of sophistication involved,” researchers say. “Interacting with the phishing website, such as clicking on different links or using the search options, leads to actual GSA websites. This behaviour not only enhances the site’s credibility but also makes it more difficult for users to realise they are on a malicious site.”
In an email to SC UK, the researchers said this was far more sophisticated than typical phishing campaigns, as the details matched each organisation's location, including a “perfect GSA spoofed website, leading to the actual website when navigating to add to the site’s credibility: all the legitimate website functionalities were perfectly copied.”
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.