Microsoft Dynamics 365

Phishing attacks continue to evolve, leveraging legitimate platforms and services to deceive unsuspecting victims. One such tactic, highlighted by recent research from ANY.RUN, involves the abuse of Microsoft Dynamics 365. 

Let’s unpack how cybercriminals exploit this trusted service, the methods they employ, and how tools like ANY.RUN can help detect and mitigate these threats.

How Microsoft Dynamics 365 is Being Abused

Microsoft Dynamics 365 includes a feature that allows users to create forms with embedded links. These forms are widely used in businesses for surveys, feedback, and customer engagement, making them a credible tool in the eyes of most users.

Unfortunately, cybercriminals exploit this credibility to create phishing links that appear legitimate but lead victims into well-crafted traps.

Because these phishing URLs are hosted on trusted domains (e.g., customervoice.microsoft.com), users are often less cautious when interacting with them. As a result, sensitive data like login credentials, payment information, or personal details are stolen without raising suspicion.

A Real Example of Phishing in Action

The research team at ANY.RUN recently analyzed a phishing campaign that exploited Microsoft services to deceive users. The phishing link, cleverly disguised as a legitimate Microsoft URL, lured victims into attempting to access a non-existent PDF file hosted on a trusted domain.

To safely investigate how the link operates, let’s use ANY.RUN’s interactive sandbox environment. This secure setup reveals the real behavior of the malicious link and the threats it poses: View analysis session.

Suspicious link analyzed inside ANY.RUN sandbox

After opening the link in the sandbox, you can see the first red flag. During the analysis session, the sandbox displays the phishing tag, indicating the start of the phishing attack.

Phishing attack identified by ANY.RUN sandbox


Without this kind of interactive analysis, detecting the malicious intent behind such a convincing link would have been challenging. The URL itself, hosted on the trusted domain customervoice.microsoft.com, appears legitimate enough to avoid suspicion.

In this analysis session, we can see that the link displays a message claiming that the user has received a PDF file, prompting them to click a button labeled “View Document Here” to access it.

Malicious link displayed in ANY.RUN virtual machine

Once clicked, the button redirects users to a phishing site masquerading as a Microsoft login page. This fake site requests Microsoft account credentials, attempting to harvest sensitive information.

Fake Microsoft link redirecting users to a phishing site
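
Defenders can hunt for the chain described above, a form on customervoice.microsoft.com sending the user to a sign-in page outside Microsoft's own domains, in web proxy logs. The following Python is an added example, not code from ANY.RUN or the original article; the record layout (user, method, URL, Referer), the sample records, the MS_SUFFIXES allowlist and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

FORM_HOST = "customervoice.microsoft.com"  # trusted form domain named in the article
# Assumption: illustrative allowlist of Microsoft-owned suffixes; tune for your tenant.
MS_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com", "live.com")

# Constructed proxy records (user, method, url, referer); hosts and paths are made up.
SAMPLE_LOG = [
    ("alice", "GET", "https://customervoice.microsoft.com/form/EXAMPLE-1", ""),
    ("alice", "GET", "https://docs-view.example.test/open",
     "https://customervoice.microsoft.com/form/EXAMPLE-1"),
    ("alice", "POST", "https://docs-view.example.test/signin",
     "https://docs-view.example.test/open"),
    ("bob", "GET", "https://login.microsoftonline.com/",
     "https://customervoice.microsoft.com/form/EXAMPLE-2"),
    ("carol", "GET", "https://login.microsoft.com.example.test/",
     "https://customervoice.microsoft.com/form/EXAMPLE-3"),
]


def host_of(url):
    """Lower-cased hostname of a URL, or '' when absent or unparsable."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def is_microsoft(host):
    """Match on label boundaries so 'microsoft.com.example.test' does not pass."""
    return any(host == s or host.endswith("." + s) for s in MS_SUFFIXES)


def find_form_redirects(records):
    """Flag off-Microsoft landings reached from a form, and later POSTs to them."""
    landed = set()  # (user, host) pairs reached from a form on FORM_HOST
    findings = []
    for user, method, url, referer in records:
        dest = host_of(url)
        if not dest:
            continue
        if host_of(referer) == FORM_HOST and not is_microsoft(dest):
            landed.add((user, dest))
            findings.append((user, dest, "form-to-external"))
        elif method == "POST" and (user, dest) in landed:
            # A POST to the landing host is consistent with a submitted login form.
            findings.append((user, dest, "post-after-form-redirect"))
    return findings


if __name__ == "__main__":
    for finding in find_form_redirects(SAMPLE_LOG):
        print(finding)
```

Referer headers can be stripped by referrer policy, so an empty result is an absence of evidence rather than a clean bill of health.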

The ANY.RUN sandbox also flagged the phishing attempt using Suricata rules, providing an additional layer of confirmation about the link’s malicious nature.

Suricata rule triggered inside ANY.RUN sandbox

Using ANY.RUN’s Threat Intelligence (TI) Lookup, you can identify multiple phishing campaigns that use the same domain, customervoice.microsoft.com, to trick unsuspecting users.

Try out this query to find more examples and IOCs related to this technique: 🔍 TI Lookup Query

TI query for more malicious links related to this campaign

Analyze and Investigate Threats with ANY.RUN

Phishing attacks may be sophisticated, but they’re not invincible. ANY.RUN provides tools to analyze malware and phishing threats in real time, allowing businesses to identify and combat cybercriminals more effectively.

With features like private analysis modes, detailed threat intelligence reports, and the ability to investigate malicious URLs, ANY.RUN empowers you to stay one step ahead.

Sign up for a 14-day free trial with ANY.RUN and experience the power of real-time threat analysis today!

Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.