Operation Uncle Scam - AI-Powered Phishing Attack Steals Microsoft Dynamics 365 Credentials
Cyber Security News
Security researchers at Perception Point have uncovered a sophisticated phishing campaign, dubbed "Uncle Scam." In this AI-powered campaign, threat actors impersonate U.S. government agencies to send fraudulent tender invitations to numerous American enterprises.
The attackers employ advanced techniques, including interactive kits and large language models (LLMs), to create highly convincing phishing emails.
The phishing operation begins with an email purportedly from the General Services Administration (GSA), inviting recipients to bid on a federal project.
The email contains a link that redirects users to a spoofed GSA website, designed to closely mimic the legitimate site. This fake site includes navigation links and search options that lead to actual GSA pages, enhancing its credibility and making it challenging for users to identify the deception.
Upon clicking the "Register For RFQ" button, users encounter a CAPTCHA page, a tactic used by attackers to evade detection by automated security tools. Once users submit their details, the attackers successfully harvest their credentials.
The attackers have also incorporated a detailed pop-up message that walks users through how to register for the RFQ, requiring multiple clicks to reach the fake login site.
According to the Perception Point report shared with Cyber Security News, "Upon clicking the link, the user is redirected to a spoofed GSA page, complete with a domain mimicking (gsa-gov-dol-procurement-notice(.)procure-rfq(.)online) the legitimate GSA domain (www.gsa.gov). The phishing site is nearly identical to the legitimate site, assuaging visitors of its supposed authenticity."
This behavior not only enhances the site's credibility but also makes it more difficult for users to realize they are on a malicious site.
Abuse of Microsoft’s Dynamics 365 Marketing Platform
A notable aspect of this campaign is the abuse of Microsoft's Dynamics 365 Marketing platform. Attackers leverage the domain dyn365mktg.com to create subdomains and send malicious emails.
Because dyn365mktg.com is operated by Microsoft and is pre-authenticated to pass SPF and DKIM checks, mail sent from its subdomains is less likely to be flagged as spam and more likely to land directly in inboxes.
The domain's built-in credibility, stemming from its link to a trusted marketing platform, also makes the messages appear more legitimate, increasing the effectiveness of the campaign.
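As an added defensive example (not from the Perception Point report or any of its tooling), the small Python triage below applies the point above: an SPF/DKIM pass for a dyn365mktg.com subdomain only proves the marketing platform sent the mail, so the check compares the claimed GSA identity against the domains that were actually authenticated, and flags link hosts built from "gsa"/"gov" tokens that are not under gsa.gov. Both messages are constructed samples; the lookalike host and the platform domain are the ones named in the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF/DKIM pass for a marketing-platform subdomain while name and link pose as GSA.
PHISH = """\
Authentication-Results: mx.example; spf=pass smtp.mailfrom=notify.dyn365mktg.com;
 dkim=pass header.d=notify.dyn365mktg.com
From: GSA Procurement <procurement@notify.dyn365mktg.com>
Subject: Request for Quotation - Federal Project

Register for RFQ: https://gsa-gov-dol-procurement-notice.procure-rfq.online/rfq
"""
# Constructed benign counterpart: identity, authenticated domain and link all agree.
LEGIT = """\
Authentication-Results: mx.example; spf=pass smtp.mailfrom=gsa.gov; dkim=pass header.d=gsa.gov
From: GSA Procurement <procurement@gsa.gov>
Subject: Request for Quotation - Federal Project

Details: https://www.gsa.gov/buy-through-us
"""

def authenticated_domains(msg):
    """Domains SPF/DKIM actually vouched for, taken from Authentication-Results."""
    return set(re.findall(r"(?:smtp\.mailfrom|header\.d)=([\w.-]+)", msg.get("Authentication-Results", "")))

def claims_gsa(msg):
    """Does the display name or subject claim to be the General Services Administration?"""
    name, _ = parseaddr(msg.get("From", ""))
    return re.search(r"\bGSA\b|General Services Administration", f"{name} {msg.get('Subject', '')}") is not None

def lookalike_gsa_hosts(body):
    """Link hosts assembled from 'gsa' and 'gov' tokens that are not actually under gsa.gov."""
    hosts = re.findall(r"https?://([\w.-]+)", body)
    return [h for h in hosts
            if {"gsa", "gov"} <= set(re.split(r"[.-]", h.lower()))
            and not (h.lower() == "gsa.gov" or h.lower().endswith(".gsa.gov"))]

def triage(raw):
    """Return a list of findings; an empty list means none of these checks fired."""
    msg = message_from_string(raw)
    findings = []
    authed = authenticated_domains(msg)
    # A pass only proves the platform sent the mail, not that the claimed agency did.
    if claims_gsa(msg) and authed and not any(d.endswith(".gov") for d in authed):
        findings.append("claims GSA identity but authenticated only by non-.gov domain(s): " + ", ".join(sorted(authed)))
    for host in lookalike_gsa_hosts(msg.get_payload()):
        findings.append("lookalike GSA link host: " + host)
    return findings
```

Run `triage(PHISH)` and `triage(LEGIT)` to see the two outcomes; the sample mail passes authentication alignment yet is still flagged on identity and link.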
Perception Point researchers identified two variations of the phishing campaign, both crafted with the help of LLMs. These models enable attackers to generate sophisticated and contextually accurate emails at scale. The emails impersonate different U.S. government departments, maintaining a professional tone and incorporating department-specific details.
Protection Measures
To protect against such sophisticated phishing attacks, organizations are advised to:
Security Analyst · System Administrator · IT Support Specialist · Cyber Security Analyst · CompTIA Security+
3 months · 2 or 3 times a week, I get a text message from my mother with a screenshot of an e-mail she received asking me if it's a legit e-mail or not. I'm happy that she does this but the sad thing is she's terrified. This is where we as cybersecurity professionals need to protect our human assets by educating them on how to spot social engineering tricks. It was only a matter of time before threat actors started using AI to create believable phishing e-mails.
We keep your Digital Assets Safe · SDR/BDR - Tech Sales | Cyber Security - Security Testing
3 months · Nasreen Begum
#CRWDWORLD Distributor/Reseller for Advanced Medicine & Decentralized #Vogon #Cloud Products/Services
3 months · DQLDB- Decentralization is a solution! Check out #Spectralcapital dot com
Senior Sales Consultant at Southern Glazer's Wine & Spirits
3 months · Check out #CYBRINTERNATIONAL.AI, Hubzone accredited and partners with IBM, RAYTHEON, HEWLETT PACKARD and OTC bound in a few short weeks
ISC2 Associate/Cybersecurity Analyst/Network Engineer
3 months · Good breakdown, but luckily nothing outlandish or new here. Hawaii has been a hotspot of targeted phishing campaigns since the Maui fires, and using Microsoft- and Google-associated domains to push spoofed emails has been around for a while. #staysafe