
Many phishing attacks rely heavily on service abuse: threat actors continue to leverage living-off-the-land (LotL) phishing, hosting the lure on legitimate services rather than on infrastructure of their own, in the hopes of not raising red flags for their targets. They do not always achieve the degree of brand cohesion seen in the example we will look at below.

This email originated from a compromised nhs[.]net Microsoft account; nhs[.]net is the email system for National Health Service employees in England and Scotland. The theme was a Microsoft "secure fax PDF" originating from the "ShareFile Team 2023."

The payload URL linked to customervoice[.]microsoft[.]com, the legitimate Dynamics 365 service for gathering customer feedback via surveys. We have captured quite a few phishing attacks leveraging this service since last year, and this one was a splendid example of a cohesive branding strategy (Microsoft sender, graphics, link, and phishing portal) leveraged in an attack. The primary aim of this tactic is to give the URL a clean disposition, since a link to a legitimate Microsoft domain will pass reputation-based filtering, but one can easily see how it would also be effective at duping even a security-conscious end user who pays close attention to the address bar.

If the target clicks the "Preview Document Here" option on the Dynamics site, they are redirected to a subdomain at pintur[.]ru. This location hosted the attacker's credential-harvesting, Microsoft 365-themed OWA login page.
