Security researchers at Perception Point have discovered a sophisticated phishing campaign called "Uncle Scam." In this AI-powered campaign, malicious actors impersonate U.S. government agencies to send fraudulent procurement invitations to numerous U.S. companies. In this blog, colleague Ferry shares how the operation worked and how to prevent it for your organization.  

In doing so, the attackers use sophisticated techniques, including interactive kits and large language models (LLMs), to create highly convincing phishing emails. 

The phishing website used for this purpose is almost identical to the legitimate site, reassuring visitors about its supposed authenticity. 

The attackers had also added a detailed pop-up message that guides users step by step in registering for the RFQ, requiring multiple clicks to reach the fake login page. 

According to Perception Point's report, "After clicking the link, the user is redirected to a fake GSA page, complete with a domain that resembles (gsa-gov-dol-procurement-notice(.)procure-rfq(.)online) the legitimate GSA domain (www.gsa.gov). The phishing website is almost identical to the legitimate site, reassuring visitors of its supposed authenticity." 

This behavior not only increases the credibility of the site, but also makes it harder for users to realize they are on a malicious site. 

Misuse of Microsoft's Dynamics 365 Marketing Platform

One notable aspect of this campaign is the misuse of Microsoft's Dynamics 365 Marketing platform. Attackers are using the domain dyn365mktg.com to create sub-domains and send malicious emails. 

The association of this domain with Microsoft enables phishing emails to bypass spam filters and land directly in inboxes. This significantly increases campaign effectiveness. 

The domain is pre-authenticated by Microsoft and meets DKIM and SPF standards, making emails from this domain more likely to pass spam filters and land directly in the inbox. This prior authentication and the link to Microsoft contribute to high deliverability, making phishing emails sent from dyn365mktg(.)com less likely to be flagged as spam. 

Additionally, the built-in credibility of the domain, thanks to its link to the trusted marketing platform, increases the legitimacy of the emails. This makes phishing campaigns sent through this domain even more effective. 

Perception Point researchers have identified two phishing campaign variants, both designed using large language models (LLMs). These models allow attackers to generate sophisticated and contextually accurate emails on a large scale. The emails mimic different departments of the U.S. government, with a professional tone and department-specific details. 

Protective measures

Despite this AI-driven attack having taken place in the U.S. for now, such a scenario could hang over European companies like the sword of Damocles.  

Protection against phishing attacks is crucial, not only for organizations worldwide, but also specifically for users in Europe. And here's why: 

• Increased cyber threats: Phishing attacks are increasingly targeting European users due to increasing digitalization and the diversity of languages and systems. Cybercriminals are using sophisticated techniques to adapt their attacks to different regions, including Europe. 
• Strict regulations: Europe has strict regulations such as the General Data Protection Regulation (AVG) that require organizations to protect personal data and report data breaches. Phishing attacks can lead to serious data breaches and fines for non-compliance with these regulations. 
• Sensitive data: European users often handle sensitive information, such as financial data, personal identification and business information. Phishing attacks can compromise this data, which can have serious consequences for both individuals and businesses.
•  Economic Impact: Phishing attacks can cause significant financial damage. For European companies, this can lead to loss of trust, reputational damage and high costs for recovery and compensation. 
• International Cooperation: Phishing attacks can have international implications, with attackers potentially targeting European users from other countries. Promoting awareness and implementing protection measures in Europe helps strengthen the global fight against cybercrime. 
• Protection of Personal Freedoms: European countries are committed to protecting personal freedom and privacy. By taking measures against phishing, users can keep personal data safe and ensure privacy. 

By implementing these protection measures, European users can not only secure their own data and systems, but also contribute to a broader security culture that helps make the digital space safer for everyone. 

To protect yourself from such sophisticated phishing attacks, we recommend organizations: 

• Double-check the sender: Carefully check the sender's email address for legitimacy
• Keep Mouse Button Silent Before Clicking: Move the cursor over links to verify the actual URL before clicking on it
• Watch for errors: be alert to grammatical errors or unusual turns of phrase in the email
• Use advanced detection tools: Use AI-driven, layered security solutions to detect suspicious emails
• Training for your team: Train employees to recognize phishing emails and verify unsolicited communications 
• Trust your instincts: Be wary of offers that seem too good to be true and verify their authenticity through trusted channels

By following these measures, you reduce your organization's chances of falling victim to phishing attacks and improve overall security.