A new, large-scale phishing campaign is actively exploiting the Microsoft Dynamics 365 Customer Voice enterprise feedback management application to deceive users and steal their login credentials, and it is capable of bypassing multi-factor authentication (MFA). The attack poses a significant threat to the vast number of organizations globally that rely on Microsoft 365 and Dynamics 365 for business operations.
Security researchers at Check Point have identified this campaign, noting that it leverages compromised accounts to send emails containing fake Dynamics 365 Customer Voice links. The emails are crafted to appear legitimate, often centered around financial themes like settlement statements or payment information. The campaign has already deployed over 3,370 emails, reaching employees at more than 350 organizations, primarily in the United States, and targeting over a million mailboxes.
The attack chain involves luring recipients to click on phony links claiming they have received a new voicemail or PDF document. Users are first directed to a Captcha test, a tactic intended to lend an air of authenticity. Following this, victims are sent to a phishing site designed to mimic a Microsoft login page, where attackers attempt to steal credentials. Successful attacks grant cyber criminals unauthorized access to sensitive information and systems, potentially leading to manipulated internal accounts, theft of funds, and operational disruptions.
Exploiting Trusted Microsoft Services
The cleverness of this method lies in its exploitation of trust. It relies on the recipient’s familiarity with regular business communications involving Microsoft-branded services, making the fraudulent emails difficult to distinguish from legitimate correspondence. Attackers are leveraging legitimate links from Microsoft notifications as part of the attack chain.
This technique, which leverages legitimate sites to get past security scanners, is referred to as ‘The Static Expressway’ by the Check Point researchers. Such attacks are incredibly difficult for security services to detect and even harder for users to identify.
The phishing link often doesn’t appear until the final step. Check Point says “users are first directed to a legitimate page–so hovering over the URL in the email body won’t provide protection.” The phishing link often redirects users through several intermediate pages before they land on the final phishing page.
Attackers exploit platforms like Dynamics 365 Marketing Forms because they are hosted on a trusted Microsoft service, making them less likely to be flagged by traditional security filters. Dynamics 365 forms are served with legitimate SSL certificates, such as those for https://forms.office.com or https://yourcompanyname.dynamics.com, which can help them evade phishing detection tools that check for invalid or suspicious certificates.
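Because the first hop is a genuine Microsoft page with a valid certificate, a scanner has to judge the link by where the redirect chain ends. The following is an added detection sketch, not code from Check Point or Microsoft; the trusted-host list, the title markers and both sample chains are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts this organisation treats as genuine Microsoft infrastructure.
TRUSTED_SUFFIXES = ("forms.office.com", "dynamics.com", "login.microsoftonline.com")
LOGIN_MARKERS = ("sign in", "password", "microsoft")

# Constructed redirect chains: (url, page title) per hop, as a link-following
# sandbox might record them. Non-Microsoft hosts use reserved example domains.
PHISH_CHAIN = [
    ("https://forms.office.com/r/CONSTRUCTED", "Settlement statement"),
    ("https://gate.example.net/check", "Captcha verification"),
    ("https://signin.example.org/common/login", "Sign in to your Microsoft account"),
]
BENIGN_CHAIN = [
    ("https://yourcompanyname.dynamics.com/form", "Customer feedback"),
    ("https://login.microsoftonline.com/common/oauth2", "Sign in to your account"),
]


def host_of(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_trusted(host):
    # Exact host or true subdomain only; "dynamics.com.example.net" must fail.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def assess_chain(hops):
    """Judge a link by where the chain ends, not by the first URL shown."""
    if not hops:
        return {"verdict": "no-data", "reasons": []}
    first, last = host_of(hops[0][0]), host_of(hops[-1][0])
    reasons = []
    if is_trusted(first) and not is_trusted(last):
        reasons.append(f"trusted entry {first} ends on untrusted {last}")
    title = hops[-1][1].lower()
    if not is_trusted(last) and sum(m in title for m in LOGIN_MARKERS) >= 2:
        reasons.append("untrusted final page presents a Microsoft-style login")
    if any("captcha" in t.lower() for _, t in hops[:-1]):
        reasons.append("CAPTCHA interstitial before the final page")
    verdict = "block" if len(reasons) >= 2 else ("review" if reasons else "allow")
    return {"verdict": verdict, "reasons": reasons}
```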
MFA Bypass Capabilities
A significant concern is the campaign’s ability to bypass multi-factor authentication. This is often achieved through the use of sophisticated phishing-as-a-service (PhaaS) toolkits.
A notable example is Rockstar 2FA, which is being used in campaigns targeting Microsoft 365 credentials, including Dynamics 365 Customer Voice, and is designed to bypass MFA.
Rockstar 2FA employs an Adversary-in-the-Middle (AiTM) attack to intercept user credentials and session cookies, meaning that even users with MFA enabled can still be vulnerable. Microsoft tracks the developers and distributors of the Dadsec/Phoenix phishing kit, related to Rockstar 2FA, under the moniker Storm-1575.
Rockstar 2FA is available via a subscription model, costing $200 for two weeks or $350 for a month, on platforms like ICQ, Telegram, and Mail.ru, allowing cyber criminals with little technical expertise to mount campaigns at scale.
The toolkit includes features such as 2FA bypass, cookie harvesting, antibot protection using Cloudflare Turnstile, customizable login page themes mimicking popular services, fully undetectable (FUD) links, and Telegram bot integration.
Email campaigns using Rockstar 2FA leverage diverse initial access vectors like URLs, QR codes, and document attachments. Lure templates used with Rockstar 2FA range from file-sharing notifications to requests for e-signatures. Attackers use legitimate link redirectors as a mechanism to bypass antispam detection.
Broader Context and Mitigation
Once inside a compromised account, cybercriminals act quickly. They may launch business email compromise (BEC) attacks, impersonating executives to request fraudulent wire transfers, or spread further phishing emails internally. Attackers also manipulate email settings to hide their activity, creating filtering rules to automatically delete security notifications. To avoid detection, they may use VPN services, making their logins appear to originate from the victim’s usual location.
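The mailbox-rule behaviour described above can be audited directly. This added example, which is not from the original article, scores inbox-rule records for rules that delete or hide security notifications; the field names are modelled on Exchange Online `Get-InboxRule` properties, while the record shape, keyword list, folder list and sample rules are assumptions constructed for illustration.

```python
SECURITY_TERMS = ("security", "alert", "password", "phish", "suspicious",
                  "sign-in", "mfa", "verification", "unusual activity")
# Assumption: folders users seldom open, so mail moved there is effectively hidden.
QUIET_FOLDERS = {"deleted items", "rss feeds", "conversation history", "junk email"}
TEXT_FIELDS = ("SubjectContainsWords", "BodyContainsWords",
               "SubjectOrBodyContainsWords", "From")

# Constructed sample export of one mailbox's rules.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Reading",
     "From": ["news@vendor.example"]},
    {"Name": "..", "Enabled": True, "DeleteMessage": True,
     "SubjectOrBodyContainsWords": ["Security alert", "unusual sign-in", "phishing"]},
    {"Name": "cleanup", "Enabled": True, "MoveToFolder": "RSS Feeds"},
    {"Name": "promo", "Enabled": True, "DeleteMessage": True,
     "SubjectContainsWords": ["sale"]},
]


def hides_mail(rule):
    folder = (rule.get("MoveToFolder") or "").strip().lower()
    return bool(rule.get("DeleteMessage")) or folder in QUIET_FOLDERS


def matched_terms(rule):
    values = [v.lower() for f in TEXT_FIELDS for v in (rule.get(f) or [])]
    return sorted({t for t in SECURITY_TERMS for v in values if t in v})


def audit_rule(rule):
    """Return (severity, reason) for one inbox-rule record."""
    if not rule.get("Enabled", True) or not hides_mail(rule):
        return ("none", "rule does not delete or hide mail")
    terms = matched_terms(rule)
    if terms:
        return ("high", "hides mail matching: " + ", ".join(terms))
    if not any(rule.get(f) for f in TEXT_FIELDS):
        return ("high", "hides all incoming mail (no conditions)")
    return ("low", "hides mail on non-security conditions")


def audit_mailbox(rules):
    """List (name, severity, reason) for every rule that hides mail."""
    findings = [(r.get("Name", "?"), *audit_rule(r)) for r in rules]
    return [f for f in findings if f[1] != "none"]
```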
Microsoft has taken action, blocking some of the phishing pages used in the campaign. However, some malicious emails may still have reached inboxes before these pages were taken down. Microsoft thwarted $4 billion in fraud attempts, rejected 49,000 fraudulent partnership enrollments, and blocked about 1.6 million bot signup attempts per hour between April 2024 and April 2025, according to the Microsoft Security Blog.
Microsoft also introduced a fraud prevention policy in January 2025 requiring product teams to perform fraud prevention assessments and implement fraud controls as part of their design process, as noted in their blog post.
Beyond this specific campaign, the use of phishing to obtain credentials remains a prevalent threat vector. Earlier this year, a separate mass phishing attack was observed faking Microsoft ADFS login portals to hijack business email accounts, demonstrating that Microsoft authentication systems are ongoing targets.
That campaign also captured credentials and MFA codes in real-time, highlighting the vulnerability of federated authentication systems like ADFS. The shift toward phishing-based credential theft aligns with a broader trend in modern cyberattacks.
The broader cybersecurity landscape shows attackers increasingly relying on legitimate cloud infrastructure to host phishing pages, as found in a Fortra report, and leveraging artificial intelligence to enhance their attacks.
AI-driven phishing has led to a sharp rise in successful attacks by improving the quality and personalization of fraudulent emails, according to a Netskope analysis. State-sponsored hacking groups are also using AI to refine cyber operations, including phishing and reconnaissance, although AI has not yet created fundamentally new attack methods.
Microsoft noted that “AI has started to lower the technical bar for fraud and cybercrime actors looking for their own productivity tools, making it easier and cheaper to generate believable content for cyberattacks at an increasingly rapid rate.” AI tools can scan and scrape the web for company information, helping cyberattackers build detailed profiles of employees or other targets to create highly convincing social engineering lures.
Another recent example of attackers exploiting legitimate systems for phishing involves spoofing Google email systems by reusing valid DKIM signatures. This technique manipulates Google’s OAuth framework to send emails that appear authentically signed, bypassing DMARC checks. It underscores a broader trend where attackers abuse trusted platforms and protocols to lend legitimacy to their scams.
To strengthen defenses against identity-based phishing attacks, cybersecurity experts recommend a multi-layered approach. For organizations still using ADFS, transitioning to Microsoft Entra ID is advised, as it offers more phishing-resistant authentication methods.
Implementing advanced email security solutions, monitoring authentication activity for anomalies, and providing regular security awareness training are also crucial steps. Employees should be educated on identifying phishing attempts and verifying unusual login requests with their IT department. The move towards zero-trust security frameworks, requiring continuous verification, is also seen as a future standard.