Blox Tales: Microsoft Defender Vishing Using AnyDesk

Written by Abhishek Iyer

In today’s Blox Tale, we will look at a vishing (voice phishing) attack that impersonated Microsoft and attempted to steal victims’ credit card details. The emails contained fake order receipts for a Microsoft Defender subscription and included phone numbers to call for processing order returns. Calling the listed number led to a vishing flow in which the attacker told the victim to install AnyDesk for an attempted Remote Desktop Protocol (RDP) attack.

Before we go through the attacks in greater detail, a brief description of vishing for the uninitiated: vishing (or voice phishing) is a type of scam where malicious actors steal personal information from victims over the phone or by leaving fraudulent voice messages. Armorblox has recently covered Amazon and tech support vishing attacks.

Now let’s focus on the attack at hand:

Summary

Target: A cloud collaboration software company

Email security bypassed: Google Workspace email security

Techniques used: Social engineering, brand impersonation, replicating existing workflows, vishing (no URLs in email), using a Gmail address, omni-channel attack flow

Fig: Microsoft Defender vishing that uses AnyDesk in its attack flow

The Email

The email was sent from a Gmail account, had “Microsoft Online Store” as the sender name, and was titled “Order Confirmation No” followed by a long and genuine-looking invoice number. The email contained HTML styling similar to genuine emails sent from Microsoft, and included information on a subscription for Microsoft Defender Advanced Protection supposedly purchased by the victim.

A snapshot of the email is given below:

Fig: Email impersonating Microsoft and including a phone number to call

The email body invites victims to “contact customer care representatives” for more information about the order. The footer includes a toll-free number to call: the only call to action in the email.

We also observed a variant of this vishing email that made minor changes to the email title, body, invoice amount, and toll-free number, but was still essentially the same vishing email.

Fig: A variant of the Microsoft vishing email with minor changes to the email body

Vishing Flow

The Armorblox threat research team called both toll-free numbers from a disposable Google Voice number. While one of the numbers led to an endless ringtone, the other number had a real human on the end of the line who identified themselves as Sam.

Sam asked us for the invoice number tied to the email, which we provided. Sam then told us the only way to get our money back was by filling out an “information form”. To help fill out this form, Sam spelled out the website address for AnyDesk, a remote desktop software, and suggested that we download the free version of the software. They claimed installing AnyDesk would enable us to more securely access their server and fill out the form.

We asked a few clarifying questions at this point that made Sam suspicious, thus ending the call (maybe our French accent wasn’t up to par). 

We learned enough from this vishing flow to posit that attackers are trying to get victims to install AnyDesk and then initiate an RDP attack. The end goal could have been installing malware/ransomware on the victims’ system, stealing their login data, extracting sensitive/confidential company information, and so on. Once the attacker has control of a victim’s system, all bets are off.

Recap of Techniques Used

This email attack employed a gamut of techniques to get past native email security controls and pass the eye tests of unsuspecting end users.

  • Social engineering: The email title, sender name, and content aimed to induce a sense of trust and urgency in the victims - a sense of trust because the email claimed to come from Microsoft, and a sense of urgency because it contained information on online product subscriptions that the victims hadn’t made, and thus would be eager to reverse.
  • Brand impersonation: The vishing email is replete with passable Microsoft branding and follows a structure similar to real subscription confirmation emails from Microsoft.
  • No URLs or conventional payloads: The email didn’t include any links or other conventional calls to action, which enabled it to bypass any detection controls that block known bad links. Including phone numbers as the payload makes the victim an active participant and continues the attack flow beyond the visibility of any email security solution.
  • Replicating existing workflows: The context for the email attack replicates workflows that already exist in our daily lives (ordering subscriptions online). When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action.
  • Using Gmail address: The vishing email was sent from a Gmail address, allowing it to successfully pass email authentication checks. Attackers regularly bypass email authentication controls by sending malicious emails from Gmail, Yahoo, and Hotmail accounts.
  • Attempted RDP attack: The attacker tries to lead victims through a prepared vishing flow and get them to install AnyDesk for an RDP attack.

Guidance and Recommendations

1. Augment native email security with additional controls

The email highlighted in this blog got past Google Workspace email security. For better protection coverage against email attacks (whether they’re spear phishing, business email compromise, or vishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection.

Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2020, and should be a good starting point for your evaluation.

2. Watch out for social engineering cues

Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible.

Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. Why is the Microsoft email sent from a Gmail account? Why are there no links in the email including the footer?).
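
The eye test above can be partly automated. The following is an added example, not Armorblox's detection logic or code from the original post: it lists which of the cues described in this post appear in a message. The brand and freemail lists, the regular expressions, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed lists for illustration; extend for your own environment.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}
BRANDS = {"microsoft": {"microsoft.com"}}
URL_RE = re.compile(r"https?://|www\.", re.I)
# North American toll-free prefixes with loose separators.
PHONE_RE = re.compile(
    r"(?:\+?1[\s.-]?)?\(?8(?:00|33|44|55|66|77|88)\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Constructed sample modelled on the email described in the post.
SAMPLE = """\
From: Microsoft Online Store <orders.example@gmail.com>
To: user@example.com
Subject: Order Confirmation No 0000000000
Content-Type: text/html; charset=utf-8

<p>Thank you for purchasing Microsoft Defender Advanced Protection.</p>
<p>Contact customer care representatives toll-free: +1 (800) 555-0100</p>
"""

def body_text(msg):
    """Decode and join every text/* part of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def vishing_signals(raw_email):
    """Return the callback-phishing cues present in one RFC 5322 message."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = body_text(msg)  # URLs are searched before HTML tags are stripped
    visible = re.sub(r"<[^>]+>", " ", body)
    signals = []
    for brand, legit in BRANDS.items():
        owned = any(domain == d or domain.endswith("." + d) for d in legit)
        if brand in name.lower() and not owned:
            signals.append("brand_display_name_mismatch")
    if domain in FREEMAIL:
        signals.append("freemail_sender")
    if not URL_RE.search(body):
        signals.append("no_urls")
    if PHONE_RE.search(visible):
        signals.append("callback_phone_number")
    return signals
```

No single cue is conclusive on its own; the combination of a brand display name on a freemail address with a phone number as the only call to action is what matches the emails in this post.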

3. Be wary of sharing any sensitive information over the phone

Be very suspicious of any caller who asks for sensitive information or asks you to download something over the phone. If you suspect the call you’re on is a potential vishing conversation, immediately hang up and don’t feel obliged to carry on speaking or replying to questions out of politeness.

If the caller provides a call-back number, avoid calling that number and instead search for a publicly available number of the company (in this case, Microsoft) and call that number.

4. Follow MFA and password management best practices

Since all workplace accounts are so closely interlinked, sharing credentials to one of your accounts can prove to be very dangerous as cybercriminals send emails in your name to trick your customers, partners, acquaintances, and family members.

If you haven’t already, implement these hygiene best practices:

  • Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
  • Don’t use the same password on multiple sites/accounts.
  • Use password management software to store your account passwords.
  • Avoid using passwords that tie into your publicly available information (date of birth, anniversary date, etc.).
  • Don’t repeat passwords across accounts or use generic passwords such as ‘password123’, ‘YourName123’, etc.
