Cybercriminals have been detected executing a new and vicious phishing scheme targeting contractors seeking employment with the US government.
Perception Point researchers revealed that the “Uncle Scam” campaign bypasses security controls to send sophisticated phishing emails, generated with large language models (LLMs), that are extremely convincing.
Attackers use advanced tools, including AI-powered phishing kits and the Microsoft Dynamics 365 platform, to execute convincing multi-step attacks.
Microsoft Dynamics 365 and LLM Abuse
The campaign begins with a phishing email that appears to come from a legitimate U.S. government agency, such as the General Services Administration (GSA).
The email invites recipients to submit bids for federal projects, mimicking real procurement notices, but upon clicking on the link provided in the email, the user is redirected to a fake GSA website that closely resembles the legitimate one.
The attackers have gone to great lengths to replicate the official site, even including navigation links and a search bar that redirect users to real GSA pages. For reference, the legitimate GSA domain is www.gsa.gov, while the fraudulent domain may have this format “gsa-gov-dol-procurement-notice(.)procure-rfq(.)online”.
Once the phishing site is entered, users are asked to register for the RFQ (request for quotation) by providing their email and other details. This extra step is not just for show, but is designed to make the phishing attempt more convincing and to evade detection. The attackers further complicate matters by including a CAPTCHA page, making it difficult for automated security tools to access the credential harvesting page.
One of the key elements that makes this phishing campaign particularly effective is the abuse of Microsoft’s Dynamics 365 Marketing platform. The attackers use the “dyn365mktg.com” domain, associated with Dynamics 365, to send their malicious emails. Because this domain is pre-authenticated by Microsoft and passes SPF and DKIM checks, the phishing emails are more likely to bypass spam filters and reach the inboxes of unsuspecting recipients.
This built-in credibility, coupled with the high deliverability of emails from this domain, makes the phishing attempt appear legitimate and increases its chances of success. Using a trusted marketing platform like Dynamics 365 adds a layer of authenticity to phishing emails, making them more convincing and harder to detect.
The “Uncle Scam” campaign also uses large language models (LLMs) to create phishing emails. These models allow attackers to generate high-quality, contextually accurate phishing emails that mimic the tone and structure of legitimate communications. The emails are typically grammatically correct and professional in tone, and they incorporate details specific to the impersonated agencies.
Using LLMs also lets attackers scale their phishing efforts efficiently: they can produce many variants of the same phishing email with minor differences. Each email is therefore unique yet of consistent quality, which makes the scam harder for victims to spot.
To protect your organization from falling victim to sophisticated phishing attacks like “Uncle Scam,” Perception Point recommends taking the following precautions:
- Double-check the sender's email: Always carefully check the sender's email address for any signs of phishing.
- Hover before clicking: Before clicking on any link, hover over it to reveal the actual URL and make sure it is legitimate.
- Look for errors: Pay attention to minor grammatical errors, unusual phrasing, or inconsistencies in the email content.
- Leverage advanced detection tools: Deploy AI-powered, multi-layered security solutions to detect and neutralize sophisticated phishing attempts.
- Educate your team: Regularly train employees on how to identify phishing emails and on the importance of scrutinizing unsolicited communications.
- Trust your instinct: If an email or offer seems too good to be true, it probably is. Always verify the authenticity of such communications through trusted channels.
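The two checks above (inspecting the sender and the real URL behind a link) can be automated against the campaign's pattern: a display name claiming a government agency while the address sits on the dyn365mktg.com marketing domain, and links whose host borrows “gsa”/“gov” tokens without being a .gov domain. The following is an added example written for this article, not code from Perception Point or the campaign; the token list, regexes and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# From the article: the real GSA domain and the Dynamics 365 sending domain.
LEGIT_AGENCY_DOMAINS = {"gsa.gov"}
BULK_SENDER_DOMAINS = {"dyn365mktg.com"}
# Tokens a look-alike host borrows to impersonate the agency (assumed list).
IMPERSONATION_TOKENS = {"gsa", "gov", "procurement", "rfq"}
AGENCY_NAME_RE = re.compile(r"\b(gsa|general services|government)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def registrable_domain(host: str) -> str:
    """'www.gsa.gov' -> 'gsa.gov' (simplified: ignores suffixes like .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_urls(body: str) -> list:
    """URLs whose host borrows agency tokens but is neither gsa.gov nor any .gov."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host.endswith(".gov") or registrable_domain(host) in LEGIT_AGENCY_DOMAINS:
            continue
        if set(re.split(r"[.-]", host)) & IMPERSONATION_TOKENS:
            hits.append(url)
    return hits

def sender_mismatch(raw_message: str) -> bool:
    """Display name claims a government agency but the address is on a bulk-marketing
    domain; SPF/DKIM passing for that domain says nothing about the agency."""
    name, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    domain = registrable_domain(addr.rpartition("@")[2])
    return bool(AGENCY_NAME_RE.search(name)) and domain in BULK_SENDER_DOMAINS

def triage(raw_message: str) -> dict:
    """Run both checks; any hit means verify through a trusted channel first."""
    urls = lookalike_urls(message_from_string(raw_message).get_payload())
    mismatch = sender_mismatch(raw_message)
    return {"sender_mismatch": mismatch, "lookalike_urls": urls,
            "suspicious": mismatch or bool(urls)}

# Constructed sample message modelled on the campaign described in the article.
SAMPLE = """From: "U.S. General Services Administration" <rfq@notify.dyn365mktg.com>

Submit your quotation here:
https://gsa-gov-dol-procurement-notice.procure-rfq.online/register
Reference: https://www.gsa.gov/
"""
```

Running `triage(SAMPLE)` flags both the sender mismatch and the look-alike registration link while leaving the genuine www.gsa.gov reference untouched.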
Cybercriminals’ tactics are evolving, and the “Uncle Scam” phishing campaign is a reminder of this fact. Hackers have developed highly convincing and difficult-to-detect phishing operations with the help of trusted platforms like Microsoft Dynamics 365 and advanced AI tools. However, with vigilance and sound proactive measures, organizations and businesses can protect themselves from these threats.