AI phishing campaigns are becoming more advanced, with fraudsters now targeting contractors seeking jobs with the US government. Perception Point researchers discovered a new operation called the “Uncle Scam” campaign.
Attackers use advanced tools such as AI-powered phishing kits and Microsoft Dynamics 365 to execute out complex, multi-step attacks. These deceptive approaches bypass security barriers and deliver convincing phishing emails generated by Large Language Models (LLMs).
A user receives an email purporting to be from the General Services Administration (GSA), a procurement-supporting U.S. government department. The email is forwarded to thousands of organisations and looks official. It claims that the U.S. Department of Energy is inviting recipients to bid as subcontractors for a federal project.
The user is prompted to click a link to submit their offer on time. This link takes users to a fake GSA website with a domain that closely resembles the real GSA domain. Users may mistake the phishing site for the legitimate one due to its striking resemblance.
A pop-up window directing users through the RFQ registration procedure appears when they visit the phishing URL. The message prompts them to click “Register For RFQ,” enter their email, and authenticate their identity.
It explains that upon successful authentication, the company will be added to the system and the given contact will get a confirmation email. By requiring many clicks to access the fake login page, this comprehensive pop-up provides a layer of legitimacy and helps in evading discovery.
Clicking on links or using search functions on the phishing website directs users to legitimate GSA websites. This gives the fake website more legitimacy, which makes it more difficult for people to identify it as risky.
The ‘Register For RFQ’ button redirects users to a website that requires them to complete a captcha. By blocking automated security tools from accessing the credential harvesting page, this step helps attackers in avoiding discovery. Once users submit their details, attackers successfully launch the attack.
Phishing exploits the reliability of Dynamics 365
The fact that Microsoft’s Dynamics 365 Marketing platform is being used makes this phishing effort quite effective. Attackers use the domain ‘dyn365mktg[dot]com,’ linked to Dynamics 365, to distribute their malicious emails.
Phishing emails have a higher chance of getting past spam filters and reaching gullible receivers since this domain is pre-authenticated by Microsoft and complies with DKIM and SPF standards.
The phishing attempt appears genuine due to the domain’s strong deliverability and built-in trustworthiness, increasing the likelihood of success. AI phishing emails gain credibility when sent from a reliable platform like Dynamics 365, making them harder to detect and more persuasive.
As a result, these phishing emails frequently have a professional tone, proper language, and particular data customised to the impersonated departments.
Attackers can effectively expand their efforts by using LLMs to create several, slightly different phishing email versions. The ability to scale ensures that every email is distinct and of consistently excellent quality, which makes it more difficult for victims to recognise the phishing attempt.
Protecting your company from advanced scams like the “Uncle Scam” doesn’t have to be challenging. Look out for emails that seem authentic but have red flags such as incorrect email addresses, suspicious links, or strange language.
Providing frequent training to your team and investing in AI-powered security technologies might be your most effective defence.
Phishing Tackle provides training course videos that cover different types of artificial intelligence threats designed to counter the ever-changing risks posed by artificial intelligence. We offer a free 14-day trial to help train your users to help train your users in avoiding these types of attacks and to test their knowledge with simulated phishing attacks.
