Voicemail Phish Abuses Microsoft Dynamics 365 Marketing Host to Deliver CEO-Targeted CTA

TL;DR A personalized voicemail-alert email targeted a CEO with a 'Listen to Voicemail' CTA pointing to public-usa[.]mkt[.]dynamics[.]com, a legitimate Microsoft Dynamics 365 Marketing host. The message was sent on behalf of a legitimate voicemail-notification sender by an external relay (atcl[.]net), breaking DMARC alignment. The body appended an unrelated forwarded legal-confidentiality thread as a credibility prop. Attachments (invite[.]ics, small PNG) scanned clean. The malicious risk was entirely in the abused Dynamics 365 CTA.
Severity: High. Tags: Credential Harvesting, Infrastructure Abuse, VIP Targeting. MITRE: T1566, T1598, T1656

An attacker sent a personalized voicemail-alert email to a CEO with a single primary action: a "Listen to Voicemail" button that pointed to a URL on public-usa[.]mkt[.]dynamics[.]com, a legitimate Microsoft Dynamics 365 Marketing host. The phishing risk was embedded inside a Microsoft-owned domain, giving every URL-reputation scan a clean result. Authentication misalignment and a stitched-in legal boilerplate fragment were the artifacts that exposed the operation.

What the Attack Looked Like

The message presented as a standard voicemail notification: a caller name, a callback number, and a single CTA button labeled "Listen to Voicemail." The recipient was a CEO, specifically named in the message body. A caller name and local area-code phone number were included for verisimilitude.

The envelope sender was asif[@]atcl[.]net, sending "on behalf of" a legitimate voicemail-notification sender (anonymized). The From display showed a legitimate voicemail-notification sender, but the actual sending relay was atcl[.]net, an unrelated domain. The legitimate voicemail-notification sender domain has SPF, DKIM, and a DMARC policy of p=quarantine, but the external relay broke DMARC alignment because atcl[.]net is not authorized by the protected domain's SPF record.

The "Listen to Voicemail" CTA resolved to: hxxps://public-usa[.]mkt[.]dynamics[.]com/api/orgs//r/...

Microsoft Dynamics 365 Marketing is a legitimate marketing automation platform. The URL is a Microsoft-hosted redirect or form endpoint, not an obvious attacker-registered domain. URL reputation scanners returned a Mixed/Partial verdict, reflecting the tension between the trusted Microsoft host and the unknown behavior at the specific org endpoint.

Below the voicemail content, the message appended a forwarded thread containing legal confidentiality boilerplate, references to an unrelated law practice, and French-language corporate content from unrelated financial entities. This fragment was stitched in from a separate source, a common technique to add apparent legitimacy, pad message content to defeat simple template matchers, and mimic a complex multi-party communication chain.

A small calendar attachment (invite[.]ics, 592 bytes) and a PNG image (attachment-1[.]png, 7.8 KB) were included and scanned clean. The risk was in the CTA link, not the attachments.

Why It Bypassed Defenses

Dynamics 365 Marketing was the core evasion mechanism. The URL public-usa[.]mkt[.]dynamics[.]com is owned by Microsoft and used legitimately by thousands of organizations for marketing campaigns. No URL-reputation engine blocks it outright. Attackers who provision or abuse a Dynamics 365 Marketing org can host a phishing landing page, survey, or redirect flow behind a Microsoft-controlled URL. The victim clicks a Microsoft link and arrives at attacker content.

This is the same class of infrastructure abuse that makes Google Forms, DocuSign, and other legitimate SaaS platforms attractive for phishing. The host's reputation launders the malicious content.

The DMARC misalignment was a real signal, but it is easy to miss in high-volume environments. The p=quarantine policy on the sender domain means a correctly configured gateway should have treated the message with suspicion. But DMARC enforcement on inbound mail is often inconsistently applied, particularly when the displayed From address looks credible and the relay mismatch is subtle.

The CEO targeting added urgency and reduced the likelihood of careful scrutiny. A voicemail notification for an executive triggers a reflexive "I need to check this" response that benefits the attacker.

How It Was Caught

The IRONSCALES platform identified the envelope/From mismatch as an authentication alignment failure and correlated it with the mixed-verdict Dynamics 365 CTA and the content anomaly of an appended, multilingual, unrelated legal thread. No single signal was definitive. The combination of DMARC misalignment, platform-abuse CTA, VIP targeting, and structural inconsistency in the message body produced the phishing classification.

The attached calendar file was assessed carefully. Malicious .ics files can include meeting entries that contain phishing links or auto-accept flows. This one was clean and small, but the pattern warrants scrutiny in any VIP-targeted campaign.
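A triage sketch for the calendar-attachment check described above, added here as an example and not the platform's own logic: it unfolds RFC 5545 content lines (a fold can split a URL and hide it from a naive scan), then reports the METHOD and every URL in link-bearing properties. The sample invite, its `.example` hosts and the `LINK_PROPS` selection are constructed assumptions.

```python
import re

# Constructed invite for illustration; not the attachment from this incident.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:Voicemail follow-up\r\n"
    "DESCRIPTION:Listen here: https://files.example/voice\r\n"
    " mail?id=1\\nThanks\r\n"
    "LOCATION;LANGUAGE=en:https://meet.example/j/123\r\n"
    "ATTACH:https://files.example/msg.html\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)
LINK_PROPS = {"DESCRIPTION", "LOCATION", "URL", "ATTACH", "X-ALT-DESC"}

def unfold(ics):
    """RFC 5545 unfolding: a line break followed by space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics).splitlines()

def triage_ics(ics):
    """Return (METHOD, [(property, host, url), ...]) for link-bearing properties."""
    method, links = None, []
    for line in unfold(ics):
        # Split at the first colon that is not inside a quoted parameter value.
        m = re.match(r'((?:"[^"]*"|[^":])*):(.*)$', line)
        if not m:
            continue
        name = m.group(1).split(";")[0].upper()
        value = m.group(2)
        if name == "METHOD":
            method = value.strip().upper()
        elif name in LINK_PROPS:
            # Undo the TEXT escapes that can sit next to a URL.
            text = value.replace("\\n", " ").replace("\\N", " ").replace("\\,", ",")
            for url in re.findall(r'https?://[^\s"<>]+', text, flags=re.I):
                host = re.match(r"https?://([^/:?#]+)", url, flags=re.I).group(1).lower()
                links.append((name, host, url))
    return method, links
```

The extracted hosts can then be fed to the same URL analysis applied to links in the message body.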

Defender Takeaway

Legitimate SaaS marketing platforms are now a standard attacker delivery vehicle. URL reputation tools that evaluate domain owner rather than hosted content are structurally blind to this technique. Deploy behavioral URL analysis and screenshot-based verdict systems that evaluate what is actually rendered at the endpoint, not just who owns the domain.

Enforce DMARC alignment on inbound mail. An on-behalf-of send where the relay domain does not align with the From domain should generate a quarantine or block signal when the From domain publishes p=quarantine. This message had that signal available. It was not acted on at the gateway.
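The alignment check in the paragraph above, combined with the signal correlation described under "How It Was Caught", can be sketched as follows. This is an added example, not IRONSCALES code: the `.example` domains, the VIP list and the `from_policy` argument (standing in for a DNS lookup of the From domain's DMARC record) are assumptions, and the organizational-domain logic is a two-label simplification of the Public Suffix List lookup that DMARC uses.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample: every .example name and PLACEHOLDER value is invented.
RAW = """\
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=relay.example;
 dkim=pass header.d=relay.example
From: "Voicemail Service" <notify@voicemail-vendor.example>
To: ceo@corp.example

Listen to Voicemail: https://public-usa.mkt.dynamics.com/api/orgs/PLACEHOLDER/r/PLACEHOLDER
"""
SHARED_SAAS = ("mkt.dynamics.com",)  # host family named in the write-up
VIPS = {"ceo@corp.example"}          # hypothetical VIP list

def org_domain(domain):
    # Simplification: last two labels; production code needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def authenticated_domains(msg):
    """Domains that passed SPF (smtp.mailfrom) or DKIM (header.d)."""
    hdr = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.findall(r"spf=pass\b[^;]*?smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)", hdr)
    dkim = re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", hdr)
    return spf + dkim

def dmarc_aligned(msg):
    """Relaxed alignment: a passing identifier shares the From org domain."""
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    return any(org_domain(d) == org_domain(from_dom) for d in authenticated_domains(msg))

def signals(raw):
    msg, found = message_from_string(raw), set()
    hosts = [h.lower() for h in re.findall(r"https?://([\w.-]+)", msg.get_payload())]
    if not dmarc_aligned(msg):
        found.add("dmarc_misaligned")
    if any(h == s or h.endswith("." + s) for h in hosts for s in SHARED_SAAS):
        found.add("shared_saas_cta")
    if parseaddr(msg["To"])[1].lower() in VIPS:
        found.add("vip_recipient")
    return found

def verdict(raw, from_policy="quarantine"):
    # from_policy: the From domain's published DMARC p= value (no DNS lookup here).
    s = signals(raw)
    if "dmarc_misaligned" in s and from_policy in ("quarantine", "reject"):
        return from_policy, s
    return ("review" if len(s) >= 2 else "deliver"), s
```

Note that SPF and DKIM both pass in the sample; the message fails only because neither passing identifier aligns with the From domain.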

Treat credential harvesting attempts targeting executives as a separate risk tier. CEO voicemail lures are high-return targets for attackers. VIP accounts warrant closer inspection of any first-time or authentication-misaligned sender.

Indicators of Compromise

| Type | Indicator | Notes |
| --- | --- | --- |
| Phishing CTA | hxxps://public-usa[.]mkt[.]dynamics[.]com/api/orgs//r/... | Microsoft Dynamics 365 Marketing host; Mixed/Partial URL verdict |
| Envelope sender | asif[@]atcl[.]net | Relay sending on behalf of voicemail notification sender; DMARC misalignment |
| Authentication | DMARC misalignment (p=quarantine on From domain) | atcl[.]net relay breaks alignment with the legitimate sender domain-equivalent From domain |
| Attachment | invite[.]ics (592 bytes) | Calendar invite; scanned clean |
| Attachment | attachment-1[.]png (7.8 KB) | Image; scanned clean |
| Target profile | CEO / President | VIP spear-phishing targeting |
| MITRE | T1566 | Phishing |
| MITRE | T1598 | Phishing for Information |
| MITRE | T1656 | Impersonation |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.
