Microsoft warns of widespread phishing attacks using open redirects
Microsoft warns of massive credential phishing campaign that exploits open redirect links in email communications as a vehicle to trick users into visiting malicious websites while effectively bypassing security software.
“Attackers combine these links with social engineering bait that masquerades as well-known productivity tools and services to trick users into clicking,” Microsoft 365 Defender Threat Intelligence Team noted in a report released this week.
“This leads to a series of redirects – including a CAPTCHA verification page which adds a sense of legitimacy and tries to evade some automated analysis systems – before leading the user to a bogus login page. ultimately leads to a compromise of credentials, which opens the user and their organization to further attacks. “
While redirect links in email messages are an essential tool for directing recipients to third-party websites or tracking click-through rates and measuring the success of sales and marketing campaigns, the same technique can be misused by adversaries to redirect those links to their own infrastructure, while keeping the trusted domain in the full URL intact to escape scanning by anti-malware engines, even when users attempt to hover over the links for any sign of suspicious content.
The redirect URLs embedded in the message are configured using a legitimate service for the purpose of directing potential victims to phishing sites, while the actor-controlled end domains contained in the link exploit the domains. top-level .xyz, .club, .shop, and .online (for example “c-tl[.]xyz “), which are passed as parameters and thus stealthily pass beyond email gateway solutions.
Microsoft said it observed at least 350 unique phishing domains as part of the campaign – an attempt to obscure detection – highlighting the campaign’s effective use of compelling social engineering decoys that purport to be notification messages. ‘applications like Office 365 and Zoom, a well-designed evasion detection technique and a durable infrastructure to carry out attacks.
“This not only shows the scale with which this attack is being carried out, but it also shows how much attackers are investing in it, indicating potentially large gains,” the researcher said.
To give the attack a veneer of authenticity, clicking on specially crafted links redirects users to a malicious landing page that uses Google reCAPTCHA to block any dynamic analysis attempts. Upon completion of the CAPTCHA verification, victims are shown to a fraudulent login page mimicking a service known as Microsoft Office 365, only to slip in their passwords when submitting information.
“This phishing campaign illustrates the perfect storm of [social engineering, detection evasion, and a large attack infrastructure] in its attempt to steal credentials and ultimately infiltrate a network, ”the researchers noted. “And given that 91% of all cyber attacks come from emails, organizations must therefore have a security solution that will provide them with a multi-layered defense against these types of attacks. “