Microsoft has issued a security alert on a broad credential phishing attempt that uses open redirector URLs in email messages to lure users into visiting malicious websites while circumventing security measures.
The alert explains: “Doing so leads to a series of redirections — including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems — before taking the user to a fake sign-in page. This ultimately leads to credential compromise, which opens the user and their organization to other attacks.”
“Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking,” said the Microsoft 365 Defender Threat Intelligence Team.
Redirect links in email messages are a legitimate tool for sending recipients to third-party websites, tracking click rates, and measuring the success of sales and marketing campaigns. Adversaries, however, can abuse the same mechanism to point such links at their own infrastructure while keeping the trusted domain visible in the full URL. This helps the link evade anti-malware engines, and it also misleads users who hover over or inspect the link for signs that it is suspicious.
The redirect URLs embedded in the message are built with a legitimate service, while the final actor-controlled domains use top-level domains such as .xyz, .club, .shop, and .online (e.g. “c-tl[.]xyz”). These final destinations are supplied as parameters to the redirect URL, which lets the links get past email gateway solutions.
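The mechanism above, a trusted redirector host with the real destination hidden in a query parameter, can be checked on the receiving side by peeling the redirect parameters apart and looking at where the chain ends. The following is an added example of such a check, not code from Microsoft's advisory; the parameter names, the sample URLs and the placeholder domains are all constructed for illustration.

```python
"""Flag email links whose nested redirect target lands on a watch-listed TLD.

Added example, not from the advisory. All hosts below are constructed placeholders.
"""
from urllib.parse import parse_qs, unquote, urlparse

# Query-parameter names commonly used by redirect endpoints (assumed list).
REDIRECT_PARAMS = {"url", "redirect", "redir", "r", "u", "target", "dest", "next", "goto"}
# Top-level domains the advisory names as hosting the final phishing pages.
WATCHED_TLDS = {"xyz", "club", "shop", "online"}


def extract_redirect_chain(url, max_depth=5):
    """Return the hosts visited while unwrapping nested redirect parameters.

    Each hop is unquoted once more after parse_qs, so a double-encoded
    destination (an evasion trick) is still recovered.
    """
    chain = []
    current = url
    for _ in range(max_depth):
        parsed = urlparse(current)
        if not parsed.netloc:
            break
        chain.append(parsed.netloc.lower())
        nested = None
        for name, values in parse_qs(parsed.query).items():
            if name.lower() in REDIRECT_PARAMS:
                candidate = unquote(values[0])
                if urlparse(candidate).netloc:
                    nested = candidate
                    break
        if nested is None:
            break
        current = nested
    return chain


def is_suspicious_redirect(url):
    """True when the visible host differs from a final host on a watched TLD."""
    chain = extract_redirect_chain(url)
    if len(chain) < 2:
        return False
    final_host = chain[-1].split(":")[0]
    tld = final_host.rsplit(".", 1)[-1]
    return tld in WATCHED_TLDS and chain[0] != chain[-1]


if __name__ == "__main__":
    # Constructed sample: trusted-looking tracker wrapping a watched-TLD destination.
    sample = "https://trusted-redirector.example/track?url=https%3A%2F%2Fphish-placeholder.xyz%2Fcaptcha"
    print(extract_redirect_chain(sample), is_suspicious_redirect(sample))
```

Run over every URL pulled from a message body, the chain (not only the first host) is what should be compared against reputation lists and block rules.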
Microsoft said it discovered at least 350 different phishing domains as part of the campaign, highlighting the campaign’s effective use of convincing social engineering lures that appear to be notifications from Office 365 and Zoom, a well-crafted detection evasion technique, and a long-lasting infrastructure to carry out the attacks. This indicates the level of investment that goes into conducting such attacks.
Clicking the specially crafted URLs takes users to a malicious landing page that uses Google reCAPTCHA to block dynamic scanning attempts while giving the attack a genuine appearance. After completing the CAPTCHA verification, the victims are directed to a fake login page that imitates Microsoft Office 365, and their passwords are stolen when they submit the form.
Since the vast majority of such attacks are delivered by email, there is a need for stronger email security to tackle them.