Microsoft is warning of a widespread credential phishing campaign that leverages open redirector links in email communications as a vector to trick users into visiting malicious websites while effectively bypassing security software. An open redirector link is one where a web application or server takes a user-submitted URL and redirects the visitor to it; such links are widely used to send recipients to third-party websites and to measure the success of sales and marketing campaigns. By replacing that URL value with a malicious site, attackers turn a trusted-looking link into a phishing lure that steals user credentials.
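To make the open-redirector pattern concrete from the defender's side, here is an added example (not code from Microsoft, Lloyd's, or the original article). It shows the two checks a practitioner would want: a mail-filter heuristic that flags links whose trusted outer host carries a second, external URL in its query string, and a server-side allowlist for the redirect endpoint itself so it can no longer forward to arbitrary destinations. The host names, the `url` parameter name, and the sample links are constructed for illustration and are not indicators from the campaign.

```python
"""Defender-side helpers for the open-redirector phishing pattern.

Added example, not the article's or Microsoft's code. All host names and
sample links below are constructed assumptions, not real indicators.
"""
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed set of hosts the organisation controls, including its link-tracking
# redirector (constructed for this example).
TRUSTED_HOSTS = {"mail.example.com", "links.example.com"}


def _looks_like_url(value: str) -> bool:
    """True when a query-parameter value is itself an absolute or
    scheme-relative http(s) URL (after one extra round of percent-decoding,
    which also catches double-encoded targets)."""
    v = unquote(value).strip().lower()
    return v.startswith(("http://", "https://", "//"))


def extract_redirect_targets(url: str) -> list[str]:
    """Return the host of every URL embedded in the query string of `url`.

    This is the shape of an open-redirector link: a trusted outer host whose
    query parameter carries the real (attacker-chosen) destination.
    """
    parts = urlsplit(url)
    targets = []
    # parse_qs already percent-decodes once; _looks_like_url/unquote handle a
    # second layer in case the target was double-encoded.
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for value in values:
            if _looks_like_url(value):
                host = urlsplit(unquote(value).strip()).hostname
                if host:
                    targets.append(host.lower())
    return targets


def is_suspicious_redirect(url: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Flag a link whose outer host is trusted but which forwards to an
    outside host. Links whose outer host is not ours are left to other
    controls (reputation, sandboxing) and return False here."""
    outer = (urlsplit(url).hostname or "").lower()
    if outer not in trusted_hosts:
        return False
    return any(t not in trusted_hosts for t in extract_redirect_targets(url))


def safe_redirect_target(requested: str, allowed_hosts=TRUSTED_HOSTS,
                         fallback: str = "https://mail.example.com/") -> str:
    """Server-side hardening for the redirect endpoint: only forward to a host
    on an explicit allowlist; anything else (external host, non-URL value,
    scheme-relative trick) goes to a fixed safe landing page instead."""
    if not _looks_like_url(requested):
        return fallback
    decoded = unquote(requested).strip()
    host = (urlsplit(decoded).hostname or "").lower()
    return decoded if host in allowed_hosts else fallback


if __name__ == "__main__":
    # Constructed sample links modelled on the pattern in the report.
    samples = [
        "https://links.example.com/track?id=42&url=https%3A%2F%2Fmail.example.com%2Finbox",
        "https://links.example.com/track?id=42&url=https%3A%2F%2Flogin-placeholder.invalid%2Fo365",
        "https://links.example.com/track?id=42&url=%2F%2Flogin-placeholder.invalid%2Fo365",
        "https://news.example.org/story?ref=https://other.invalid/",
    ]
    for s in samples:
        print("SUSPICIOUS" if is_suspicious_redirect(s) else "ok        ", s)
```

The mail-filter check is a heuristic, not a verdict: a trusted tracker legitimately forwarding to a partner site will also trip it, so in practice it feeds a quarantine or rewrite step rather than a hard block. The `safe_redirect_target` allowlist is the fix that removes the class of problem at the source, because once the redirector refuses external hosts there is nothing for the campaign to abuse.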
Microsoft said it observed at least 350 unique phishing domains as part of the campaign. To evade detection, the attackers use well-crafted evasion techniques and durable infrastructure to carry out the attacks. To give the attack a veneer of authenticity, messages are disguised as coming from apps like Office 365 and Zoom. By clicking the specially crafted links, users are redirected to a malicious landing page that employs Google reCAPTCHA to block any dynamic scanning attempts. Upon completion of the CAPTCHA verification, victims are shown a fraudulent login page mimicking a known service such as Microsoft Office 365, which steals their passwords as soon as they submit the form.
According to Microsoft, the messages in this particular campaign tend to follow a common pattern. They use a small set of generic subject lines, such as:
- [Recipient username] 1 New Notification
- Report Status for [Recipient Domain Name] at [Date and Time]
- Zoom Meeting for [Recipient Domain Name] at [Date and Time]
- Status for [Recipient Domain Name] at [Date and Time]
- Password Notification for [Recipient Domain Name] at [Date and Time]
- [Recipient username] eNotification
Lloyd’s clients have an established set of security solutions that will provide them with a multi-layered defense against these types of attacks. The first line of defense is doing everything we can to block malicious emails from reaching you in the first place. A multi-layered defense system is key in our ability to quickly find and shut down email attacks.