Microsoft is warning of a widespread credential phishing campaign that leverages open redirector links in email communications as a vector to trick users into visiting malicious websites while effectively bypassing security software.
“Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking,” the Microsoft 365 Defender Threat Intelligence Team said in a report published this week.
“Doing so leads to a series of redirections — including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems — before taking the user to a fake sign-in page. This ultimately leads to credential compromise, which opens the user and their organization to other attacks.”
Although redirect links in email messages are a legitimate tool for taking recipients to third-party websites or for tracking click rates to measure the success of sales and marketing campaigns, adversaries can abuse the same technique to point such links at their own infrastructure while keeping the trusted domain in the full URL intact. This evades analysis by anti-malware engines and also defeats users who hover over a link to check for signs of suspicious content, since the visible domain is the trusted one.
The redirect URLs embedded in the message are set up using a legitimate service in an attempt to lead potential victims to phishing sites, while the final actor-controlled domains contained in the link use the top-level domains .xyz, .club, .shop, and .online (e.g. “c-tl[.]xyz”). Because these destinations are passed as parameters rather than appearing as the link's host, they sneak past email gateway solutions.
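As an added illustration of the defender-side check this description implies (example code, not from Microsoft's report), the following Python walks the query string of a link, extracts any destination URLs that a redirector passes as parameters, follows nested redirect chains, and flags links whose final hop lands on one of the TLDs named above. The redirector host, parameter names and sample links are constructed for this example; only the .xyz/.club/.shop/.online TLDs and the c-tl.xyz domain come from the report.

```python
from urllib.parse import urlsplit, parse_qsl

# TLDs the report names as hosting the final, actor-controlled phishing pages.
SUSPICIOUS_TLDS = (".xyz", ".club", ".shop", ".online")

# Constructed: the legitimate redirector host an organisation actually uses.
TRUSTED_REDIRECTORS = {"links.trusted-service.example"}


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def redirect_targets(url, depth=0, max_depth=5):
    """Return every URL carried inside the query string of `url`, in hop order.

    Open redirectors hand the real destination over as a parameter value, so the
    trusted host stays at the front of the link. A value may itself be another
    redirect link (a chain), so we descend a bounded number of levels.
    parse_qsl percent-decodes each value once, which unwraps one hop per level.
    """
    targets = []
    if depth > max_depth:
        return targets
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            targets.append(value)
            targets.extend(redirect_targets(value, depth + 1, max_depth))
    return targets


def classify_link(url, trusted_hosts=TRUSTED_REDIRECTORS, tlds=SUSPICIOUS_TLDS):
    """Classify a link: 'untrusted-host', 'no-redirect', 'redirect' or 'suspicious-redirect'."""
    if host_of(url) not in trusted_hosts:
        return "untrusted-host"          # not one of our redirectors; handled elsewhere
    chain = redirect_targets(url)
    if not chain:
        return "no-redirect"             # a plain link on the trusted host
    if host_of(chain[-1]).endswith(tlds):
        return "suspicious-redirect"     # trusted front, actor-controlled TLD at the end
    return "redirect"


# Constructed sample links: a hop to the report's c-tl.xyz domain, a benign use of the
# same redirector, and a two-hop chain whose final destination is on .club.
SAMPLE_LINKS = [
    "https://links.trusted-service.example/redirect?url=https%3A%2F%2Fc-tl.xyz%2Flogin",
    "https://links.trusted-service.example/redirect?url=https%3A%2F%2Fdocs.example.com%2Fguide",
    "https://links.trusted-service.example/r?u=https%3A%2F%2Ftracker.example.net%2Fgo"
    "%3Fnext%3Dhttps%253A%252F%252Fportal.club%252F",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify_link(link), "<-", link)
```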
Microsoft said it observed at least 350 unique phishing domains as part of the campaign, a volume that itself serves to obscure detection. This underscores the campaign's effective use of convincing social engineering lures that purport to be notification messages from apps like Office 365 and Zoom, a well-crafted detection evasion technique, and a robust infrastructure to carry out the attacks.
“This not only shows the scale with which this attack is being conducted, but it also demonstrates how much the attackers are investing in it, indicating potentially significant payoffs,” the researchers said.
To give the attack a veneer of authenticity, clicking the specially crafted links redirects users to a malicious landing page that employs Google reCAPTCHA to block any dynamic scanning attempts. Upon completion of the CAPTCHA verification, victims are shown a fraudulent login page mimicking a known service like Microsoft Office 365, which steals their passwords as soon as they submit the information.
“This phishing campaign exemplifies the perfect storm of [social engineering, detection evasion, and a large attack infrastructure] in its attempt to steal credentials and ultimately infiltrate a network,” the researchers noted. “And given that 91% of all cyberattacks originate with email, organizations must therefore have a security solution that will provide them multi-layered defense against these types of attacks.”