{"id":42537,"date":"2021-08-26T17:00:10","date_gmt":"2021-08-26T17:00:10","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=96153"},"modified":"2021-08-26T17:00:10","modified_gmt":"2021-08-26T17:00:10","slug":"widespread-credential-phishing-campaign-abuses-open-redirector-links","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/widespread-credential-phishing-campaign-abuses-open-redirector-links\/","title":{"rendered":"Widespread credential phishing campaign abuses open redirector links"},"content":{"rendered":"

Microsoft has been actively tracking a widespread credential phishing campaign using open redirector links. Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking. Doing so leads to a series of redirections\u2014including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems\u2014before taking the user to a fake sign-in page. This ultimately leads to credential compromise, which opens the user and their organization to other attacks.<\/p>\n

The use of open redirects in email communications is common among organizations for various reasons. For example, sales and marketing campaigns use this feature to lead customers to a desired landing web page and track click rates and other metrics. However, attackers could abuse open redirects to link to a URL in a trusted domain and embed the eventual final malicious URL as a parameter. Such abuse may prevent users and security solutions from quickly recognizing possible malicious intent.<\/p>\n

For instance, users trained to hover on links and inspect for malicious artifacts in emails may still see a domain they trust and thus click it. Likewise, traditional email gateway solutions may inadvertently allow emails from this campaign to pass through because their settings have been trained to recognize the primary URL without necessarily checking the malicious parameters hiding in plain sight.<\/p>\n

\"Diagram<\/p>\n

Figure 1. Attack chain for the open redirect phishing campaign<\/em><\/p>\n

This phishing campaign is also notable for its use of a wide variety of domains for its sender infrastructure\u2014another attempt to evade detection. These include free email domains from numerous country code top-level domains (ccTLDs), compromised legitimate domains, and attacker-owned domain generated algorithm (DGA) domains. As of this writing, we have observed at least 350 unique phishing domains used for this campaign. This not only shows the scale with which this attack is being conducted, but it also demonstrates how much the attackers are investing in it, indicating potentially significant payoffs.<\/p>\n

Today\u2019s email threats rely on three things to be effective: a convincing social engineering lure, a well-crafted detection evasion technique, and a durable infrastructure to carry out an attack. This phishing campaign exemplifies the perfect storm of these elements in its attempt to steal credentials and ultimately infiltrate a network. And given that 91% of all cyberattacks originate with email<\/a>, Organizations must therefore have a security solution that will provide them multilayered defense against these types of attacks.<\/p>\n

Microsoft Defender for Office 365<\/a> detects these emails and prevents them from being delivered to user inboxes using multiple layers of dynamic protection technologies, including a built-in sandbox that examines and detonates all the open redirector links in the messages, even in cases where the landing page requires CAPTCHA verification. This ensures that even the embedded malicious URLs are detected and blocked. Microsoft Defender for Office 365 is backed by Microsoft experts who enrich the threat intelligence that feeds into our solutions through expert monitoring of email campaigns.<\/p>\n

Attack analysis: Credential phishing via open redirector links<\/h2>\n

Credential phishing emails represent an extremely prevalent way for threat actors to gain a foothold in a network. The use of open redirects from legitimate domains is far from new, and actors continue to abuse its ability to overcome common precautions.<\/p>\n

Phishing continues to grow as a dominant attack vector with the goal of harvesting user credentials. From our 2020 Digital Defense Report<\/a>, we blocked over 13 billion malicious and suspicious mails in the previous year, with more than 1 billion of those emails classified as URL-based phishing threats.<\/p>\n

In this campaign, we noticed that the emails seemed to follow a general pattern that displayed all the email content in a box with a large button that led to credential harvesting pages when clicked. The subject lines for the emails varied depending on the tool they impersonated. In general, we saw that the subject lines contained the recipient\u2019s domain and a timestamp as shown in the examples below:<\/p>\n