Microsoft is warning of a widespread credential phishing campaign that leverages open redirector links in email communications as a vector to trick users into visiting malicious websites while effectively bypassing security software.
“Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking,” Microsoft 365 Defender Threat Intelligence Team said in a report published this week.
“Doing so leads to a series of redirections — including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems — before taking the user to a fake sign-in page. This ultimately leads to credential compromise, which opens the user and their organization to other attacks.”
Although redirect links in email messages serve as a legitimate tool for taking recipients to third-party websites or for tracking click rates and measuring the success of sales and marketing campaigns, the same technique can be abused by adversaries to point such links at their own infrastructure while keeping the trusted domain in the full URL intact, evading analysis by anti-malware engines even when users hover over links to check for signs of suspicious content.
The redirect URLs embedded in the message are set up using a legitimate service in an attempt to steer potential victims to phishing sites, while the final actor-controlled domains contained in the link use the top-level domains .xyz, .club, .shop, and .online (e.g. “c-tl[.]xyz”). These destination domains are passed as URL parameters and thus sneak past email gateway solutions.
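To show the detection side of what the paragraph above describes, here is an added Python example (not code from Microsoft's report) that pulls the nested destination URL out of a redirector link's query string and flags it when the final host sits on a different domain than the trusted outer host, marking it suspicious when that host uses one of the TLDs named above. The redirector host and the sample links are constructed; `c-tl.xyz` is the example domain quoted in the report.

```python
from urllib.parse import parse_qs, unquote, urlparse

# TLDs the report names as hosting the final actor-controlled phishing domains
SUSPECT_TLDS = {"xyz", "club", "shop", "online"}


def extract_redirect_targets(url: str) -> list:
    """Return every absolute URL carried in the query string of `url`.
    One extra level of percent-encoding is unwrapped, since redirector
    services often receive the destination double-encoded."""
    query = urlparse(url).query
    targets = []
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            candidate = unquote(value)
            if candidate.lower().startswith(("http://", "https://")):
                targets.append(candidate)
    return targets


def classify_link(url: str) -> dict:
    """Flag a link whose trusted outer host forwards, via a parameter, to a
    host on another domain; mark it suspicious if that host uses a TLD
    associated with this campaign."""
    outer_host = (urlparse(url).hostname or "").lower()
    findings = []
    for target in extract_redirect_targets(url):
        inner_host = (urlparse(target).hostname or "").lower()
        if not inner_host or inner_host == outer_host:
            continue  # same-site navigation, not an open redirect
        tld = inner_host.rsplit(".", 1)[-1]
        findings.append({"redirect_host": inner_host,
                         "suspect_tld": tld in SUSPECT_TLDS})
    return {
        "outer_host": outer_host,
        "external_redirects": findings,
        "suspicious": any(f["suspect_tld"] for f in findings),
    }


# Constructed sample links: the redirector host is a placeholder (assumption);
# c-tl.xyz is the domain the report itself cites.
SAMPLE_LINKS = [
    "https://redirector.example.com/track?url=https%3A%2F%2Fc-tl.xyz%2Flogin",
    "https://redirector.example.com/track?url=https%3A%2F%2Fdocs.example.com%2Ffile",
    "https://redirector.example.com/home?next=%2Fdashboard",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify_link(link))
```

Only the first sample is flagged as suspicious; the second is an external redirect on an ordinary TLD, and the third is a relative path, so it yields no finding.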
Microsoft said it observed at least 350 unique phishing domains as part of the campaign — an attempt to obscure detection — underscoring the campaign's effective use of convincing social engineering lures that purport to be notification messages from apps like Office 365 and Zoom, a well-crafted detection evasion technique, and a durable infrastructure to carry out the attacks.
“This not only shows the scale with which this attack is being conducted, but it also demonstrates how much the attackers are investing in it, indicating potentially significant payoffs,” the researcher said.
To give the attack a veneer of authenticity, clicking the specially crafted links redirects users to a malicious landing page that employs Google reCAPTCHA to block dynamic scanning attempts. Upon completion of the CAPTCHA verification, the victims are shown a fraudulent login page mimicking a known service like Microsoft Office 365, which steals their passwords upon submission.
“This phishing campaign exemplifies the perfect storm of [social engineering, detection evasion, and a large attack infrastructure] in its attempt to steal credentials and ultimately infiltrate a network,” the researchers noted. “And given that 91% of all cyberattacks originate with email, organizations must therefore have a security solution that can provide them multi-layered defense against these types of attacks.”