Microsoft researchers detected a new phishing campaign leveraging open redirector links (open redirects) in emails in an attempt to bypass security software and trick users into visiting malicious pages.
Open redictor links combined with social engineering
The attack is based on the combination of open redirector links and social engineering tricks impersonating popular productivity tools to lure users into clicking. Once a user clicks on the said link, a series of redirections happen, including a CAPTCHA verification page. This page’s purpose is adding “a sense of legitimacy” and evading automated analysis, and eventually leading the user to a fake sign-in page. The end goal is clear – credential compromise. Shortly said, harvested credentials can be weaponized in further attacks against the compromised organization.
Why are phishing operators using open redirects?
In fact, open redirects in email communications are quite common among organizations. Sales and marketing specialists use them to lead customers to specific landing pages and track click rates. Of course, attackers have found a way to exploit this feature by linking it to a URL in a trusted domain and embedding the final malicious URL as a parameter, Microsoft said. By doing this, phishing operators may prevent users and security solutions from quickly detecting possible malicious intent.
“For instance, users trained to hover on links and inspect for malicious artifacts in emails may still see a domain they trust and thus click it. Likewise, traditional email gateway solutions may inadvertently allow emails from this campaign to pass through because their settings have been trained to recognize the primary URL without necessarily checking the malicious parameters hiding in plain sight,” the report explained.
Another notable thing about this phishing campaign is the use of various domains for its sender infrastructure, also done for the purpose of evading detection.
“These include free email domains from numerous country code top-level domains (ccTLDs), compromised legitimate domains, and attacker-owned domain generated algorithm (DGA) domains,” the company reported. At least 350 unique phishing domains have been detected so far in this campaign alone. This important detail reveals the determination and effort attackers have put in the campaign, thus indicating “potentially significant payoffs.”
In February, researchers uncovered another novel technique used by phishing operators: a new obfuscation technique that uses Morse code to conceal malicious URLs within an email attachment. This was perhaps the first case of threat actors utilizing Morse code in such a way.