Microsoft has reported a global credential phishing campaign that uses open redirector links in email messages as a vector to lure users into visiting malicious websites while bypassing security software.
How it works
To appear legitimate, the attacker sends a specially crafted link that, when clicked, redirects the user to a malicious landing page. The landing page uses Google reCAPTCHA to block automated dynamic scanning. After the CAPTCHA is completed, the user is presented with a fraudulent login page that impersonates a known service such as Microsoft Office 365; any credentials submitted on this page are captured by the attacker.
The redirect URLs embedded in the message are set up on a legitimate service, while the final attacker-controlled destination, which uses top-level domains such as .xyz, .club, .shop and .online, is passed to the redirector as a URL parameter. Because the visible link belongs to a trusted domain, the message is more likely to evade email gateway solutions.
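As an added illustration (not part of the original alert), the following Python checks links in an email body for the pattern described above: a URL on a legitimate-looking host that carries a percent-encoded absolute URL as a query parameter, with the final destination on one of the named TLDs. The hostnames and the sample message are constructed for this example.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# TLDs named in the advisory as used by the actor-controlled final domains.
SUSPICIOUS_TLDS = {"xyz", "club", "shop", "online"}

# Constructed sample message: one redirector link and one ordinary link.
SAMPLE_EMAIL = """Your mailbox is almost full. Review your quota here:
https://redirector.example-saas.com/go?u=https%3A%2F%2Fverify-office365.club%2Flogin
Help centre: https://docs.example.com/help?page=1
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_redirect_targets(url):
    """Return absolute URLs carried in the query string of `url`, following
    chained redirectors (a target that is itself a redirector) recursively."""
    targets = []
    for values in parse_qs(urlparse(url).query, keep_blank_values=True).values():
        for value in values:
            candidate = unquote(value)  # also handles double-encoded values
            if candidate.lower().startswith(("http://", "https://")):
                targets.append(candidate)
                targets.extend(extract_redirect_targets(candidate))
    return targets


def analyze_link(url):
    """Compare the host the user sees with the host the link finally lands on."""
    visible_host = urlparse(url).hostname or ""
    targets = extract_redirect_targets(url)
    final_host = (urlparse(targets[-1]).hostname or "") if targets else visible_host
    reasons = []
    if targets and final_host != visible_host:
        reasons.append("open redirect: %s forwards to %s" % (visible_host, final_host))
    tld = final_host.rsplit(".", 1)[-1] if "." in final_host else ""
    if tld in SUSPICIOUS_TLDS:
        reasons.append("final destination uses TLD .%s" % tld)
    return {"visible_host": visible_host, "final_host": final_host,
            "reasons": reasons, "suspicious": bool(reasons)}


def scan_email_body(text):
    """Run analyze_link over every URL found in the message body."""
    return [analyze_link(u) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    for result in scan_email_body(SAMPLE_EMAIL):
        print(result)
```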
This not only shows the scale of the attack being conducted, but also how much the attacker is investing in exploiting open redirects, which suggests the campaign is expected to yield significant payoffs.
For further information on this vulnerability, kindly follow the URL:
While no current patch is available, users are advised to follow recommended best practices such as:
Deploy a security solution that provides a multi-factor, layered defence against this type of attack.
Do not enter personal information in pop-ups.
Install a phishing filter on your web browser.
Do not click on links listed in email messages that look suspicious.
Train employees on how to identify and avoid falling prey to phishing.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
Microsoft warns of widespread phishing attacks on using open redirects (26th August 2021). Retrieved from Microsoft.
Microsoft warns of widespread phishing attacks on using open redirects (31st August 2021). Retrieved from ZDNet.