Microsoft has warned Office 365 customers of an ongoing phishing campaign that abuses open redirects, a redirection mechanism used in email sales and marketing tools that can send a visitor to an untrusted site.
An HTTP parameter may contain a URL value that causes the web application to redirect the request to the specified URL. By modifying the URL value to point to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
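As an added illustration (not from Microsoft's report or the original article), the following sketch flags links whose query parameters carry a URL on a different host than the link itself, which is the pattern described above. The function names and the sample links on reserved .example/.test domains are constructed for this example, and treating subdomains of the link's host as the same site is an assumption.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

def url_host(value):
    """Host of an absolute or scheme-relative web URL, else None."""
    v = value.strip().replace("\\", "/")  # browsers read backslash as slash
    if v.startswith("//"):                # scheme-relative form
        v = "https:" + v
    try:
        parts = urlsplit(v)
        host = parts.hostname             # ignores any user@ prefix
    except ValueError:                    # malformed netloc
        return None
    if parts.scheme.lower() in ("http", "https") and host:
        return host.lower()
    return None

def redirect_params(link, max_decode=3):
    """Return (parameter, target_host) pairs where a query parameter of
    `link` holds a URL on a host other than the link's own host."""
    parts = urlsplit(link)
    own = (parts.hostname or "").lower()
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decoded once; peel extra layers of percent-encoding
        for _ in range(max_decode):
            target = url_host(value)
            if target and target != own and not target.endswith("." + own):
                hits.append((name, target))
                break
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
    return hits

# Constructed sample links on reserved .example/.test domains
SAMPLES = [
    "https://mail.vendor.example/track?id=7&url=https%3A%2F%2Fsignin.other.test%2F",
    "https://mail.vendor.example/r?to=https%253A%252F%252Fsignin.other.test",
    "https://mail.vendor.example/r?u=//signin.other.test/x",
    "https://mail.vendor.example/r?next=%2Fdashboard",
    "https://mail.vendor.example/r?u=https://help.mail.vendor.example/a",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(redirect_params(link) or "no cross-host target", link)
```

A hit means the link deserves a closer look in mail filtering or triage; legitimate tracking links also redirect across hosts, so the result is a signal rather than a verdict.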
According to the Microsoft 365 Defender Threat Intelligence Team, attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking. Doing so leads to a series of redirections, including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems, before taking the user to a fake sign-in page. This ultimately leads to credential compromise, which opens the user and their organization to other attacks.
In this campaign, the team noticed that the emails seemed to follow a general pattern that displayed all the email content in a box with a large button that led to credential harvesting pages when clicked. The subject lines for the emails varied depending on the tool they impersonated. In general, Microsoft observed that the subject lines contained the recipient’s domain and a timestamp.