The Microsoft 365 Defender Threat Intelligence Team has actively tracked a widespread credential phishing campaign using open redirector links. Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking.

Doing so leads to a series of redirections—including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems—before taking the user to a fake sign-in page, says the Threat Intelligence Team. This ultimately leads to credential compromise, which opens the user and their organization to other attacks.

According to Microsoft, open redirects in email communications are common among organizations for various reasons. For example, sales and marketing campaigns use this feature to lead customers to the desired landing page and track click rates and other metrics. However, attackers could abuse open redirects to link to a URL in a trusted domain and embed the eventual final malicious URL as a parameter. Such abuse may prevent users and security solutions from quickly recognizing possible malicious intent.

This phishing campaign is also notable for its use of various domains for its sender infrastructure—another attempt to evade detection. These include free email domains from numerous country code top-level domains (ccTLDs), compromised legitimate domains, and attacker-owned domain generated algorithm (DGA) domains. As of this writing, the Threat Intelligence Team has observed at least 350 unique phishing domains used for this campaign. This not only shows the scale with which this attack is being conducted, but it also demonstrates how much the attackers are investing in it, indicating potentially significant payoffs.

With cybercriminals now heavily targeting cloud platforms and subsequently taking over employee accounts, every organization should be prioritizing cloud security and cloud data protection, says Pravin Kothari, Senior Vice President of SASE Products at Lookout, a San Francisco, Calif.-based endpoint-to-cloud security company.


Kothari adds, "While many organizations have implemented strong password controls or Single Sign-on, they have not added adaptive or contextual access control to their access management. Organizations need to implement a security strategy that protects users, devices, and data from the individual endpoint up to the cloud. These phishing attacks are particularly effective on mobile devices. This is because smartphones and tablets have simplified interfaces that hide many red flags indicative of phishing attacks. They can also deliver phishing links through email, SMS, social media platforms, third-party messaging apps, gaming and more."


In addition, Kothari says that organizations need to implement a cloud access security broker (CASB) solution to detect anomalous logins and activity indicative of a compromised account through user and entity behavior analytics (UEBA). "A CASB built for today's threat landscape enables automated zero-trust, adaptive access control, and rights management capabilities. For example, if a user logs out in New York then suddenly logs in from Moscow only a few minutes later, or starts accessing and exfiltrating highly sensitive files, then the organization can create policies to revoke that employee's access. This can prevent attackers from exfiltrating data or encrypting and locking files as part of an advanced cyberattack such as ransomware."

Joseph Carson, Chief Security Scientist and Advisory CISO at ThycoticCentrify, a Washington D.C.-based provider of cloud identity security solutions, suggests good password hygiene must be part of employee and cyber awareness training. "The average employee isn't properly trained in cyber hygiene and best practices, making them easy targets for cybercriminals looking to access an organization's networks quickly and easily via a phishing attack or clever social engineering. Ensuring that employees at all levels of the organization are given adequate training about how to identify malware-laced emails and other basic attempts at credential theft can be a major step to help reduce the success rate of an attack or at least raise an alert. By normalizing training within the workplace culture, organizations can help maintain vigilance for these practices long term."