A large-scale phishing campaign has been detected that targets Microsoft 365 credentials by taking advantage of vulnerabilities in websites that allow open redirects. Open redirects are a tried and tested phishing method and are used to redirect website visitors to an untrusted website, where malicious content is hosted. That content could be malware that is downloaded onto a user’s device or, in this case, a phishing form that is used to steal Microsoft 365 credentials.

These attacks are made possible by the misconfiguration of websites: a web application accepts user-controlled input that specifies a link to an external site, and redirects visitors to that malicious URL. This technique is very effective. It can allow email security solutions to be bypassed. If an email security solution performs a reputation check of the URL, the email is likely to be delivered, since the URL included in the phishing email directs a user to a reputable site. This technique is also effective at tricking victims, since they will initially be directed to a trusted site.

In this campaign, at least two trusted domains are used – Snapchat and American Express – which both have open redirects that send victims to malicious websites. Like many Microsoft 365 phishing attacks, the emails impersonate a variety of brands, including Microsoft Office 365, FedEx, and DocuSign. The lures used in the campaign are relevant to the brand being impersonated, such as alerts from Microsoft 365 that the user has unread messages that could not be delivered, or a collaboration request on a document hosted on DocuSign.

American Express has addressed the open redirect issue; Snapchat has yet to confirm that the issue has been resolved. Other websites could similarly be attacked and have their open redirects abused. The campaign has involved thousands of emails from hijacked Google Workspace and Microsoft 365 accounts.

Website owners can improve their defenses against attacks such as these by displaying a prompt when a visitor is about to be redirected to a third-party website, requiring a click to proceed. Businesses can improve their defenses against Microsoft 365 credential phishing campaigns such as this by implementing an advanced spam filtering solution that rewrites URLs and follows all redirects (SpamTitan Plus, for example), using a web filter that blocks access to malicious web content, and providing security awareness training to their employees. The latter is especially important, as these open redirect tactics can often see email security solutions bypassed.

Open redirects should be specifically covered in security awareness training, without getting too technical. Employees should be told that legitimate-looking URLs in emails can redirect them to malicious sites, and to always check the actual domain they are being directed to, not just the link text. These redirects can be identified because the URL will contain terms such as “url=,” “redirect=,” “external-link,” or “proxy,” and often multiple occurrences of “HTTP”. Employees should also carefully check the URL they land on and make sure it is the official domain used by the company being spoofed.
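
The indicators listed above can also be checked automatically when links are extracted from inbound email. The following Python sketch is an added example, not code from any vendor or product mentioned in this article: it flags links whose query string carries a URL on a different host and reports which of the listed terms appear. The function names, hint lists, and sample links (on reserved example and test domains) are constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Indicator terms named in the article (hypothetical names for this example).
PARAM_HINTS = ("url", "redirect")
PATH_HINTS = ("external-link", "proxy")

# Constructed sample links on reserved example/test domains.
SAMPLES = [
    "https://trusted.example/out?url=https%3A%2F%2Flogin.phish.test%2Fm365",
    "https://trusted.example/external-link?to=https%253A%252F%252Fphish.test%252F",
    "https://trusted.example/login?redirect=https%3A%2F%2Faccount.trusted.example%2F",
    "https://trusted.example/news/2022/article",
]

def find_redirect_target(link):
    """Return the off-site URL carried in a query parameter, or None."""
    parts = urlsplit(link)
    outer = (parts.hostname or "").lower()
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value).strip()  # second decode catches double encoding
        if value.startswith("//"):  # scheme-relative target
            value = "https:" + value
        if not value.lower().startswith(("http://", "https://")):
            continue
        inner = (urlsplit(value).hostname or "").lower()
        # Same host or a subdomain of the linked host is treated as on-site.
        if inner and inner != outer and not inner.endswith("." + outer):
            return value
    return None

def link_indicators(link):
    """List which of the article's warning signs a link shows."""
    parts = urlsplit(link)
    reasons = []
    target = find_redirect_target(link)
    if target:
        reasons.append("off-site target: " + urlsplit(target).hostname)
    names = [n.lower() for n, _ in parse_qsl(parts.query, keep_blank_values=True)]
    if any(hint in name for name in names for hint in PARAM_HINTS):
        reasons.append("redirect-style parameter")
    if any(hint in parts.path.lower() for hint in PATH_HINTS):
        reasons.append("redirect-style path")
    if unquote(link).lower().count("http") > 1:
        reasons.append("multiple 'http' occurrences")
    return reasons

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", link_indicators(sample) or "no indicators")
```

The third sample shows why the keyword terms alone are weak evidence: a same-site redirect still matches “redirect=” and contains “http” twice, so the off-site host comparison is the signal worth alerting on.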