Microsoft has been tracking a widespread credential phishing campaign using open redirector links combined with social engineering lures that spoof known productivity tools to trick users. Attackers also use a CAPTCHA verification page to add a sense of legitimacy to the campaign.
The emails' subject lines varied with the tool being impersonated, but generally included the recipient's domain and a timestamp. All the emails followed the same layout: the message body in a box with a large button that led to a credential-harvesting page when clicked.
Recipients who hover over the link or button see the full URL, but because the attackers routed the links through a legitimate service's open redirector, the hostname they see is a legitimate domain they are likely to recognize; the real destination is carried in the query string. Microsoft also says it observed a spam run this month that used a Microsoft-spoofing lure with the same infrastructure and redirection chain.
Victims who click the link are redirected to attacker-controlled infrastructure, where a page presents a Google reCAPTCHA challenge. Once the challenge is solved, the victim is shown a site that impersonates a legitimate service and asks for their password. The email address field is already filled in with the target's address, which adds further credibility to the page.
After the password is submitted, the page refreshes with an error message and asks for the password a second time, a common trick to weed out typos and make sure the attackers capture a working credential. The page then redirects to a legitimate Sophos site stating that the email has been released, so the victim has no obvious reason to suspect anything happened.
"The use of open redirects in email communications is common among organizations for various reasons," the Microsoft 365 Defender Threat Intelligence Team wrote in a blog post. Sales and marketing campaigns use this to bring customers to desired landing pages and track click rates and other metrics.
"However, attackers could abuse open redirects to link to a URL in a trusted domain and embed the eventual final malicious URL as a parameter," officials continue. "Such abuse may prevent users and security solutions from quickly recognizing possible malicious intent."
Employees who have been trained to hover over links and check the destination may therefore see a trusted domain and click anyway.
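The pattern Microsoft describes, a trusted host whose query string carries the real destination, is easy to check for mechanically, both in mail filtering and on the redirector itself. The following is an added example, not code from Microsoft's post or from any affected service: `embedded_targets` flags query parameters whose value is a URL pointing at a host other than the link's own host (including protocol-relative `//host` and double-encoded values), and `safe_redirect_target` shows the server-side fix, honouring only same-site paths or an explicit host allowlist. The sample links, hostnames (`trusted.example`, `attacker.example`) and parameter names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample links modelled on the campaign's pattern: the visible host
# is trustworthy, the real destination rides in a query parameter.
SAMPLE_LINKS = [
    "https://trusted.example/track/click?id=123&url=https://attacker.example/verify?u=victim%40corp.example",
    "https://trusted.example/go?to=%2Fdocs%2Fwelcome",          # relative target, stays on-site
    "https://trusted.example/r?next=//attacker.example/login",   # protocol-relative, off-site
    "https://trusted.example/r?next=https%253A%252F%252Fattacker.example%252Fx",  # double-encoded
    "https://trusted.example/landing?campaign=spring",
]


def embedded_targets(link):
    """Return [(param_name, foreign_host), ...] for every query parameter whose
    value is itself a URL pointing somewhere other than the link's own host.
    An empty list means the link carries no off-site redirect target."""
    parts = urlsplit(link)
    own_host = (parts.hostname or "").lower()
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl percent-decodes once; a double-encoded payload only becomes
        # a URL after a second decode, so inspect both forms.
        for candidate in (value, unquote(value)):
            target = urlsplit(candidate)
            host = (target.hostname or "").lower()
            # '//host/path' has a netloc but no scheme; it still leaves the site.
            if target.netloc and host and host != own_host:
                findings.append((name, host))
                break
    return findings


def safe_redirect_target(requested, allowed_hosts, fallback="/"):
    """Server-side fix for an open redirector: return `requested` only if it is a
    same-site path or an https URL to an allowlisted host, else `fallback`."""
    # Browsers normalise backslashes to slashes; reject them outright.
    if "\\" in requested or any(ord(c) < 0x20 for c in requested):
        return fallback
    target = urlsplit(requested)
    if not target.scheme and not target.netloc:
        # Relative reference: must be a single-slash absolute path.
        return requested if target.path.startswith("/") and not target.path.startswith("//") else fallback
    if target.scheme == "https" and (target.hostname or "").lower() in allowed_hosts:
        return requested
    return fallback  # foreign host, protocol-relative, userinfo trick, odd scheme


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", embedded_targets(link) or "ok")
    for req in ("/docs/welcome", "//attacker.example/x", "https://trusted.example@attacker.example/"):
        print(req, "->", safe_redirect_target(req, {"trusted.example"}))
```

In a mail pipeline the detector is best applied to every href in the body, not only the visible button, and any hit should be enriched with the foreign host (the attacker-owned domain) rather than the trusted redirector, so the block list and the incident record point at the real destination.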
Read Microsoft's full blog post for more information.