Microsoft has warned Office 365 customers that they are being targeted by a widespread phishing campaign aimed at stealing usernames and passwords.
The ongoing phishing campaign uses multiple links; clicking on them triggers a series of redirects that lead victims to a Google reCAPTCHA page and then to a fake login page where Office 365 credentials are stolen.
The attack relies on a feature of e-mail sales and marketing tools called "open redirects", which has been abused in the past to send a visitor who expects a trusted destination to a malicious website instead. Google does not consider open redirects on Google URLs to be a security issue, but it does display a "redirect alert" in the browser.
Microsoft warns that this feature is being abused by phishing attackers.
"However, attackers may abuse open redirects to link to a trusted domain URL and add the final malicious URL as a parameter. Such abuse may prevent users and security solutions from quickly recognizing possible malicious intent," warns the Microsoft 365 Defender Threat Intelligence Team.
The trick depends on the standard advice to users to hover the mouse pointer over a link in an e-mail and check its destination before clicking.
"When recipients hover over the link or button in the e-mail, they are shown the full URL. Since the actors set up open redirects using a legitimate service, users see a legitimate domain name that is likely associated with a company they know and trust. We believe that attackers are exploiting this open and reputable platform to try to avoid detection while redirecting potential victims to phishing sites," warns Microsoft.
"Users who are trained to hover over links and inspect e-mails for malicious artifacts can still see a domain they trust and thus click on it," it said.
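The two Microsoft quotes above describe the mismatch a mail filter should look for: the domain a user sees on hover is the redirector's, while the real destination sits in a query-string parameter. The following is an added example, not code from the article, Microsoft or Google; it unwraps nested redirect parameters by string parsing alone (no network access) and flags a link when the final host is outside a constructed allow-list. All hostnames, the `TRUSTED_DOMAINS` set and the sample links are constructed placeholders, and the assumption that the first URL-valued parameter is the redirect target is a simplification.

```python
"""Added example (not from the article, Microsoft or Google): flag e-mail links
whose visible domain differs from the destination hidden in a redirect parameter.
Every hostname and URL below is a constructed placeholder."""
from urllib.parse import urlparse, parse_qs

# Constructed allow-list of domains this organisation actually trusts.
TRUSTED_DOMAINS = {"trusted.example", "mail.corp.example"}

MAX_DEPTH = 5  # stop unwrapping after this many nested redirects

# Constructed sample links (not real campaign URLs); each nested URL is
# percent-encoded once per level, as a real redirector parameter would be.
SAMPLE_LINKS = [
    # visible host is trusted, hidden destination is a credential-harvesting page
    "https://trusted.example/redirect?url=https%3A%2F%2Fphish.example%2Fo365%2Flogin",
    # redirect that stays on the trusted domain: benign
    "https://trusted.example/redirect?url=https%3A%2F%2Ftrusted.example%2Fcalendar",
    # plain link with no redirect parameter
    "https://trusted.example/news/article",
    # two chained redirectors before the final destination
    "https://trusted.example/r?u=https%3A%2F%2Fhop.example%2Fgo%3Fnext%3D"
    "https%253A%252F%252Fphish.example%252Fverify",
]


def _embedded_urls(url):
    """Return every absolute http(s) URL found among the query parameters of `url`.
    parse_qs already percent-decodes the values once."""
    parsed = urlparse(url)
    found = []
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for value in values:
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.netloc:
                found.append(value)
    return found


def unwrap_redirects(url, max_depth=MAX_DEPTH):
    """Follow redirect parameters purely by parsing (no requests are sent).
    Returns the chain from the visible link to the final destination."""
    chain = [url]
    current = url
    for _ in range(max_depth):
        nested = _embedded_urls(current)
        if not nested:
            break
        # Assumption: the first URL-valued parameter is the redirect target.
        current = nested[0]
        chain.append(current)
    return chain


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def assess_link(url, trusted=TRUSTED_DOMAINS):
    """Classify a link the way a mail filter might: the domain the user sees on
    hover versus the domain they would actually land on."""
    chain = unwrap_redirects(url)
    visible, final = host_of(chain[0]), host_of(chain[-1])
    return {
        "visible_host": visible,
        "final_host": final,
        "hops": len(chain) - 1,
        # a redirect whose end point is not on the allow-list is worth flagging
        "suspicious": len(chain) > 1 and final not in trusted,
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = assess_link(link)
        print(f"{verdict['visible_host']:>16} -> {verdict['final_host']:<16} "
              f"hops={verdict['hops']} suspicious={verdict['suspicious']}")
```

The point of the check is that the visible host alone says nothing: the first and second sample links look identical on hover, and only unwrapping the parameter separates the harvesting page from the benign calendar link. A production filter would also resolve the redirector server-side, since some redirectors encode the target in a path or a signed token rather than a plain query parameter.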
Microsoft has identified over 350 unique phishing domains used in this campaign, including free e-mail domains, compromised domains, and domains generated automatically by the attacker's domain generation algorithm. The e-mail subject lines were tailored to the tool the attacker was imitating, such as a calendar alert for a Zoom meeting, a spam alert in Office 365, or a message about the commonly used, though not recommended, password expiration policy.
Although open redirects are not new, Microsoft took notice after observing a phishing campaign in August that relied on fake Microsoft URLs.
The Google reCAPTCHA check lends the site apparent legitimacy, since reCAPTCHA is widely used by sites to verify that a visitor is not a bot. In this case, however, the user is then redirected to a page that imitates the Microsoft login page and, at the end, to a legitimate page from Sophos, which offers a service to detect this type of phishing attack.
"If the user enters the password, the page refreshes and displays an error message stating that the page has timed out or that the password is incorrect and that they need to enter the password again. This is probably done to get the user to enter the password twice, allowing the attackers to ensure that they get the correct password.
"When the user enters their password again, the page leads to a legitimate Sophos website claiming that the e-mail has been released. This adds another layer of false legitimacy to the phishing campaign."
Google's position on open redirects is that they are not a security issue in themselves, although it does admit that they can be used to trigger other vulnerabilities. Google also disputes the idea that hovering over a link in an app to see its destination URL is a useful phishing-awareness tip.
“Open redirects take you from a Google URL to another site chosen by the person who designed the link. Some members of the security community claim that the redirects help phishing because users may be inclined to trust the mouse pointer tooltip on a link and then fail to examine the address bar when navigating.
"Our view of this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so we invest in technologies to detect and alert users to phishing and abuse, but we generally believe that a small number of monitored redirects provides clear benefits and poses very little practical risk."