Microsoft warns of widespread open redirection phishing attack – which Defender can block, coincidentally

Some tactics never change much

Microsoft has warned that it has been tracking a widespread credential-phishing campaign that relies on open redirector links, while simultaneously suggesting it can defend against such schemes.

"Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking," the company's Microsoft 365 Defender Threat Intelligence Team said in a blog post on Thursday.

"Doing so leads to a series of redirections – including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems – before taking the user to a fake sign-in page."

An open redirect is when a web application allows an HTTP parameter to contain a user-supplied URL that causes the HTTP request to be redirected to the referenced resource.

Microsoft says that open redirects have legitimate uses, pointing to the way sales and marketing campaigns rely on them to lead customers to specific landing pages and to gather web metrics. But open redirects are also commonly abused.

The messages in this particular campaign, according to the company, tend to follow a common pattern. They use a few generic subject lines formatted thus:

  • [Recipient username] 1 New Notification
  • Report Status for [Recipient Domain Name] at [Date and Time]
  • Zoom Meeting for [Recipient Domain Name] at [Date and Time]
  • Status for [Recipient Domain Name] at [Date and Time]
  • Password Notification for [Recipient Domain Name] at [Date and Time]
  • [Recipient username] eNotification

Once opened, the messages present a button to show the purported notification message. The button is linked to a trusted domain appended with redirection parameters in a way that's intended to look convincing to a casual level of scrutiny, such as a brief glimpse of the full URL when a mouse pointer is hovering over the button.

Example of phishing URL, from Microsoft


Anyone who understands how URLs and appended parameters work probably wouldn't be duped, but less savvy users might well see the initial trusted URL and assume all's well, unconcerned about all the parameter data added to the request.
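The pattern described above, a trusted host whose query string carries an absolute URL to somewhere else, is straightforward to flag mechanically. The following is an added example (not Microsoft's code or any of the page's own tooling) that inspects a link's query parameters and reports any that point off the link's own host, using constructed sample URLs; it also catches scheme-relative (`//host/...`) and percent-encoded targets, which hover-over previews tend to hide.

```python
"""Flag links whose query parameters carry an external redirect target."""
from urllib.parse import urlsplit, parse_qsl, unquote


def _target_host(value: str):
    """Return the host an absolute or scheme-relative URL points at, else None."""
    v = unquote(value).strip()          # tolerate double-encoded values
    if v.startswith("//"):              # scheme-relative URLs still redirect off-site
        v = "https:" + v
    parts = urlsplit(v)
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None


def find_external_redirects(url: str):
    """Return (param, host) pairs for query params whose value is a URL on another host.

    Same-host and subdomain targets are ignored, since those are the legitimate
    landing-page use the article mentions; anything else is worth a closer look.
    """
    parts = urlsplit(url)
    link_host = (parts.hostname or "").lower()
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        host = _target_host(value)
        if host and host != link_host and not host.endswith("." + link_host):
            hits.append((name, host))
    return hits


# Constructed sample links; the hosts are placeholders, not real indicators.
SAMPLE_LINKS = [
    "https://trusted.example.com/go?url=https%3A%2F%2Flogin.example-phish.net%2Fsignin%3Femail%3Duser%40corp.example",
    "https://trusted.example.com/r?next=/dashboard",
    "https://trusted.example.com/r?next=//evil.example.net/x",
    "https://trusted.example.com/r?next=https://sub.trusted.example.com/ok",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        hits = find_external_redirects(link)
        verdict = "EXTERNAL REDIRECT" if hits else "ok"
        print(f"{verdict:17} {link}  {hits if hits else ''}")
```

Run over mail-gateway or proxy logs, a non-empty result is a reasonable trigger for detonating the link in a sandbox rather than trusting the leading domain.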

To further convey the illusion of safety and legitimacy, the redirection takes the victim to a Google reCAPTCHA page, which Microsoft theorizes also serves to frustrate dynamic scanning and content checking of the phishing page at the end of the redirection.

Those who successfully complete the CAPTCHA puzzle and demonstrate to the phishers that they're legitimate marks get shown a website that pretends to be a known, legitimate service, like Microsoft Office 365. And the scam site loads with the target's email address – passed to the phishing page as a parameter in the phishing URL – and often with corporate logos or other branding to make the login page look more like it's implementing common single sign-on behavior.

If the victim enters a password, that's not the end of it. The page then refreshes with an error message declaring that the session timed out and directing the visitor to enter the password again, a data validation practice not unlike the double opt-in ritual used by email marketing list services to ensure compliance with spam laws.

For being so kind as to confirm their passwords, phishing victims get redirected to a legitimate Sophos security website indicating, falsely, that the email message that they were notified to retrieve has been released.

Microsoft says it has detected at least 350 unique phishing domains involved in this campaign. The scheme appears to have the potential to go far beyond that – the redirection URLs come from a domain-generation algorithm that creates phishing domains on the fly, as needed.

Sophisticated as this scheme may sound, Microsoft insists its Defender for Office 365 software offers adequate protection because it includes a built-in sandbox that examines all redirection links. Defender allegedly does so "even in cases where the landing page requires CAPTCHA verification," which doesn't exactly inspire a lot of confidence in CAPTCHAs as a means for distinguishing between human and automated interaction.

That being the case, why is Microsoft bothering to sound the alarm? Well, 91 per cent of all cyberattacks originate with email, according to Redmond. Clearly, phishing still works, as does selling security by pointing that out. ®

Biting the hand that feeds IT © 1998–2022