Microsoft has been actively tracking a widespread credential phishing campaign using open redirector links. Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking. Doing so leads to a series of redirections, including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems, before taking the user to a fake sign-in page. This ultimately leads to credential compromise, which opens the user and their organization to other attacks.

The use of open redirects in email communications is common among organizations for various reasons. For example, sales and marketing campaigns use this feature to lead customers to a desired landing web page and track click rates and other metrics. However, attackers can abuse open redirects to link to a URL in a trusted domain and embed the eventual final malicious URL as a parameter. Such abuse may prevent users and security solutions from quickly recognizing possible malicious intent.

For instance, users trained to hover on links and inspect for malicious artifacts in emails may still see a domain they trust and thus click it. Likewise, traditional email gateway solutions may inadvertently allow emails from this campaign to pass through because their filters have been trained to recognize the primary URL without necessarily checking the malicious parameters hiding in plain sight.

Diagram showing attack chain of phishing campaigns that use open redirect links

Figure 1. Attack chain for the open redirect phishing campaign

This phishing campaign is also notable for its use of a wide variety of domains for its sender infrastructure, another attempt to evade detection. These include free email domains from numerous country code top-level domains (ccTLDs), compromised legitimate domains, and attacker-owned domain generation algorithm (DGA) domains. As of this writing, we have observed at least 350 unique phishing domains used for this campaign. This not only shows the scale with which this attack is being conducted, but it also demonstrates how much the attackers are investing in it, indicating potentially significant payoffs.

Today's email threats depend on three things to be effective: a convincing social engineering lure, a well-crafted detection evasion technique, and a durable infrastructure to carry out an attack. This phishing campaign exemplifies the perfect storm of these elements in its attempt to steal credentials and ultimately infiltrate a network. And given that 91% of all cyberattacks originate with email, organizations must have a security solution that provides them multilayered defense against these types of attacks.

Microsoft Defender for Office 365 detects these emails and prevents them from being delivered to user inboxes using multiple layers of dynamic protection technologies, including a built-in sandbox that examines and detonates all the open redirector links in the messages, even in situations where the landing page requires CAPTCHA verification. This ensures that even the embedded malicious URLs are identified and blocked. Microsoft Defender for Office 365 is backed by Microsoft experts who enrich the threat intelligence that feeds into our solutions through expert monitoring of email campaigns.

Attack analysis: Credential phishing via open redirector links

Credential phishing emails represent an extremely prevalent way for threat actors to gain a foothold in a network. The use of open redirects from legitimate domains is far from new, and actors continue to abuse its ability to overcome common precautions.

Phishing continues to grow as a dominant attack vector with the objective of harvesting user credentials. From our 2020 Digital Defense Report, we blocked over 13 billion malicious and suspicious emails in the previous year, with more than 1 billion of those emails classified as URL-based phishing threats.

In this campaign, we noticed that the emails seemed to follow a general pattern that displayed all the email content in a container with a large button that led to credential harvesting pages when clicked. The subject lines for the emails varied depending on the tool they impersonated. In general, we observed that the subject lines contained the recipient's domain and a timestamp, as shown in the examples below:

[Recipient username] 1 New Notification
Report Status for [Recipient Domain Name] at [Date and Time]
Zoom Meeting for [Recipient Domain Name] at [Date and Time]
Status for [Recipient Domain Name] at [Date and Time]
Password Notification for [Recipient Domain Name] at [Date and Time]
[Recipient username] eNotification

Screenshot of email that uses open redirect link

Figure 2. Sample phishing email masquerading as an Office 365 notification

Once recipients hover their cursor over the link or button in the email, they are shown the full URL. However, since the actors set up open redirect links using a legitimate service, users see a legitimate domain name that is likely associated with a company they know and trust. We believe that attackers abuse this open and reputable platform to attempt evading detection while redirecting potential victims to phishing sites.

Screenshot of email showing the open redirector link when the mouse is hovered over the link in the email

Figure 3. Hover tip showing an open redirect link with a legitimate domain and the phishing link in the URL parameters

The final domains used in the campaigns observed during this period largely follow a specific domain generation algorithm (DGA) pattern and use .xyz and .club TLDs. The "Re-view invitation" button in Figure 3 points to a URL with a trusted domain followed by parameters, with the actor-controlled domain (c-hi[.]xyz) hidden in plain sight.

Figure 4. The actor-controlled domain uses a DGA pattern and a .xyz top-level domain

In August, we saw a fresh spam run from this campaign that used a somewhat updated Microsoft-spoofing lure and redirect URL but leveraged the same infrastructure and redirection chain.

Figure 5. Sample phishing email from a recent spam run from this phishing campaign

These crafted URLs are made possible by open redirection services currently in use by legitimate organizations. Such redirection services typically allow organizations to send out campaign emails with links that redirect to secondary domains from their own domains. For example, a hotel might use open redirects to take email recipients to a third-party booking website, while still using their primary domain in links embedded in their campaign emails.

Attackers abuse this functionality by redirecting to their own malicious infrastructure, while still maintaining the legitimate domain in the full URL. The organizations whose open redirects are being abused are perhaps unaware that this is even occurring.
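To make the abuse concrete, the following is an added example, not code from this post or from any redirector vendor: a minimal redirect handler written the way it gets abused (whatever is in the "url" parameter becomes the Location header), beside one that validates its target. The parameter name, the host links.example-marketing.test and the allowlist are assumptions for illustration; the only domain taken from the campaign is c-hi[.]xyz.

```python
# Added example (not from the Microsoft post or any redirector vendor): an open
# redirector that echoes its ?url= parameter, beside one that validates the target.
# SITE_BASE, TRUSTED_HOSTS and the parameter name are assumptions for illustration.
from urllib.parse import urljoin, urlsplit

SITE_BASE = "https://links.example-marketing.test/"  # assumed: the redirector's own origin
TRUSTED_HOSTS = {"links.example-marketing.test", "booking.partner.test"}  # assumed allowlist


def open_redirect_location(target: str) -> str:
    """The abused pattern: whatever the sender put in ?url= becomes the redirect.

    A link such as SITE_BASE + "r/?url=https://c-hi.xyz/login" therefore shows a
    trusted host on hover but lands on attacker infrastructure.
    """
    return target


def safe_redirect_location(target: str, fallback: str = SITE_BASE) -> str:
    """Redirect only to https URLs whose host is on the allowlist; otherwise go home.

    Covers the usual bypasses: scheme-relative //evil, backslash \\evil, userinfo
    tricks https://trusted@evil, non-http schemes and lookalike subdomains.
    """
    if not target:
        return fallback
    # Browsers treat backslashes like slashes in http(s) URLs, so normalise first;
    # urljoin then resolves relative paths against our own origin.
    resolved = urljoin(SITE_BASE, target.replace("\\", "/"))
    parts = urlsplit(resolved)
    if parts.scheme != "https":
        return fallback
    # .hostname drops userinfo and port and lowercases, so "trusted@evil" yields "evil".
    host = parts.hostname or ""
    if host not in TRUSTED_HOSTS:  # exact match, not endswith(): blocks trusted.evil
        return fallback
    return resolved


def compare(target: str) -> dict:
    """What each redirector would emit as Location for the same sender-controlled input."""
    return {"open": open_redirect_location(target), "safe": safe_redirect_location(target)}


if __name__ == "__main__":
    for t in ["/offers/spring", "https://booking.partner.test/hotel/42",
              "https://c-hi.xyz/login", "//c-hi.xyz/login",
              "https://links.example-marketing.test@c-hi.xyz/", "javascript:alert(1)"]:
        print(f"{t!r:52} -> {compare(t)}")
```

The allowlist is an exact host match on purpose: a suffix check (endswith) would let links.example-marketing.test.c-hi.xyz through, and a check on the raw string before parsing would be fooled by the userinfo form.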

Redirecting to phishing pages

Users who clicked one of the crafted redirect links are sent to a page in attacker-owned infrastructure. These pages use Google reCAPTCHA services to possibly evade attempts at dynamically scanning and checking the contents of the page, preventing some analysis systems from advancing to the actual phishing page.

Screenshot of landing page with CAPTCHA challenge

Figure 6. reCAPTCHA service used by phishing page

Upon completion of the CAPTCHA verification, the user is shown a site that impersonates a legitimate service, such as Microsoft Office 365, which asks the user for their password. The website is prepopulated with the recipient's email address to add legitimacy to the request. This technique leverages familiar single sign-on (SSO) behavior to trick users into keying in corporate credentials or other credentials associated with the email address.

To do this, attackers send unique URLs to each recipient with PHP parameters that cause tailored information to render in the phishing page. In some instances, phishing pages are specially crafted to include company logos and other branding tied to the recipient's domain.

Screenshot of phishing page

Figure 7. Fake sign-in page prefilled with the recipient's email address alongside a fake error message prompting users to re-enter their passwords

If the user enters their password, the page refreshes and displays an error message stating that the page timed out or the password was incorrect and that they must enter their password again. This is likely done to get the user to enter their password twice, allowing attackers to ensure they obtain the correct password.

Once the user enters their password a second time, the page redirects to a legitimate Sophos website that claims the email message has been released. This adds another layer of false legitimacy to the phishing campaign.

Screenshot of legitimate website that phishing page redirects to

Figure 8. Legitimate Sophos page displayed after users re-enter their passwords

Tracking attacker-controlled domains

Some of the domains used in this campaign include the following:

c-tl[.]xyz
a-cl[.]xyz
j-on[.]xyz
p-at[.]club
i-at[.]club
f-io[.]online

For the observed campaigns, the sender infrastructure was fairly unique and notable, as the actors used a wide variety of sender domains, with most of the domains having at least one of the following characteristics:

Free email domains
Compromised legitimate domains
Domains ending in .co.jp
Attacker-owned DGA domains

Many of the final domains hosting the phishing pages follow a particular DGA pattern:

[letter]-[letter][letter].xyz
[letter]-[letter][letter].club

The free email domains span a wide variety of ccTLDs, such as:

.de
.com.mx
.com.au
.ca

The attacker-owned DGA domains follow a few distinct patterns, including:

[word or string of characters]-[word][number], incrementing by one, for example: masihtidur-shoes08[.]com
[number][word or string of characters]-[number], incrementing by one, for example: 23moesian-17[.]com
[word][word][number], incrementing by one, for example: notoficationdeliveryamazon10[.]com
[word or letters][number]-[number], incrementing by one, for example: dak12shub-3[.]com

While these are the most prevalent patterns observed by Microsoft security researchers, over 350 unique domains have been observed during these campaigns.
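Because each sender family only varies its trailing counter, the patterns above can be turned directly into hunting logic. The following Python is an added example, not code from this post: it replaces the counter with a placeholder to group domains into families, labels each family with the pattern it follows, and emits an anchored regex per family that matches every counter value. The sample input is a subset of the indicators listed at the end of this post; the pattern names and the "#" placeholder convention are this example's own.

```python
# Added example (not from the Microsoft post): cluster the sender DGA domains into
# families by their incrementing counter, classify them against the four patterns
# described in the post, and produce a per-family regex for hunting.
# The sample list is copied from the post's indicators; labels are this example's own.
import re
from collections import defaultdict

SAMPLE_SENDER_DOMAINS = [  # subset of the post's indicator list
    "masihtidur-shoes08[.]com", "masihtidur-shoes07[.]com", "masihtidur-shoes04[.]com",
    "23moesian-17[.]com", "23moesian-10[.]com", "23moesian-26[.]com",
    "notoficationdeliveryamazon10[.]com", "notoficationdeliveryamazon20[.]com",
    "dak12shub-3[.]com", "dak12shub-9[.]com", "dak12shub-10[.]com",
    "hayalanphezor-2sit[.]com", "hayalanphezor-7sit[.]com",
    "gets25-amz[.]net", "gets30-amz[.]net",
]

# The counter is the last run of digits followed only by letters or hyphens, so
# "dak12shub-3" -> 3 (not 12), "hayalanphezor-2sit" -> 2 and "gets25-amz" -> 25.
COUNTER = re.compile(r"\d+(?=[a-z-]*$)")

# First match wins; the names paraphrase the patterns listed in the post.
PATTERNS = [
    ("[number][string]-[number]", re.compile(r"^\d+[a-z]+-\d+$")),
    ("[string][number]-[number]", re.compile(r"^[a-z]+\d+[a-z0-9]*-\d+$")),
    ("[string]-[word][number]", re.compile(r"^[a-z0-9]+-[a-z]+\d+$")),
    ("[word][word][number]", re.compile(r"^[a-z]+\d+$")),
]


def label_of(domain: str) -> str:
    """Refang 'x[.]com' and return the first (registrable) label in lower case."""
    return domain.replace("[.]", ".").lower().split(".")[0]


def split_counter(label: str):
    """Return (template, counter): the counter replaced by '#', or (label, None) if none."""
    m = COUNTER.search(label)
    if not m:
        return label, None
    return label[:m.start()] + "#" + label[m.end():], int(m.group())


def classify(label: str) -> str:
    """Name the pattern a single label follows, or 'other'."""
    for name, rx in PATTERNS:
        if rx.match(label):
            return name
    return "other"


def cluster(domains) -> dict:
    """Map each family template to the sorted list of counters seen for it."""
    families = defaultdict(list)
    for d in domains:
        template, n = split_counter(label_of(d))
        if n is not None:
            families[template].append(n)
    return {t: sorted(ns) for t, ns in families.items()}


def family_regex(template: str) -> str:
    """Turn 'masihtidur-shoes#' into an anchored regex that accepts any counter."""
    return "^" + r"\d+".join(re.escape(part) for part in template.split("#")) + "$"


def matches_family(template: str, label: str) -> bool:
    return re.fullmatch(family_regex(template), label) is not None


if __name__ == "__main__":
    for template, counters in cluster(SAMPLE_SENDER_DOMAINS).items():
        example = template.replace("#", str(counters[0]))
        print(f"{template:30} {classify(example):27} seen={counters} regex={family_regex(template)}")
```

The family regex is what you would paste into a block list or a hunting query; grouping first also shows the counter range already registered, which hints at how many sibling domains to expect.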

How Microsoft Defender for Office 365 protects against modern email threats

The abuse of open redirectors represents an ongoing threat that Microsoft experts constantly monitor, along with other threat trends and attacker techniques used in attacks today. Microsoft's breadth of visibility into threats, combined with our deep understanding of how attackers operate, will continue to inform the advanced protection delivered by Microsoft Defender for Office 365 against email-based attacks.

For mitigations against the abuse of open redirector links via known third-party platforms or services, customers are advised to follow the recommended best practices of their service providers, such as updating to the latest software version, if applicable, to prevent their domains from being abused in future phishing attempts.

Microsoft Defender for Office 365 protects customers from this threat by leveraging its deep visibility into email threats and advanced detection technologies powered by AI and machine learning. We strongly recommend that organizations configure recommended settings in Microsoft Defender for Office 365, such as applying anti-phishing, Safe Links, and Safe Attachments policies. We also recommend installing the Report Message add-in for Outlook to enable users to report suspicious messages to their security teams and optionally to Microsoft.

Attack simulation training lets organizations run realistic, yet safe, simulated phishing and password attack campaigns in their own organizations. These simulated attacks can help identify and find vulnerable users before a real attack makes a real impact.

Investigation capabilities in Microsoft 365 Defender allow organizations to respond to phishing and other email-based attacks. Microsoft 365 Defender correlates signals from emails and other domains to deliver coordinated defense. Microsoft Defender for Endpoint blocks malicious files and other malware as well as malicious behavior that results from initial access via email. Microsoft Defender SmartScreen integrates with Microsoft Edge to block malicious websites, including phishing websites, scam websites, and other malicious websites, while network protection blocks connections to malicious domains and IP addresses.

Learn how you can stop credential phishing and other email threats through comprehensive, industry-leading protection with Microsoft Defender for Office 365.

Microsoft 365 Defender Threat Intelligence Team

Advanced hunting queries

To locate possible credential phishing activity, run the following advanced hunting queries in Microsoft 365 Defender.

Open redirect URLs in t-dot format

Find URLs in emails whose host begins with "t.", indicating possible open redirect URLs. Note: the use of a redirector URL does not necessarily indicate malicious behavior. You must verify whether the emails surfaced by this advanced hunting query (AHQ) are legitimate or malicious.

EmailUrlInfo
| where Url matches regex @"s?\:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?"

Open redirect URLs pointing to attacker infrastructure

Find URLs in emails possibly crafted to redirect to attacker-controlled URLs. Because the attacker domain sits in the parameters of the redirect URL rather than at its start, the pattern is matched anywhere in the URL and is not anchored.

EmailUrlInfo
// This regex narrows in on emails that contain the known malicious domain pattern in the URL from the most recent campaigns
| where Url matches regex @"[a-zA-Z]-[a-zA-Z]{2}\.(xyz|club|store|online)"
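For readers who want to exercise the same logic offline, the following is an added example, not code from this post: a Python rendition of the two queries run over a constructed set of URLs of the kind EmailUrlInfo holds. The redirector hostnames, paths and parameter names (url=, u=, e=) are invented; only c-hi[.]xyz, p-at[.]club and c-tl[.]xyz come from the post. Beyond the substring matches the KQL performs, it also pulls the destination out of the query string and applies the domain-shape check to host names, both the URL's own and the embedded one, so the two signals can be combined.

```python
# Added example (not from the Microsoft post): the two advanced hunting regexes
# above, ported to Python and run over constructed sample URLs. Redirector hosts,
# paths and parameter names are invented; c-hi.xyz, p-at.club and c-tl.xyz are
# the post's indicators. Handles percent-encoded targets and non-URL parameters.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# First query: scheme-agnostic "://", optional "www.", host starting with "t.",
# one or more path segments, then "r" or "redirect" followed by a query string.
T_DOT_REDIRECT = re.compile(r"s?\:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?")
# Second query's shape, applied here to a bare host name: c-hi.xyz matches,
# abc-hi.xyz and t.news.example-marketing.test do not.
DGA_FINAL_HOST = re.compile(r"^[a-zA-Z]-[a-zA-Z]{2}\.(xyz|club|store|online)$")

SAMPLE_URLS = [  # constructed for this example
    "https://t.news.example-marketing.test/r/?id=1234&url=https%3A%2F%2Fc-hi.xyz%2Flogin",
    "https://www.t.example-hotel.test/track/click/redirect?u=https://p-at.club/",
    "https://t.news.example-marketing.test/r/?id=99&url=https://booking.partner.test/hotel",
    "https://www.example.test/catalog?ref=t.example.test/r/",
    "https://c-tl.xyz/?e=user%40contoso.test",
]


def embedded_targets(url: str) -> list:
    """Query-string values that are themselves absolute http(s) URLs: the hidden destination."""
    out = []
    for values in parse_qs(urlsplit(url).query).values():
        for v in values:
            cand = unquote(v)  # parse_qs decoded once; this catches double-encoding
            p = urlsplit(cand)
            if p.scheme in ("http", "https") and p.hostname:
                out.append(cand)
    return out


def triage(url: str) -> dict:
    """Evaluate one URL on both hunting signals and report what it hides."""
    own_host = urlsplit(url).hostname or ""
    embedded = [urlsplit(t).hostname for t in embedded_targets(url)]
    return {
        "url": url,
        "t_dot_redirector": T_DOT_REDIRECT.search(url) is not None,
        "embedded_hosts": embedded,
        "dga_host": [h for h in [own_host] + embedded if DGA_FINAL_HOST.match(h)],
    }


def suspicious(urls) -> list:
    """URLs where a t-dot redirector wraps a DGA-shaped host: this campaign's signature."""
    hits = []
    for u in urls:
        r = triage(u)
        if r["t_dot_redirector"] and r["dga_host"]:
            hits.append(u)
    return hits


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(triage(u))
    print("campaign-like:", suspicious(SAMPLE_URLS))
```

The fourth sample shows the limit of the first regex: a "t." that appears later in the URL, rather than as the start of the host, is not a redirector and is correctly ignored. The third sample shows why the two signals are combined: a legitimate redirector carrying a legitimate destination trips the first query alone.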

Indicators of compromise

Following is a list of domains that match the DGA pattern used in sender addresses in this and other malicious campaigns. Note that these have not all been observed in mail flow related to this campaign.

masihtidur-shoes08[.]com
masihtidur-shoes07[.]com
masihtidur-shoes04[.]com
masihtidur-shoes02[.]com
masihtidur-shoes01[.]com
wixclwardwual-updates9[.]com
wixclwardwual-updates8[.]com
wixclwardwual-updates7[.]com
wixclwardwual-updates6[.]com
wixclwardwual-updates5[.]com
wixclwardwual-updates10[.]com
wixclwardwual-updates1[.]com
zxcsaxb-good8[.]com
zxcsaxb-good6[.]com
zxcsaxb-good5[.]com
zxcsaxb-good4[.]com
zxcsaxb-good3[.]com
zxcsaxb-good10[.]com
trashxn-euyr9[.]com
trashxn-euyr7[.]com
trashxn-euyr6[.]com
trashxn-euyr5[.]com
trashxn-euyr3[.]com
trashxn-euyr20[.]com
trashxn-euyr2[.]com
trashxn-euyr19[.]com
trashxn-euyr18[.]com
trashxn-euyr17[.]com
trashxn-euyr16[.]com
trashxn-euyr15[.]com
trashxn-euyr14[.]com
trashxn-euyr12[.]com
trashxn-euyr11[.]com
trashxn-euyr10[.]com
trashxn-euyr1[.]com
berangberang-9[.]com
berangberang-7[.]com
berangberang-12[.]com
berangberang-6[.]com
notoficationdeliveryamazon8[.]com
berangberang-8[.]com
berangberang-3[.]com
berangberang-4[.]com
berangberang-10[.]com
berangberang-11[.]com
berangberang-13[.]com
berangberang-5[.]com
77support-update23-4[.]com
posher876ffffff-30[.]com
posher876ffffff-5[.]com
posher876ffffff-25[.]com
fenranutc0x24ai-11[.]com
organix-xtc21[.]com
fenranutc0x24ai-13[.]com
fenranutc0x24ai-4[.]com
fenranutc0x24ai-17[.]com
fenranutc0x24ai-18[.]com
adminsecurity102[.]com
adminsecurity101[.]com
23moesian-17[.]com
23moesian-10[.]com
23moesian-11[.]com
23moesian-26[.]com
23moesian-19[.]com
23moesian-2[.]com
cokils2ptys-3[.]com
cokils2ptys-1[.]com
23moesian-20[.]com
23moesian-15[.]com
23moesian-18[.]com
23moesian-16[.]com
sux71a37-net19[.]com
sux71a37-net1[.]com
sux71a37-net25[.]com
sux71a37-net14[.]com
sux71a37-net18[.]com
sux71a37-net15[.]com
sux71a37-net12[.]com
sux71a37-net13[.]com
sux71a37-net20[.]com
sux71a37-net11[.]com
sux71a37-net27[.]com
sux71a37-net2[.]com
sux71a37-net21[.]com
bimspelitskalix-xuer9[.]com
account-info005[.]com
irformainsition0971a8-net16[.]com
bas9oiw88remnisn-12[.]com
bas9oiw88remnisn-27[.]com
bas9oiw88remnisn-26[.]com
bas9oiw88remnisn-11[.]com
bas9oiw88remnisn-10[.]com
bas9oiw88remnisn-5[.]com
bas9oiw88remnisn-13[.]com
bas9oiw88remnisn-1[.]com
bas9oiw88remnisn-7[.]com
bas9oiw88remnisn-3[.]com
bas9oiw88remnisn-20[.]com
bas9oiw88remnisn-8[.]com
bas9oiw88remnisn-23[.]com
bas9oiw88remnisn-24[.]com
bas9oiw88remnisn-4[.]com
bas9oiw88remnisn-25[.]com
romanseyilefreaserty0824r-2[.]com
romanseyilefreaserty0824r-1[.]com
sux71a37-net26[.]com
sux71a37-net10[.]com
sux71a37-net17[.]com
maills-activitymove02[.]com
maills-activitymove04[.]com
solution23-servviue-26[.]com
maills-activitymove01[.]com
copris7-yearts-6[.]com
copris7-yearts-9[.]com
copris7-yearts-5[.]com
copris7-yearts-8[.]com
copris7-yearts-37[.]com
securityaccount102[.]com
copris7-yearts-4[.]com
copris7-yearts-40[.]com
copris7-yearts-7[.]com
copris7-yearts-38[.]com
copris7-yearts-39[.]com
romanseyilefreaserty0824r-6[.]com
rick845ko-3[.]com
rick845ko-2[.]com
rick845ko-10[.]com
fasttuamz587-4[.]com
winb2as-wwersd76-19[.]com
winb2as-wwersd76-4[.]com
winb2as-wwersd76-6[.]com
org77supp-minty662-8[.]com
winb2as-wwersd76-18[.]com
winb2as-wwersd76-1[.]com
winb2as-wwersd76-10[.]com
org77supp-minty662-9[.]com
winb2as-wwersd76-12[.]com
winb2as-wwersd76-20[.]com
account-info003[.]com
account-info012[.]com
account-info002[.]com
laser9078-ter17[.]com
account-info011[.]com
account-info007[.]com
notoficationdeliveryamazon1[.]com
notoficationdeliveryamazon20[.]com
notoficationdeliveryamazon7[.]com
notoficationdeliveryamazon17[.]com
notoficationdeliveryamazon12[.]com
contackamazon1[.]com
notoficationdeliveryamazon6[.]com
notoficationdeliveryamazon5[.]com
notoficationdeliveryamazon4[.]com
notoficationdeliveryamazon18[.]com
notoficationdeliveryamazon13[.]com
notoficationdeliveryamazon3[.]com
notoficationdeliveryamazon14[.]com
gaplerr-xt5[.]com
posher876ffffff-29[.]com
kenatipurecehkali-xt3[.]com
kenatipurecehkali-xt13[.]com
kenatipurecehkali-xt4[.]com
kenatipurecehkali-xt12[.]com
kenatipurecehkali-xt5[.]com
wtbwts-junet1[.]com
kenatipurecehkali-xt6[.]com
hayalanphezor-2sit[.]com
hayalanphezor-1sit[.]com
noticesumartyas-sc24[.]com
noticesumartyas-sc13[.]com
noticesumartyas-sc2[.]com
noticesumartyas-sc17[.]com
noticesumartyas-sc22[.]com
noticesumartyas-sc5[.]com
noticesumartyas-sc4[.]com
noticesumartyas-sc21[.]com
noticesumartyas-sc25[.]com
appgetbox3[.]com
notoficationdeliveryamazon19[.]com
notoficationdeliveryamazon10[.]com
appgetbox9[.]com
appgetbox8[.]com
appgetbox6[.]com
notoficationdeliveryamazon2[.]com
appgetbox7[.]com
appgetbox5[.]com
notoficationdeliveryamazon23[.]com
appgetbox10[.]com
notoficationdeliveryamazon16[.]com
hvgjgj-shoes08[.]com
hvgjgj-shoes13[.]com
jgkxjhx-shoes09[.]com
hvgjgj-shoes15[.]com
hvgjgj-shoes16[.]com
hvgjgj-shoes18[.]com
hvgjgj-shoes20[.]com
hvgjgj-shoes12[.]com
jgkxjhx-shoes02[.]com
hvgjgj-shoes10[.]com
jgkxjhx-shoes03[.]com
hvgjgj-shoes11[.]com
hvgjgj-shoes14[.]com
jgkxjhx-shoes05[.]com
jgkxjhx-shoes04[.]com
hvgjgj-shoes19[.]com
jgkxjhx-shoes08[.]com
hpk02h21yyts-6[.]com
romanseyilefreaserty0824r-7[.]com
gets25-amz[.]net
gets30-amz[.]net
gets27-amz[.]net
gets28-amz[.]net
gets29-amz[.]net
gets32-amz[.]net
gets3-amz[.]net
gets31-amz[.]net
noticesumartyas-sc19[.]com
noticesumartyas-sc23[.]com
noticesumartyas-sc18[.]com
noticesumartyas-sc15[.]com
noticesumartyas-sc20[.]com
noticesumartyas-sc16[.]com
noticesumartyas-sc29[.]com
rick845ko-1[.]com
bas9oiw88remnisn-9[.]com
rick845ko-5[.]com
bas9oiw88remnisn-21[.]com
bas9oiw88remnisn-2[.]com
bas9oiw88remnisn-19[.]com
rick845ko-6[.]com
bas9oiw88remnisn-22[.]com
bas9oiw88remnisn-17[.]com
bas9oiw88remnisn-16[.]com
adminmabuk103[.]com
account-info008[.]com
suppamz2-piryshj01-3[.]com
dak12shub-1[.]com
securemanageprodio-02[.]com
securemanageprodio-05[.]com
securemanageprodio-01[.]com
dak12shub-3[.]com
dak12shub-9[.]com
dak12shub-8[.]com
dak12shub-6[.]com
dak12shub-10[.]com
dak12shub-4[.]com
securemanageprodio-03[.]com
org77supp-minty662-7[.]com
winb2as-wwersd76-7[.]com
org77supp-minty662-10[.]com
bimspelitskalix-xuer2[.]com
gets34-amz[.]net
gets35-amz[.]net
service-account-7254[.]com
service-account-76357[.]com
service-account-7247[.]com
account-info004[.]com
service-account-5315[.]com
bas9oiw88remnisn-14[.]com
solution23-servviue-23[.]com
organix-xtc18[.]com
romanseyilefreaserty0824r-4[.]com
hayalanphezor-7sit[.]com
bimspelitskalix-xuer7[.]com
securemanageprodio-04[.]com
solution23-servviue-15[.]com
solution23-servviue-1[.]com
suppamz2-piryshj01-9[.]com
suppamz2-piryshj01-6[.]com
solution23-servviue-25[.]com
solution23-servviue-7[.]com
solution23-servviue-16[.]com
solution23-servviue-11[.]com
solution23-servviue-27[.]com
romanseyilefreaserty0824r-5[.]com
cokils2ptys-6[.]com
solution23-servviue-9[.]com
solution23-servviue-19[.]com
solution23-servviue-8[.]com
solution23-servviue-17[.]com
solution23-servviue-18[.]com
suppamz2-piryshj01-1[.]com
solution23-servviue-30[.]com
solution23-servviue-13[.]com
solution23-servviue-12[.]com
solution23-servviue-10[.]com
solution23-servviue-4[.]com
solution23-servviue-20[.]com
solution23-servviue-24[.]com
solution23-servviue-5[.]com
solution23-servviue-14[.]com
service-account-7243[.]com
service-account-735424[.]com
service-account-8457845[.]com
service-account-374567[.]com
service-account-764246[.]com
service-account-762441[.]com
gxnhfghnjzh809[.]com
xcfhjxfyxnhnjzh10[.]com
accountservicealert002[.]com
accountservicealert003[.]com
care887-yyrtconsumer23-24[.]com
bas9oiw88remnisn-15[.]com
care887-yyrtconsumer23-23[.]com
care887-yyrtconsumer23-27[.]com
care887-yyrtconsumer23-25[.]com
care887-yyrtconsumer23-26[.]com
laser9078-ter11[.]com
bimspelitskalix-xuer6[.]com
laser9078-ter10[.]com
hayalanphezor-6sit[.]com
hayalanphezor-4sit[.]com
hayalanphezor-3sit[.]com
romanseyilefreaserty0824r-3[.]com
solution23-servviue-6[.]com
ressstauww-6279-3[.]com
ressstauww-6279-10[.]com
sytesss-tas7[.]com
ressstauww-6279-7[.]com
ressstauww-6279-1[.]com
hvgjgj-shoes01[.]com
ketiak-muser14[.]com
ketiak-muser13[.]com
ketiak-muser15[.]com
spammer-comingson01[.]com
spammer-comingson02[.]com
spammer-comingson04[.]com
spammer-comingson05[.]com
spammer-comingson07[.]com
posidma-posidjar01[.]com
posidma-posidjar03[.]com
posidma-posidjar05[.]com
posidma-posidjar06[.]com
tembuslah-bandar01[.]com
tembuslah-bandar02[.]com
tembuslah-bandar03[.]com
tembuslah-bandar04[.]com
tembuslah-bandar05[.]com
tembuslah-bandar06[.]com
tembuslah-bandar07[.]com
tembuslah-bandar08[.]com
tembuslah-bandar09[.]com
tembuslah-bandar10[.]com

The post Widespread credential phishing campaign abuses open redirector links appeared first on Microsoft Security Blog.
