Microsoft has warned users about a credential-phishing campaign it has been tracking. The campaign uses open redirector links that Microsoft says Defender can thwart.
The company said in a statement that attackers combine the links and social engineering ploys impersonating well-known productivity tools and services. Users are lured into clicking the links and through a series of redirections (including a CAPTCHA verification to mimic legitimacy) are sent to a fake sign-in page.
The news comes from the Microsoft 365 Defender Threat Intelligence Team, who posted it in a blog on Thursday.
The open redirect used in the attack refers to when a web application allows an HTTP parameter to contain a user-supplied URL that makes the HTTP request be redirected to the referenced source.
Microsoft says that open redirects have legitimate applications, especially in sales and marketing campaigns that lead customers to landing pages and collect web metrics. However, they are also commonly abused.
The messages in the campaign, according to Microsoft, follow a pattern. The generic lines used usually appear like so:
- [Recipient username] 1 New Notification
- Report Status for [Recipient Domain Name] at [Date and Time]
- Zoom Meeting for [Recipient Domain Name] at [Date and Time]
- Status for [Recipient Domain Name] at [Date and Time]
- Password Notification for [Recipient Domain Name] at [Date and Time]
- [Recipient username] eNotification
When opened, the message brings up a button to show the notification. The button links to a trusted domain appended with redirection parameters in a way that looks convincing to the casual user.
Less savvy users who do not understand URLs and appended parameters will almost always fall for this. Combined with the Google reCAPTCHA page, it creates the perfect con to dupe many users. Microsoft says that even though the attack is sophisticated, its Defender for Office 365 software offers adequate security against it.