Microsoft Warns of Widespread Phishing Attacks


Microsoft is warning of a widespread phishing campaign in which open redirect links in emails trick users into visiting malicious websites while bypassing security software.

“Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking,” Microsoft 365 Defender Threat Intelligence Team said in a report.

“Doing so leads to a series of redirections – including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems – before taking the user to a fake sign-in page. This ultimately leads to credential compromise, which opens the user and their organization to other attacks.”

To lead potential victims to phishing sites, the redirect URLs in the phishing messages are set up using legitimate services, while the final actor-controlled domains in the link leverage top-level domains such as .xyz, .club and .online. These domains are passed as parameters so as to sneak past email gateway solutions.
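A mail-filtering check for the pattern described above, as an added example that is not from Microsoft's report or The Hacker News: it extracts absolute URLs carried in a link's query parameters, decoding repeated percent-encoding and following chained redirectors, and flags targets on the TLDs the article names. The sample links, the `.example` hosts and the `MAX_DEPTH` bound are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# TLDs the article names for the final actor-controlled domains.
FLAGGED_TLDS = {"xyz", "club", "online"}
MAX_DEPTH = 3  # assumption: bound on repeated encoding and chained redirectors

def _decode(value):
    """Percent-decode repeatedly so double-encoded targets are still seen."""
    for _ in range(MAX_DEPTH):
        value = unquote(value)
    return value.strip()

def redirect_targets(url, depth=0):
    """Return [(param, host)] for query-parameter URLs on a different host."""
    found = []
    try:
        outer = urlsplit(url)
    except ValueError:  # malformed link: nothing to extract
        return found
    for name, raw in parse_qsl(outer.query, keep_blank_values=True):
        value = _decode(raw)
        if value.startswith("//"):  # scheme-relative target
            value = "https:" + value
        try:
            inner = urlsplit(value)
        except ValueError:
            continue
        if inner.scheme not in ("http", "https") or not inner.hostname:
            continue  # plain values such as ids or search terms
        if inner.hostname != outer.hostname:
            found.append((name, inner.hostname.rstrip(".")))
        if depth < MAX_DEPTH:  # the target may itself be a redirector
            found.extend(redirect_targets(value, depth + 1))
    return found

def is_suspicious(url):
    """True when any embedded target sits on one of the flagged TLDs."""
    return any(host.rsplit(".", 1)[-1] in FLAGGED_TLDS
               for _, host in redirect_targets(url))

# Constructed sample links; .example hosts stand in for real services.
SAMPLES = [
    "https://t.mailer.example/r?id=42&url=https%3A%2F%2Flogin-portal.xyz%2Fauth",
    "https://t.mailer.example/r?u=https%253A%252F%252Fmeet-notify.club%252Fj",
    "https://t.mailer.example/r?url=https%3A%2F%2Fdocs.partner.example%2Fq3",
    "https://shop.example/search?q=club+sandwich",
]
if __name__ == "__main__":
    print([(is_suspicious(u), redirect_targets(u)) for u in SAMPLES])
```

A TLD match alone is a weak signal, so a filter would normally combine it with sender reputation and a per-redirector allowlist of expected destinations.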

In this particular campaign, Microsoft has observed at least 350 unique phishing domains – another attempt to evade detection – underscoring the campaign’s use of convincing social engineering lures that appear to be notification messages from apps like Office 365 and Zoom, a well-crafted detection evasion technique, and a durable infrastructure to carry out the attacks.

“This not only shows the scale with which this attack is being conducted, but it also demonstrates how much the attackers are investing in it, indicating potentially significant payoffs,” the researchers said.

To give off an appearance of authenticity, the redirect link takes the user to a malicious page that requires completing a Google reCAPTCHA, which also blocks dynamic scanning attempts. After completing the CAPTCHA verification, victims are taken to a fake login page mimicking a popular service like Microsoft Office 365. Once the user enters login credentials there, the attacker steals them.

“This phishing campaign exemplifies the perfect storm of [social engineering, detection evasion, and a large attack infrastructure] in its attempt to steal credentials and ultimately infiltrate a network,” the researchers said. “And given that 91% of all cyberattacks originate with email, organizations must therefore have a security solution that will provide them multi-layered defense against these types of attacks.”

 

Story via The Hacker News
