Attackers Using HTTP Response Headers to Redirect Victims to Phishing Pages

Phishing Student Researchers at Palo Alto Networks’ Unit 42 warn that attackers are using refresh entries in HTTP response headers to automatically redirect users to phishing pages without user interaction.

“Unit 42 researchers observed many large-scale phishing campaigns in 2024 that used a refresh entry in the HTTP response header,” the researchers write.

“From May-July we detected around 2,000 malicious URLs daily that were associated with campaigns of this type. Unlike other phishing webpage distribution behavior through HTML content, these attacks use the response header sent by a server, which occurs before the processing of the HTML content.

Malicious links direct the browser to automatically refresh or reload a webpage immediately, without requiring user interaction.”

Many of these phishing attacks are targeting employees at companies in the business and economy sector, as well as government entities and educational organizations.

“Attackers predominantly distribute the malicious URLs in the phishing campaigns via emails,” Unit 42 says. “These emails consistently include recipients' email addresses and display spoofed webmail login pages based on the recipients' email domain pre-filled with the users’ information. They largely target people in the global financial sector, well-known internet portals, and government domains. Since the original and landing URLs are often found under legitimate or compromised domains, it is difficult to spot malicious indicators within a URL string.”

Unit 42 adds that attackers are also using URL parameters to pre-fill login forms with victims’ email addresses, increasing the phishing attack’s appearance of legitimacy.

“Many attackers also employ deep linking to dynamically generate content that appears tailored to the individual target,” the researchers write. “By using parameters in the URL, they pre-fill sections of a form, enhancing the credibility of the phishing attempt. This personalized approach increases the likelihood that the attacker will deceive the victim. Attackers have exploited this mechanism because it enables them to load phishing content with minimum effort while concealing the malicious content.”

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Unit 42 has the story.

Will your users respond to phishing emails?

KnowBe4's Phishing Reply Test (PRT) is a complimentary IT security tool that makes it easy for you to check to see if key users in your organization will reply to a highly targeted phishing attack without clicking on a link. PRT will give you quick insights into how many users will take the bait so you can take action to train your users and better protect your organization from these fraudulent attacks!

Here's how it works: