Researchers at GreatHorn warn that a large-scale phishing campaign is using open redirects to evade email security filters. An open redirect lets an attacker start with a URL on a legitimate, non-malicious website and tack on a redirect to their own page, so that clicking the link sends the user to a phishing site. The result is a link that can fool both people and technology: a person inspecting the URL sees a legitimate domain, while security filters struggle to flag the link as malicious.
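The redirect pattern described above can be picked out in links extracted from inbound mail by checking whether a query parameter carries an absolute (or scheme-relative) URL whose host differs from the visible host. The following is an added example for defenders, not code from the article or from GreatHorn; the parameter names and the `*.example.com` / `*.example.net` domains are assumed placeholders, not indicators from the report.

```python
from urllib.parse import urlparse, parse_qsl, unquote

# Query-parameter names commonly used to carry a redirect target (assumed list;
# the heuristic below also fires on any value that looks like an absolute URL).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return",
                   "goto", "dest", "target", "r", "u"}


def redirect_target(url: str):
    """Return (visible_host, target_host) when the URL's query string embeds a
    URL to a different host, i.e. the open-redirect shape; otherwise None."""
    outer = urlparse(url)
    visible_host = outer.netloc.lower()
    for key, value in parse_qsl(outer.query, keep_blank_values=True):
        candidate = unquote(value)  # handle double-encoded targets
        looks_like_url = candidate.lower().startswith(("http://", "https://", "//"))
        if key.lower() in REDIRECT_PARAMS or looks_like_url:
            inner = urlparse(candidate)
            # Scheme may be empty for scheme-relative targets such as //host/path.
            if inner.scheme in ("", "http", "https") and inner.netloc:
                if inner.netloc.lower() != visible_host:
                    return visible_host, inner.netloc.lower()
    return None


def triage(urls):
    """Label each link 'open-redirect' (with the hidden host) or 'direct'."""
    results = {}
    for u in urls:
        hit = redirect_target(u)
        results[u] = ("open-redirect", hit) if hit else ("direct", None)
    return results


# Constructed sample links (placeholder domains, not indicators from the report).
SAMPLE_LINKS = [
    "https://trusted.example.com/login?return=https%3A%2F%2Fevil.example.net%2Fo365%2F",
    "https://trusted.example.com/go?u=//evil.example.net/r/abc",
    "https://trusted.example.com/docs/page?return=/dashboard",  # same-site, benign
    "http://evil.example.net/r/abc123",  # points straight at the landing page
]

if __name__ == "__main__":
    for link, (label, hosts) in triage(SAMPLE_LINKS).items():
        print(f"{label:14} {link}" + (f"  -> {hosts[1]}" if hosts else ""))
```

Links labelled `open-redirect` should be scored on the hidden target host rather than the visible one; links labelled `direct` still need the usual reputation checks.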
“The Threat Intelligence Team described this campaign as a ‘comprehensive and multi-pronged attack,’ with multiple hosting services and web servers being used to host fraudulent Office 365 login pages,” the researchers write. “Malicious links, delivered via phishing emails to regular users worldwide, are bypassing their email providers’ native security controls and slipping past nearly every legacy email security platform on the market.”
Based on similarities in the phishing emails and malicious sites, GreatHorn believes a single actor is behind the campaign.
“The URLs in the phishing emails sent to users vary,” the researchers write. “Some employ redirects; others point directly at the phishing kit pages. The phishing kit itself uses the same naming structure in nearly all cases: http://t.****/r/, where *** represents the domain. However, the URL path varies across individual messages, as part of a common tactic used to bypass simple blocking rules that prevent these messages from reaching users.”
The phishing pages are designed to steal credentials, but they also contain JavaScript that will install malware on the victim’s computer.
“The phishing webpages impersonate a Microsoft Office 365 login, using the Microsoft logo and requesting that users enter their password, verify their account, or sign-in,” GreatHorn says. “Given this campaign’s breadth and highly targeted nature, the sophistication and complexity suggest that the attackers’ significant coordinated effort is underway. Additionally, GreatHorn’s Threat Research Intelligence Team identified attempts to deploy the Cryxos trojan on multiple browsers, including Chrome and Safari.”
New-school security awareness training can prepare your employees to identify and thwart phishing emails that bypass your technical defenses.
GreatHorn has the story.