This news follows last month’s warning regarding a different phishing attack, also concerning Microsoft users.
Attack Relies on ‘Open Redirects’ Tool
The campaign relies on multiple links that attempt to fool users. Clicking on a link in the phishing campaign causes a series of redirections, which first lead the user to a Google reCaptcha page. The user is then directed to a malicious login page, where their Office 365 credentials are stolen. On this fake Microsoft 365 login page, the user’s email address is already entered. Once they enter their password, they will then receive a fake error message prompting them to re-enter their password. The user then moves to a legitimate Sophos page, which adds another layer of legitimacy to the campaign. According to the Microsoft 365 Defender Threat Intelligence Team, attackers could abuse this ‘Open Redirects’ tool to “link to a URL in a trusted domain and embed the eventual final malicious URL as a parameter.” This could also prevent users and security solutions from detecting malicious intent.
Google Says Open Redirects are Not a Security Vulnerability
The attack exploits a common safety practice that users rely on to check for malicious websites. Users who hover their mouse over links and buttons would still see a domain name they trust — and are therefore highly likely to click on them. According to Google, Open Redirects is not a security vulnerability per se. However, it does display a redirect notice in the browser. Google also disputes that hovering over a link to see the destination address is a useful phishing protection tip. Google said that tooltips “are not a reliable security indicator and can be tampered with in so many ways.” “We generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk,” it added.
Microsoft Security Issues Rise in Number
Last month, Microsoft warned its users of a convincing new phishing scam, where attackers used strongly-spoofed email addresses and other crafty techniques to bypass phishing filters undetected. Microsoft called the campaign especially crafty, as it employed several techniques to try and trick users. Phishing emails were loaded with Microsoft logos and other convincing details, and the phishing attack bypassed sandboxes through multiple sign-ins. Microsoft’s corporate clients have also fallen victim to security risks. Earlier this month, an Israel-based research company discovered a vulnerability in Microsoft Azure Cosmos DB’s databases. While Microsoft is quick to address security issues as they arise, the number of risks posed by online apps and software continues to mount. For more information on staying safe online, check out our resource here.
