New Phishing Tactics Exploit Microsoft 365 with Multi-Layer Redirects


By Tina Reynolds
Cybersecurity analysts have observed a recent increase in phishing campaigns against Microsoft 365 users that rely on a new, targeted multi-layer redirect method. The technique abuses trusted tools and legitimate features to trick victims into disclosing their login credentials. Over the past two months, threat actors have redirected potential victims to fraudulent Microsoft 365 pages, an alarming rise in phishing incidents.

The new technique obscures malicious URLs by passing them through link shorteners and link-rewriting services such as Bitly and Proofpoint's URL Defense. By hiding the final destination in this way, cybercriminals raise their success rate. Security analysts report that these URLs go through at least two layers of obfuscation before ultimately leading users to phishing pages designed to harvest credentials.

Rise in Phishing Attacks

The latest Trend Micro statistics show a record high in phishing attempts, with over 25 percent of recent campaigns spoofing Microsoft Teams in email communications. Victims receive emails claiming they have missed Teams messages, with a "Reply in Teams" button; clicking it typically leads to the same kind of credential-harvesting page.

“By cloaking malicious destinations with legitimate urldefense[.]proofpoint[.]com and url[.]emailprotection URLs, these phishing campaigns’ abuse of trusted link wrapping services significantly increases the likelihood of a successful attack,” – Cloudflare.

These customized emails create a sense of urgency, pressing recipients to click the embedded links without verifying the sender's legitimacy. Commonly used platforms such as Teams add another layer of trust between users, and that greater confidence makes recipients more likely to fall into the trap.

Mechanics of Multi-Layer Redirects

The phishing methods used in these campaigns are not just misleading, they are sophisticated. Threat actors either abuse open redirects or compromise email accounts belonging to users who are already protected by a major provider's email security service.

“In these campaigns, a threat actor can either abuse an open redirect to link to a rewritten URL, or compromise an email account that belongs to someone with some type of email protection,” – Proofpoint threat researchers.

Once an email account is compromised, the attacker sends phishing emails containing links that the victim organization's security service has already rewritten, so ordinary protections do not flag them as malicious. The victim is then unknowingly taken through multiple redirect hops before landing on a counterfeit login page.

“Then, they send an email with a phishing link to the account they have compromised. The security service rewrites the URL, and the threat actor makes sure the link is not blocked. Then, the threat actor will take the rewritten URL and include it in various redirect chains,” – Proofpoint threat researchers.

Innovative Use of SVG Files

Another alarming trend in these phishing attacks is the use of Scalable Vector Graphics (SVG) files. Unlike traditional image formats such as JPEG or PNG, SVG files can include JavaScript and HTML code. This capability lets attackers circumvent traditional anti-spam and anti-phishing protections with ease.

“Unlike JPEG or PNG files, SVG files are written in XML and support JavaScript and HTML code,” – New Jersey Cybersecurity and Communications Integration Cell (NJCCIC).
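A defender-side check for the SVG property described above, as an added example that is not code from the article or from any vendor it quotes: it parses an SVG attachment and flags the script, embedded-HTML, event-handler and javascript:/data: link constructs that a plain image never needs. The sample SVGs are constructed for illustration and carry no real payload.

```python
"""Flag SVG attachments that carry active content (script, embedded HTML,
event handlers or javascript:/data: links). Sample inputs are constructed."""
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input in production
from typing import List

# SVG elements that can execute code or embed arbitrary HTML.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}

def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return tag.rsplit("}", 1)[-1]

def svg_findings(svg_bytes: bytes) -> List[str]:
    """Return the reasons an SVG looks like an active-content lure (empty = clean)."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings: List[str] = []
    for elem in root.iter():  # document order, root first
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_name = _local(attr)
            lowered = value.strip().lower()
            if attr_name.lower().startswith("on"):  # onload, onclick, ...
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr_name == "href" and lowered.startswith(("javascript:", "data:")):
                findings.append(f"{lowered.split(':', 1)[0]}: link on <{name}>")
    return findings

def is_suspicious_svg(svg_bytes: bytes) -> bool:
    """True when the attachment should be quarantined for review."""
    return bool(svg_findings(svg_bytes))

# Constructed lure: a "Reply in Teams" button, an HTML form inside
# foreignObject, an onload handler and an empty script (no real payload).
SAMPLE_LURE = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <text x="10" y="20">Reply in Teams</text>
  <foreignObject width="200" height="80"><body xmlns="http://www.w3.org/1999/xhtml">
    <form><input name="pw"/></form></body></foreignObject>
  <script>/* placeholder */</script>
  <a xlink:href="javascript:void(0)"><rect width="10" height="10"/></a>
</svg>"""
SAMPLE_BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

if __name__ == "__main__":
    print(svg_findings(SAMPLE_LURE))
```

The check is deliberately strict: a legitimate SVG that uses any of these constructs is rare in email, so a hit is a reasonable trigger for quarantine rather than outright deletion.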

These SVG files can also be used to launch multi-stage malware infections, vastly amplifying the risk of these attacks. Financial institutions and other high-value targets are the primary victims of these evolving techniques, which has led many cybersecurity experts to urge users to be more vigilant than ever.

“Unfortunately, instead of ‘rejoining,’ the victim’s credentials along with their IP address, country, and region are exfiltrated via Telegram, a messaging app notorious for ‘secure, encrypted communications,’ and inevitably sent to the threat actor,” – Cofense.

As cyber threats grow more inventive, organizations need to stay a step ahead in their approach to defense. Putting strong controls in place and training the workforce to recognize phishing tactics can eliminate a majority of the dangers these scam artists pose.