Microsoft is Tracking Open Redirect Phishing Campaign
Microsoft is tracking a credential phishing campaign that uses open redirect links to manipulate users into visiting maliciously crafted websites. Microsoft says that the threat actors behind the attacks have used more than 350 unique domains.
Make sure your email and endpoint protection services detect these links, and make sure the URL protection features are enabled. Note that while these tools rewrite URLs and some familiarization is needed, the open redirect links used in this campaign, which capture user trends and clicks, are already so heavily encoded that it is impractical for a user to visually verify the target URL. Microsoft Defender for Office 365 is included with E5/G5 licensing and has these capabilities.
Open redirects used to be part of the OWASP Top 10 list of web application vulnerabilities. While they no longer make the "Top 10", open redirects are common and often underestimated. Their use in phishing is pretty obvious, but in some cases they can also be used to steal OAuth credentials.
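As an added illustration (not code from Microsoft or from this newsletter), the following Python shows both sides of the issue described above: a mail-filter style check that flags links whose query parameters carry an embedded, possibly multiply-encoded, URL to a different host, and the server-side rule that closes the hole. The sample links are constructed and the host names are placeholders.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample links (not taken from the campaign): a benign link,
# two redirect-style links carrying an embedded external URL, and a
# redirect to a relative path, which is the legitimate use of the feature.
SAMPLE_LINKS = [
    "https://example.com/docs?page=3",
    "https://trusted.example/redirect?url=https://evil.example/login",
    "https://trusted.example/go?target=https%253A%252F%252Fevil.example%252Fx",
    "https://trusted.example/go?next=/account/settings",
]

def _decode_layers(value, max_layers=5):
    """Percent-decode repeatedly: redirect links seen in phishing are often
    encoded more than once, which is what defeats visual inspection."""
    for _ in range(max_layers):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def embedded_external_targets(link):
    """Return (param, host) pairs for each query parameter whose decoded
    value is an absolute or protocol-relative URL pointing at a host other
    than the link's own. That shape is the signature of an open redirect."""
    outer = urlsplit(link)
    own = (outer.hostname or "").lower()
    hits = []
    for name, raw in parse_qsl(outer.query, keep_blank_values=True):
        inner = urlsplit(_decode_layers(raw))
        if inner.netloc and inner.scheme in ("", "http", "https"):
            host = (inner.hostname or "").lower()
            if host and host != own:
                hits.append((name, host))
    return hits

def is_safe_redirect_target(value, own_host):
    """Server-side rule for a redirect endpoint: accept only a same-site
    relative path (not protocol-relative, no backslash tricks) or an
    absolute http(s) URL whose host is exactly our own."""
    candidate = value.strip()
    if "\\" in candidate:
        return False
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        return candidate.startswith("/") and not candidate.startswith("//")
    return parts.scheme in ("http", "https") and \
        (parts.hostname or "").lower() == own_host.lower()
```

Running `embedded_external_targets` over each of `SAMPLE_LINKS` flags the second and third links only; the double-encoded third link is caught because the parameter is decoded until it stops changing.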
The Microsoft blog entry notes that “Today’s email threats rely on three things to be effective” but doesn’t list the most important enabling factor: the use of reusable passwords. Microsoft’s own research showed that 99.9% of phishing attacks would not have succeeded if simple text messaging as a second authentication factor were used. Another item in today’s NewsBites has US CISA finally putting single-factor authentication on its Bad Practices list, along with using unpatchable software and default passwords.
Read more in:
Microsoft: Widespread credential phishing campaign abuses open redirector links
Gov Infosecurity: Microsoft: Beware Phishing Attacks with Open Redirect Links
The Register: Microsoft warns of widespread open redirection phishing attack – which Defender can block, coincidentally
The Hacker News: Microsoft Warns of Widespread Phishing Attacks Using Open Redirects