Security News > 2021 > August > Microsoft warns of widespread open redirection phishing attack – which Defender can block, coincidentally

Microsoft has warned that it has been tracking a widespread credential-phishing campaign that relies on open redirector links, while simultaneously suggesting it can defend against such schemes.
Microsoft says that open redirects have legitimate uses, pointing to the way sales and marketing campaigns rely on them to lead customers to specific landing pages and to gather web metrics.
To further convey the illusion of safety and legitimacy, the redirection takes the victim to a Google reCAPTCHA page, which Microsoft theorizes also serves to frustrate dynamic scanning and content checking of the phishing page at the end of the redirection.
The scam site loads with the target's email address - passed to the phishing page as a parameter in the phishing URL - and often with corporate logos or other branding to make the login page look more like it's implementing common single sign-on behavior.
Microsoft says it has detected at least 350 unique phishing domains involved in this campaign.
The scheme appears to have the potential to go far beyond that - the redirection URLs come from a domain-generation algorithm that creates phishing domains on the fly, as needed.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/08/27/microsoft_phishing_defender/
Related news
- Microsoft: Hackers steal emails in device code phishing attacks (source)
- CISA tags Microsoft .NET and Apache OFBiz bugs as exploited in attacks (source)
- Critical RCE bug in Microsoft Outlook now exploited in attacks (source)
- Microsoft Identifies 3,000 Leaked ASP.NET Keys Enabling Code Injection Attacks (source)
- Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries (source)
- Microsoft: Russian-Linked Hackers Using 'Device Code Phishing' to Hijack Accounts (source)
- Darktrace: 96% of Phishing Attacks in 2024 Exploited Trusted Domains Including SharePoint & Zoom Docs (source)
- Phishing attack hides JavaScript using invisible Unicode trick (source)
- Microsoft fixes Power Pages zero-day bug exploited in attacks (source)
- Botnet targets Basic Auth in Microsoft 365 password spray attacks (source)