I thought this was interesting and provided a great explanation of the phishing campaign. Using the reCAPTCHA during the link redirects is a good example of building false trust with users in efforts to exploit them.
I also thought the parameter passing approach was particularly devious to avoid detection by email gateways.
Link: Microsoft Warns of Widespread Phishing Attacks Using Open Redirects
This was a very interesting read. I agree the uniqueness of this particular phishing campaign is having the user complete a CAPTCHA verification before allowing them to “sign in”. This is twofold in making the user truly believe they are visiting a legitimate sign-in page and in making it so dynamic scanning attempts are blocked. The latter reinforces why it is so important to properly train employees to be security conscious. You can have a system dynamically scanning websites that users are going to, but the bad guys will always find a way to get around that. The most effective way to prevent this open redirect phishing attack is by having users recognize the attempt and not even click on the link to begin with.
Great article Matthew!
Microsoft Exchange has really come under fire in recent months with the vulnerabilities in March and new ones popping up left and right. (Check out my article on 3 new vulnerabilities that are the potential building blocks for an innovative hacker to run off and have a fiesta with ME.)
The time investment that attackers are investing in the attack in your article is alarming. Especially because it’s making it more and more difficult to reach our workforce and say “THIS IS WHAT YOU SHOULD LOOK OUT FOR!” Especially when the “lookout item” is so embedded in a URL that it’s virtually unrecognizable to an untrained eye. And how do you train the most vulnerable e-mail users? I mean we have a hard time training people as it is and getting them to comply. The screenshots of the embedded domains are mumbo jumbo to most users.
If these techniques can evade analysis by anti-malware engines how can we expect them not to evade our own employees?
~Vanessa
Vanessa,
Thank you. I agree with your points and have been struggling with how to educate users on this. Most of our population is fairly savvy, but this is another level of sophistication. I can see many users getting frustrated by the ever evolving threat landscape.
I’m hopeful that the use of URL wrapping by email gateways such as Mimecast will help. We’ve had some success using this with other phishing attempts and are exploring adjusting the policies to look for the domains specified in the article and blocking the initial link resolution.
Email continues to be the primary attack vector for most bad actors.
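The "parameter passing" trick discussed in this thread (a trusted-looking link that carries the real destination inside a query parameter, often percent-encoded more than once) is something a gateway policy can look for before any user sees the link. The block below is an added example written for this thread; it is not code from the linked Microsoft article, from Mimecast, or from any commenter. It unwraps nested URLs found in query parameters, reports the innermost destination, and compares that host against a domain list. The domain list (`SUSPECT_DOMAINS`) and every sample link are constructed placeholders, not the article's indicators.

```python
"""Flag links that carry another URL in their query string (the open-redirect
shape) and check the innermost destination against a domain list.
Added example for this discussion; the domains and sample links are constructed."""
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlparse

# Constructed placeholder list; a real policy would hold the article's domains.
SUSPECT_DOMAINS = {"bad-example.invalid", "login-portal.invalid"}

# Constructed sample links: clean, single redirect, double-encoded double
# redirect, and a redirect whose destination is not on the list.
SAMPLE_LINKS = [
    "https://www.example.com/docs/guide",
    "https://trusted-site.example/redirect?url=https%3A%2F%2Fbad-example.invalid%2Fcaptcha%3Fid%3D42",
    "https://trusted-site.example/track?next=https%3A%2F%2Fhop.example%2Fgo%3Fto%3D"
    "https%253A%252F%252Flogin-portal.invalid%252Fsignin",
    "https://trusted-site.example/redirect?url=https%3A%2F%2Fwww.example.com%2F",
]


def embedded_urls(url: str) -> List[str]:
    """Return every URL carried in url's query parameters, outermost first.

    parse_qsl decodes one layer of percent-encoding; the extra unquote() also
    catches a second layer, which is common when a redirect is nested inside
    another redirect. This is a detection heuristic, so over-decoding is accepted.
    """
    found: List[str] = []
    for _, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        candidate = unquote(value)
        if candidate.lower().startswith(("http://", "https://")):
            found.append(candidate)
            found.extend(embedded_urls(candidate))  # follow nested parameters
    return found


def hostname(url: str) -> str:
    """Lower-cased host of a URL, or empty string if it has none."""
    return (urlparse(url).hostname or "").lower()


def classify(url: str, blocklist=SUSPECT_DOMAINS) -> Dict[str, object]:
    """Verdict for one link: block, review (redirect shape, unknown target) or allow."""
    chain = embedded_urls(url)
    destination = chain[-1] if chain else url
    host = hostname(destination)
    listed = any(host == d or host.endswith("." + d) for d in blocklist)
    if listed:
        verdict = "block"
    elif chain:
        verdict = "review"  # looks like an open redirect; destination not yet known bad
    else:
        verdict = "allow"
    return {"redirect_depth": len(chain), "final_host": host, "verdict": verdict}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify(link), link)
```

The "review" verdict is the useful middle ground for a gateway: a link that hands the browser off to a second URL is not proof of phishing, but it is exactly the shape this campaign relies on, so it is worth holding or rewriting even when the final host is not yet on a list.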