Attackers Use Open Redirects to Steal Microsoft 365 Credentials

Security researchers have found that cybercriminals are abusing open redirect vulnerabilities in reputable company domains to make their phishing emails more convincing. Between mid-May and late July, researchers at INKY found thousands of phishing emails that exploit these vulnerabilities in American Express and Snapchat domains.

In this case, when a victim clicks on the links in these emails, they are redirected to a Microsoft 365 credential harvesting website.

What is an Open Redirect Vulnerability?

Open redirect vulnerabilities take advantage of the widely prevalent URL redirection infrastructure. Sometimes when you click on a link, it may take you from one destination to another automatically. There are many reasons a website may redirect users, such as a change in their domain, incorrect URLs or spelling errors redirecting to the intended site, and advertising.

However, if a website does not validate where its redirects lead, an attacker can exploit this: a link that appears to point at the trusted site sends the visitor on to an untrusted destination that pries away their personal information. To make matters worse, open redirects cause far more harm to users than to the vulnerable websites themselves.

“Perhaps websites don’t give open redirect vulnerabilities the attention they deserve because they don’t allow attackers to harm or steal data from the site,” INKY’s blogpost reads.

“From the website operator’s perspective, the only damage that potentially occurs is harm to the site’s reputation. The victims, however, may lose credentials, data, and possibly money.”

Over 8,000 Phishing Emails Exploit Open Redirects

Researchers at INKY, an email security solutions platform, detailed their findings in a blog post last week. They observed attackers exploiting open redirect vulnerabilities in over 8,000 phishing emails. The emails came from hijacked accounts or newly-created domains.

The researchers found 6,812 phishing emails exploiting an open redirect vulnerability in the snapchat[.]com domain. These emails impersonated legitimate companies such as DocuSign, FedEx, and Microsoft. If a recipient clicks on the link in the email, they are taken to a fake Microsoft site that harvests login credentials.

The researchers added that this vulnerability is still unpatched, despite Open Bug Bounty notifying Snapchat in August last year.

Over the span of two days in late July, the researchers observed 2,029 phishing emails exploiting the same vulnerability in the americanexpress[.]com domain. These links also took visitors to Microsoft credential harvesting sites. On a positive note, American Express was quick to patch the vulnerability. The links now take visitors to a legitimate American Express error page.

Phishing attacks have been a common security threat on the internet for decades. The unfortunate truth is that they have evolved from an occasional minor annoyance into a regular presence in inboxes. Cybercriminals and their attacks grow more sophisticated and more realistic by the day.

As we grow increasingly reliant on online services and subscriptions, it is important to stay vigilant and watch out for suspicious emails. Here are some helpful tips for identifying URLs that could redirect users to another site.

  • Look out for URLs which contain strings such as “url=”, “redirect=”, “external-link”, or “proxy.”
  • Check for multiple occurrences of “http” in the URL.
  • Look at the email address of the sender, as fraudsters will use spoofed versions of real domains.
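The three tips above can be turned into a small triage check, and the fix on the website side is to allow-list the redirect target. The Python below is an added example, not INKY's or the article's code; the parameter names beyond "url" and "redirect", the sample links and the allowed host are constructed assumptions.

```python
from urllib.parse import parse_qs, unquote, urlparse

# Parameter names that commonly carry a redirect target. "url" and "redirect"
# come from the article's tips; the other names are common variants (assumed).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "redirect_url", "next",
                   "return", "returnurl", "goto", "dest", "destination", "target"}
# Path keywords from the article's tips.
REDIRECT_KEYWORDS = ("external-link", "proxy")

def redirect_indicators(url: str) -> list:
    """Apply the article's checks to a link and return every reason it triggers."""
    decoded = unquote(url)            # the inner link is often URL-encoded
    lowered = decoded.lower()
    params = parse_qs(urlparse(decoded).query, keep_blank_values=True)
    reasons = []
    for name, values in params.items():
        if name.lower() in REDIRECT_PARAMS:
            reasons.append(f"redirect-style parameter '{name}'")
            inner = urlparse(values[0]).hostname   # where the bounce really lands
            if inner:
                reasons.append(f"embedded destination: {inner}")
    for kw in REDIRECT_KEYWORDS:
        if kw in lowered:
            reasons.append(f"keyword '{kw}' in URL")
    if lowered.count("http") > 1:     # a second scheme means a second destination
        reasons.append("more than one 'http' in the URL")
    return reasons

def safe_redirect_target(requested: str, allowed_hosts: set, fallback: str = "/") -> str:
    """Server-side fix: only honour a local path or an allow-listed HTTPS host."""
    candidate = unquote(requested).strip()
    parsed = urlparse(candidate)
    if parsed.scheme or parsed.netloc:
        if parsed.scheme == "https" and parsed.hostname in allowed_hosts:
            return candidate
        return fallback               # foreign host, http://, javascript:, //host ...
    # Relative target: reject scheme-relative (//host) and backslash variants.
    if candidate.startswith("/") and not candidate.startswith(("//", "/\\")):
        return candidate
    return fallback

# Constructed sample links and allow-list (not real indicators from the article).
PHISH = "https://redirector.example.com/go?url=https%3A%2F%2Flogin-m365.example.net%2Fauth"
LEGIT = "https://www.example.com/account/settings"
ALLOWED = {"www.example.com"}
```

Run `redirect_indicators(PHISH)` to see all three tips fire on the constructed link, and `safe_redirect_target` to see the same foreign host refused on the server side.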

If you want to learn more about these kinds of attacks and tips on how you can protect yourself, check out our detailed phishing guide.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.