Hackers Exploit YouTube Links & Microsoft 365 Themes to Steal Logins


Phishing campaigns are tricking users by combining URL obfuscation with fake notifications that their O365 passwords are about to expire.

Attackers leverage these tactics to mimic legitimate O365 communication, tricking victims into clicking on malicious links and subsequently entering their credentials on fraudulent login pages, compromising their accounts.

Phishing emails targeting client servers utilize subject lines like “ACTION Required – [Client] Server SecurityID:[random string]” and contain a clickable button urging password reconfirmation due to alleged expiry, aiming to steal user credentials.

Figure: Phishing email

Attackers use obfuscation techniques to disguise the malicious URLs that redirect users to phishing sites.

They leverage the “@” symbol in URLs to obfuscate malicious domains, tricking users into visiting harmful websites (e.g., globaltouchmassage[.]net) while displaying a seemingly legitimate domain in the address bar. 

The issues with the URLs include excessive use of %20 encoding for spaces and an unexpected @ symbol that segments the URL, effectively discarding the portion preceding it and treating the subsequent part as the actual domain.

Figure: Obfuscation characters

Redirectors and common phishing templates from Tycoon 2FA, Mamba 2FA, and EvilProxy kits were utilized by the threat actor in order to compromise unwary individuals. 

URLs with the “@” symbol trigger browser authentication handling: browsers interpret everything before the “@” as credentials and connect to the domain after it. The technique exploits this URL structure by placing the name of a legitimate service such as YouTube before the “@”, deceiving users into trusting and clicking malicious links.
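A defender-side check for the pattern described above, as an added example that is not from the original article or from Cyderes: it uses Python's urllib.parse to separate the decoy text before the “@” from the host a browser would actually contact. The sample URLs are constructed with example.net hosts, and the finding names, the host-like regex and the %20 threshold are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: userinfo that itself looks like a host name is a decoy.
HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
PAD_THRESHOLD = 3  # assumption: this many %20 runs in userinfo counts as padding

def analyze_url(url: str) -> dict:
    """Return the host a browser would contact plus obfuscation findings."""
    parts = urlsplit(url.strip())
    # Only an "@" inside the authority splits userinfo from host;
    # an "@" in the path or query (e.g. a YouTube handle) does not.
    userinfo, at, _ = parts.netloc.rpartition("@")
    findings = []
    if at:
        findings.append("userinfo-present")
        if HOSTLIKE.search(userinfo):
            findings.append("userinfo-looks-like-domain")
        if userinfo.lower().count("%20") >= PAD_THRESHOLD:
            findings.append("excessive-%20-padding")
    return {
        "real_host": parts.hostname or "",
        "decoy": userinfo,
        "findings": findings,
    }

def triage(urls):
    """Keep only URLs with at least one finding, for a mail or proxy filter."""
    return [(u, r) for u in urls if (r := analyze_url(u))["findings"]]

# Constructed sample links; hosts are reserved example domains.
SAMPLES = [
    "https://www.youtube.com%20%20%20%20@login.example.net/o365",
    "https://www.youtube.com/@somechannel",       # "@" in path: benign
    "https://portal.example.net/reset?mail=a@b.example",  # "@" in query
]

if __name__ == "__main__":
    for url, result in triage(SAMPLES):
        print(result["real_host"], result["findings"], url)
```

Only the first sample is flagged; the legitimate YouTube handle and the query-string address keep their real host because their “@” sits outside the authority component.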

According to Cyderes, the email contains a phishing URL that disguises itself as a legitimate YouTube link, which redirects users to a malicious website that may attempt to steal their personal information or install malware on their devices. 

Because the subject line of the email gives the impression that it is coming from a reliable source, it is intended to deceive recipients into clicking on the link.

Phishing emails can be mitigated through user education on identifying suspicious URLs and emails, technical controls like URL filtering and sandboxing, and prompt reporting to IT security teams.

Phishing attacks exploit trust in legitimate services by mimicking legitimate websites. To mitigate risk, organizations must implement robust security measures, including employee training on phishing awareness and regular security audits to identify and address vulnerabilities.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.
