Microsoft 365 phishing attacks abuse Snapchat, Amex open redirects

Attackers abused open redirects on the websites of Snapchat and American Express in a series of phishing attacks to steal Microsoft 365 credentials.

Open redirects are web app weaknesses that allow threat actors to use the domains of trusted organizations and websites as temporary landing pages to simplify phishing attacks.

They’re used in attacks to redirect targets to malicious sites that will either infect them with malware or trick them into handing over sensitive information (e.g., credentials, financial info, personal info).

“Since the first domain name in the manipulated link is in fact the original site’s, the link may appear safe to the casual observer,” email security firm Inky, which observed the attacks, explained.

“The trusted domain (e.g., American Express, Snapchat) acts as a temporary landing page before the surfer is redirected to a malicious site.”

Phishing email impersonating Microsoft (Inky)

Abused to target thousands of potential victims

According to Inky researchers, the Snapchat open redirect was used in 6,812 phishing emails sent from hijacked Google Workspace and Microsoft 365 accounts over two and a half months.

These emails impersonated Microsoft, DocuSign, and FedEx and redirected the recipients to landing pages designed to harvest Microsoft credentials.

While the Snapchat vulnerability was reported to the company through the Open Bug Bounty platform one year ago, on August 4, 2021, the open redirect is yet to be patched.

On the other hand, the American Express open redirect was quickly patched after being exploited for a couple of days during late July. New attempts to abuse it now land on an American Express error page.

American Express open redirect error page (Inky)

Before being addressed, the Amex open redirect was used in 2,029 phishing emails using Microsoft Office 365 baits, sent from recently registered domains and designed to funnel potential victims to Microsoft credential harvesting sites.

“In both the Snapchat and the American Express exploits, the black hats inserted personally identifiable information (PII) into the URL so that the malicious landing pages could be customized on the fly for the individual victims,” Inky explained.

“And in both, this insertion was disguised by converting it to Base 64 to make it look like a bunch of random characters.”

To defend against such attacks, Inky advised email recipients to check URLs embedded in emails for “url=,” “redirect=,” “external-link,” or “proxy” strings, or for multiple occurrences of “HTTP,” any of which likely indicates a redirection.

Website owners are also advised to implement external redirection disclaimers that require users to click before being redirected to external sites.
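The link check Inky describes for email recipients can be automated at a mail gateway or in triage tooling. The following is an added example, not code from Inky or the original article; the function names and the `.example` hosts are assumptions, and the comparison of a parameter's host against the link's own host goes one step beyond the string checks listed above.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Strings the article's advice says to look for in embedded links.
MARKERS = ("url=", "redirect=", "external-link", "proxy")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def redirect_indicators(url):
    """Return the reasons a link looks like it redirects elsewhere."""
    reasons = []
    lowered = unquote(url).lower()  # decode %3A%2F%2F so encoded targets are seen
    for marker in MARKERS:
        if marker in lowered:
            reasons.append(f"contains '{marker}'")
    if lowered.count("http") > 1:
        reasons.append("multiple 'http' occurrences")
    # Added check (assumption, not from the article): a parameter naming another host.
    try:
        parts = urlsplit(url)
        for key, value in parse_qsl(parts.query):
            target = urlsplit(value)
            if target.netloc and target.hostname != parts.hostname:
                reasons.append(f"parameter '{key}' targets {target.hostname}")
    except ValueError:  # urlsplit rejects malformed bracketed hosts
        reasons.append("unparseable URL")
    return reasons


def scan_email(body):
    """Map each flagged link in an email body to its indicators."""
    flagged = {}
    for match in URL_RE.findall(body):
        url = match.rstrip(".,)")  # drop trailing sentence punctuation
        reasons = redirect_indicators(url)
        if reasons:
            flagged[url] = reasons
    return flagged


# Constructed sample message; every host is a placeholder.
SAMPLE_EMAIL = (
    "Your document is ready: https://trusted.example/out?url=https%3A%2F%2Fphish.example%2Flogin\n"
    "Manage your account at https://trusted.example/account/settings?tab=security.\n"
)

if __name__ == "__main__":
    for link, why in scan_email(SAMPLE_EMAIL).items():
        print(link, "->", "; ".join(why))
```

These indicators are heuristics: legitimate links also carry redirect parameters, so a hit is a reason to inspect the final destination, not proof of phishing.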

Source: https://www.bleepingcomputer.com/news/security/microsoft-365-phishing-attacks-abuse-snapchat-amex-open-redirects/
