Cybercriminals are running advanced phishing attacks on Microsoft 365 users using fake URLs that closely resemble real O365 domains, tricking victims into trusting them.
All about the attack
The attackers use social engineering tactics, claiming the password is about to expire, to pressure users into clicking harmful links.
Once clicked, users are sent to fake login pages that steal their O365 credentials, giving attackers access to sensitive data and disrupting business operations.
The phishing emails use the recipient’s name and a fake security identifier in the subject line, making it seem urgent and legitimate.

The email contains a malicious button saying “Keep [USER EMAIL] Access Active,” which redirects users to a fake website to steal their login credentials.
Attackers use social engineering to trick users into clicking malicious links, disguising URLs with legitimate prefixes like “youtube.com” followed by obfuscation or the “@” symbol to redirect to harmful sites. Cyderes warns that this deception puts users’ security at risk.
The malicious activity observed in these phishing attacks shows clear signs of URL obfuscation techniques used to mislead users. One common method is the use of “%20,” the URL-encoded form of a space, which pads the link and makes the suspicious part of the URL harder to spot visually.
Additionally, attackers often insert the “@” symbol in their URLs. This segmenting technique tricks browsers into interpreting the part before the “@” symbol as the user’s credentials, and it redirects users to the domain following the “@” symbol, which is typically the attacker-controlled malicious site.
Furthermore, these URLs point to domains that use redirectors to mask their true destination. The domains themselves are often linked to well-known phishing frameworks, such as Tycoon 2FA, Mamba 2FA, and EvilProxy kits, which have been used in prior cybercriminal campaigns.
These phishing kits are designed to exploit legitimate-looking domains to steal login credentials, allowing attackers unauthorized access to sensitive data.
Phishing URLs like “youtube.com%20%20%20%20@testing123.net” deceive users into thinking they lead to YouTube, but redirect to malicious sites like “testing123.net.”
These emails often include IOCs, such as suspicious domains (e.g., “globaltouchmassage.net”) and urgent subject lines like “ACTION Required – [Client] Server SecurityID:[random string].”
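As an added example (not part of the original article), the following Python script splits a link the way a browser does, decodes the “%20” padding before the “@”, and compares the brand the victim is shown with the host that is actually contacted. The brand list and the sample email body are constructed for the demo; the only real value is the article’s defanged IOC URL.

```python
import re
from urllib.parse import unquote, urlsplit

# Brands the lure pretends to be; constructed list for this example, extend as needed.
TRUSTED_BRANDS = {"youtube.com", "microsoft.com", "office.com", "microsoftonline.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def refang(url: str) -> str:
    """Undo the usual IOC defanging ("example[.]com", "hxxps://") so the URL parses."""
    return url.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")

def registrable(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain (no public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def analyse_url(url: str) -> dict:
    """Split the URL like a browser and compare what it shows with where it goes."""
    parts = urlsplit(refang(url))
    userinfo = parts.username or ""              # everything before '@' in the authority
    real_host = (parts.hostname or "").lower()   # the host the browser actually connects to
    claimed = unquote(userinfo).strip().lower()  # "%20" decodes to spaces; strip the padding
    padded = "%" in userinfo                     # percent-encoded filler pushes '@' out of view
    if not userinfo:
        verdict = "benign"                       # no userinfo trick in play
    elif registrable(claimed) in TRUSTED_BRANDS and registrable(claimed) != registrable(real_host):
        verdict = "lookalike"                    # userinfo impersonates a trusted brand
    else:
        verdict = "suspicious"                   # userinfo in a mailed link is rare enough to review
    return {"real_host": real_host, "claimed_host": claimed, "padded": padded, "verdict": verdict}

def scan_email(body: str) -> list:
    """Return a finding for every link in an email body that is not benign."""
    findings = []
    for url in URL_RE.findall(body):
        result = analyse_url(url)
        if result["verdict"] != "benign":
            findings.append({"url": url, **result})
    return findings

# Constructed sample body modelled on the lure described in the article; the first link is
# the article's published IOC in defanged form, the second is a harmless constructed link.
SAMPLE_BODY = """Your password expires today.
<a href="https://youtube.com%20%20%20%20%20%20%20%20%20%20%20@globaltouchmassage[.]net/ssy/cmd">
Keep user@example.com Access Active</a>
Help: https://support.example.com/passwords
"""

if __name__ == "__main__":
    for f in scan_email(SAMPLE_BODY):
        print(f["verdict"], "- shows", f["claimed_host"], "but goes to", f["real_host"])
```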
To mitigate this type of phishing attack:
- Educate Users: Regularly train employees on identifying phishing attempts, especially those using obfuscated URLs and social engineering tactics.
- Use Email Filtering: Implement advanced email security filters to detect and block suspicious emails, particularly those containing obfuscated or deceptive URLs.
- Enable Multi-Factor Authentication (MFA): Even if login credentials are compromised, MFA can prevent unauthorized access to accounts.
- URL Inspection: Use tools that inspect URLs in real-time, checking for obfuscation and redirect patterns.
- URL Blocking: Block known malicious domains and IP addresses at the network level to prevent access to dangerous sites.
- Check URLs: Encourage users to manually check URLs by hovering over links to view the true destination before clicking.
- Update Software: Ensure all software, including email clients and browsers, is regularly updated to protect against security vulnerabilities.
IOC (Indicators of Compromise)
• Example Phishing URL:
https://youtube.com%20%20%20%20%20%20%20%20%20%20%20@globaltouchmassage[.]net/ssy/cmd
• Common Subject Lines:
“ACTION Required – [Client] Server SecurityID:[random string]”