In a series of phishing efforts to obtain Microsoft 365 login information, attackers took advantage of open redirection on the American Express and Snapchat websites.
Open redirects are flaws in web apps that let threat actors utilize reputable companies’ and websites’ domains as temporary landing pages to streamline phishing attempts.
Attackers use them to divert targets to malicious websites where they will either download malware or fool them into providing sensitive information (e.g., credentials, financial info, personal info).
According to email security firm Inky, which tracked the attacks, “the link may appear safe to the casual observer since the first domain name in the modified link is actually the original site’s.”
Before the user is forcibly transferred to a malicious website, the trusted domain (such as American Express or Snapchat) serves as a temporary landing page.
Thousands of potential victims were abused
Researchers from Inky claim that over the course of two and a half months, 6,812 phishing emails sent from Google Workspace and Microsoft 365 were hijacked and used the Snapchat open redirect.
These emails, which pretended to be from FedEx, DocuSign, and Microsoft, instead sent users to landing pages intended to collect Microsoft login information.
The open redirect has not yet been patched, despite the fact that the Snapchat vulnerability was reported to the company one year ago on August 4 through the Open Bug Bounty network.
The American Express open redirect, on the other hand, was promptly corrected after being used for a few days in late July. It now redirects new abuse attempts to an American Express error page.
Before being fixed, 2,029 phishing emails utilizing Microsoft Office 365 baits that were sent from recently registered domains and intended to send potential victims to Microsoft credential harvesting sites exploited the Amex open redirect.
According to Inky, “the black hats incorporated personally identifiable information (PII) into the URL in both the Snapchat and the American Express exploits so that the malicious landing sites could be instantly modified for the specific victims.”
And in both cases, this insertion was covered up by being converted to Base 64 so that it appeared to be a collection of random characters.
Inky advised email recipients to look for “url=,” “redirect=,” “external-link,” or “proxy” characters or repeated instances of “HTTP” in URLs included in emails perhaps providing an indication of redirection in order to protect themselves from such attacks.
Additionally, it is advised for website owners to utilize external redirection disclaimers, which ask visitors to click before being forwarded to other websites.