Back to Blog

Phishing scams use redirects to steal Office 365, Facebook credentials

October 23, 2020

By: Sikur

Researchers have recently warned of two massive phishing operations, collectively targeting hundreds of thousands of users – one seeking credentials for business services such as Office 365 and the other abusing Facebook Messenger to go after roughly 450,000 of the social media giant’s account holders.

Active since last week, with a major surge on Oct. 15, the Office 365 operation has reached tens of thousands of inboxes through multiple connected campaigns spoofing well-known applications such as Microsoft Office, Microsoft Teams and Zoom in hopes that users will be fooled into giving away their usernames and passwords. Senior executives and finance personnel have been identified as among the targets of the operation.

Discovered by researchers at GreatHorn, the scam also aims to infect victims with JavaScript designed to deploy various malware, including the Cryxos trojan.

According to F-Secure, Cryxos trojans are typically used to conduct call support scams. They display “an alarming notification message saying that the user’s computer or web browser has been ‘blocked’ due to a virus infection, and that their personal details are ‘being stolen’. The user is then directed to call a phone number for assistance in the ‘removal process.’”

Victims who click on the emails’ malicious links are either sent directly to the phishing kit, which looks like a log-in page, or they are routed there via open redirector domains and subsidiary remains that the attackers compromised from such global brands as Sony, TripAdvisor, RAC, DigitalOcean and Google.

“The user in a corporate environment will probably not be blocked from when they click, and then it’s going redirect them to the real attack, and it’s going to look like a Zoom log-in or an Office login,” said GreatHorn CEO Kevin O’Brien in an interview with SC Media.

The links can bypass native security controls offered by victims’ email providers, and the open redirects appear to be made possible via Apache servers, possibly due to a flaw in Apache versions prior to 2.4.41, GreatHorn reports in a company blog post.

GreatHorn advises security teams to search their companies’ emails for messages with URLs that match the phishing kit’s naming structure, which was identified as http://t.****/r/, where *** represents the domain.

In his company’s blog posts, O’Brien called this attack “a pervasive and significant event.”

“It looks like something timely and we saw it go out to senior executive in worldwide attack mode. And we saw these things redirecting and landing in mailboxes everywhere we looked,” O’Brien explained further to SC Media.

Meanwhile, the Facebook phishing operation, discovered by Cyberint, began last Friday with a campaign targeting nearly 500,000 victims across the globe.

Source SC Magazine

Contact us

Safety is essential to your decision making. We are sure that our team can clarify any doubts. After all, we understand security.

Follow us


Contact Us
First Name*
Last Name*
Mobile Number*
Tell us what do you need* ?
Products: Hold CTRL+Click to add more than 1.* ?
I agree to the Privacy Policy and Terms of Service.