Attackers used open redirect vulnerabilities on Snapchat and American Express in a series of phishing attacks to steal Microsoft 365 credentials.
Open redirects are web application vulnerabilities that let an attacker use the domains of trusted organizations and websites as temporary landing pages for phishing attacks. Open redirect flaws are used in attacks that send victims to malicious sites that either infect them with malware or trick them into handing over sensitive information (credentials, payment and personal information, etc.).
“A trusted domain (e.g. American Express, Snapchat) acts as a temporary landing page before the user is redirected to a malicious site,” Inky explained in a published report.
Phishing emails impersonating Microsoft and FedEx
According to Inky researchers, open Snapchat redirects were used in 6,812 phishing emails sent from hacked Google Workspace and Microsoft 365 accounts over 2.5 months. These emails impersonated Microsoft, DocuSign, and FedEx and redirected recipients to landing pages designed to harvest Microsoft credentials.
Microsoft phishing page for data collection
Although the Snapchat vulnerability was reported by researcher ayushsinha31 through the Open Bug Bounty platform back on August 4, 2021, the open redirect bug remains unpatched.
Meanwhile, the American Express redirect bug was fixed after attackers had exploited it for several days at the end of July. The American Express open redirect was used in 2,029 phishing emails, observed in Microsoft Office 365 honeypots, sent from newly registered domains to redirect potential victims to Microsoft credential-harvesting sites.
“In the Snapchat and American Express exploits, the attackers inserted personal information into the URL so that malicious landing pages could be configured on the fly for individual victims. In both cases, this insertion was masked by converting it to Base64 to make it look like a bunch of random characters,” explained Inky.
To protect against such attacks, experts advise email recipients to check for “url=”, “redirect=”, “external-link”, “proxy”, or multiple occurrences of “HTTP” in URLs embedded in emails. Website owners are also encouraged to implement external-redirect disclaimers that require users to click before being redirected to external sites.
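The checks above, and the Base64-masked victim details Inky describes, can be turned into a simple link triage routine. The following is an added defensive example written for this article, not code from Inky or from either vendor; the domains, parameter names and e-mail address in it are constructed, and the Base64 decoding is a heuristic, not a parser for any specific campaign's URL format.

```python
"""Flag e-mailed links that look like open-redirect phishing lures.

Added example, not part of Inky's report: it applies the heuristics the
article lists (redirect-style parameter names, more than one "http" in one
URL) and Base64-decodes long parameter values to surface an embedded victim
identifier. Every domain and address below is constructed.
"""
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Indicators the article recommends looking for in e-mailed URLs (assumed set).
SUSPECT_KEYS = {"url", "redirect", "external-link", "proxy"}
SUSPECT_PATH_WORDS = ("external-link", "proxy")
B64_RE = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")


def _b64_decode(value: str) -> Optional[str]:
    """Decode standard or URL-safe Base64 into printable text, else None."""
    decoder = base64.urlsafe_b64decode if ("-" in value or "_" in value) else base64.b64decode
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        text = decoder(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def assess_link(url: str) -> dict:
    """Return findings for one link; 'suspicious' is True on any indicator."""
    parsed = urlparse(url)
    flat = unquote(url).lower()
    findings = {
        "redirect_param": False,
        "nested_url": flat.count("http") > 1,  # a second URL hidden inside the first
        "suspect_path": any(w in parsed.path.lower() for w in SUSPECT_PATH_WORDS),
        "decoded_values": [],
    }
    for key, values in parse_qs(parsed.query).items():
        if key.lower() in SUSPECT_KEYS:
            findings["redirect_param"] = True
        for v in values:
            if v.lower().startswith("http"):
                # The redirect target may carry its own encoded payload: recurse.
                findings["decoded_values"] += assess_link(v)["decoded_values"]
            elif B64_RE.fullmatch(v):
                text = _b64_decode(v)
                if text:
                    findings["decoded_values"].append(text)
    findings["suspicious"] = bool(
        findings["redirect_param"] or findings["nested_url"]
        or findings["suspect_path"] or findings["decoded_values"]
    )
    return findings
```

Run over the links extracted from a suspicious message, the function returns one dict per link; a hit on `decoded_values` is the strongest signal, since legitimate redirectors rarely carry a Base64-encoded e-mail address.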