Microsoft is warning of a widespread credential phishing campaign that leverages open redirector links in email communications as a vector to trick users into visiting malicious websites while effectively bypassing security software.

“Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking,” Microsoft 365 Defender Threat Intelligence Team said in a report published this week.

“Doing so leads to a series of redirections — including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems — before taking the user to a fake sign-in page. This ultimately leads to credential compromise, which opens the user and their organization to other attacks.”

Although redirect links in email messages serve a vital tool to take recipients to third-party websites or track click rates and measure the success of sales and marketing campaigns, the same technique can be abused by adversaries to redirect such links to their own infrastructure, at the same time keeping the trusted domain in the full URL intact to evade analysis by anti-malware engines, even when users attempt to hover on links to check for any signs of suspicious content.

In order to lead potential victims to phishing sites, the redirect URLs embedded in the message are set up using a legitimate service, while the final actor-controlled domains contained in the link leverage top-level domains .xyz, .club, .shop, and .online (e.g. “c-tl[.]xyz”), but which are passed as parameters so as to sneak past email gateway solutions.

Microsoft said it observed at least 350 unique phishing domains as part of the campaign — another attempt to obscure detection — underscoring the campaign’s effective use of convincing social engineering lures that purport to be notification messages from apps like Office 365 and Zoom, a well-crafted detection evasion technique, and a durable infrastructure to carry out the attacks.

“This not only shows the scale with which this attack is being conducted, but it also demonstrates how much the attackers are investing in it, indicating potentially significant payoffs,” the researchers said.

To give the attack a veneer of authenticity, clicking the specially-crafted link redirects the users to a malicious landing page that employs Google reCAPTCHA to block any dynamic scanning attempts. Upon completion of the CAPTCHA verification, the victims are displayed a fraudulent login page mimicking a known service like Microsoft Office 365, only to swipe their passwords upon submitting the information.

“This phishing campaign exemplifies the perfect storm of [social engineering, detection evasion, and a large attack infrastructure] in its attempt to steal credentials and ultimately infiltrate a network,” the researchers noted. “And given that 91% of all cyberattacks originate with email, organizations must therefore have a security solution that will provide them multi-layered defense against these types of attacks.”