Researchers uncover phishing campaign leveraging a multi-layer redirect technique to compromise Microsoft 365 login credentials.

Cybersecurity researchers have uncovered a sophisticated phishing campaign leveraging a multi-layer redirect technique to compromise Microsoft 365 login credentials. The attack stands out for its creative misuse of trusted redirection and link wrapping services, making detection and prevention significantly more challenging.

How the Attack Works

The campaign begins by abusing the link-wrapping features of enterprise email security platforms such as Proofpoint and Intermedia. These services scan outbound links and rewrite them so that clicks can be checked against known threats. Attackers turn this process against its owners when their malicious links have not yet been flagged in the vendors' threat databases.

The attackers first hide their real destination behind a popular URL shortening service such as Bitly. The shortened URLs are then sent in emails from Proofpoint-secured accounts. As part of its standard processing, Proofpoint's system automatically rewrites the Bitly link so it can be inspected on click, adding a further layer of redirection. The hyperlink that finally appears in the phishing email therefore seems to come from a well-known, trusted security gateway such as urldefense.proofpoint.com. This chain of redirects, from a recognizable security brand, through Bitly, and finally to a fake login page, effectively conceals the phishing site's true origin.
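The redirect chain described above is the whole point of the technique: the host a reader sees is a security vendor, the host that serves the login form is not. The following Python is an added example, not code from the article or from any vendor named in it, that walks such a chain offline against a constructed hop table (standing in for the HTTP 30x responses the gateway and shortener would return) and judges the link by where it lands rather than by where it starts. The `.invalid` hostnames and the Bitly path are placeholders, and the decoder for the Proofpoint v2 `u` parameter assumes the publicly described scheme (hyphen for percent, underscore for slash); treat that as an assumption if your gateway emits a different format.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts that legitimately wrap or shorten links. Their presence in a chain is
# not malicious by itself, but each one hides the real destination from a reader.
LINK_WRAPPERS = {"urldefense.proofpoint.com", "urldefense.com"}
URL_SHORTENERS = {"bit.ly", "bitly.com"}

# Constructed hop table standing in for the HTTP 30x Location responses the
# gateway and the shortener would return. All targets are placeholders.
START_LINK = "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_EXAMPLE-2Dhop"
REDIRECTS = {
    START_LINK: "https://bit.ly/EXAMPLE-hop",
    "https://bit.ly/EXAMPLE-hop": "https://login-microsoft365-example.invalid/signin",
}


def decode_urldefense_v2(url):
    """Recover the wrapped URL from a Proofpoint URL Defense v2 link without
    visiting it. Assumption: the v2 'u' parameter encodes '%' as '-' and '/' as
    '_' on top of ordinary percent-encoding; other wrapper versions differ."""
    parts = urlsplit(url)
    if parts.netloc.lower() not in LINK_WRAPPERS or not parts.path.startswith("/v2/url"):
        return None
    wrapped = parse_qs(parts.query).get("u")
    if not wrapped:
        return None
    return unquote(wrapped[0].replace("_", "/").replace("-", "%"))


def walk_chain(url, redirects=REDIRECTS, max_hops=10):
    """Follow the redirect table from url to its final landing page and return
    every hop in order. max_hops guards against redirect loops."""
    hops = [url]
    while hops[-1] in redirects and len(hops) <= max_hops:
        hops.append(redirects[hops[-1]])
    return hops


def assess_link(url, expected_login_hosts):
    """Classify a link by the host the chain actually lands on, not by the host
    a reader sees. expected_login_hosts is the set of hosts where the
    organisation's users are supposed to sign in."""
    hops = walk_chain(url)
    hosts = [urlsplit(h).netloc.lower() for h in hops]
    findings = []
    if hosts[0] in LINK_WRAPPERS:
        findings.append("visible link is a security-gateway wrapper")
    if any(h in URL_SHORTENERS for h in hosts):
        findings.append("chain passes through a URL shortener")
    if len(hops) > 2:
        findings.append(f"{len(hops) - 1} redirects before the landing page")
    if hosts[-1] not in expected_login_hosts:
        findings.append(f"lands on unexpected host {hosts[-1]}")
    # The article's pattern: a sign-in page reached only through concealing hops.
    concealed = any(h in LINK_WRAPPERS | URL_SHORTENERS for h in hosts) or len(hops) > 2
    return {
        "hops": hops,
        "final_host": hosts[-1],
        "wrapped_target": decode_urldefense_v2(url),
        "findings": findings,
        "suspicious": concealed and hosts[-1] not in expected_login_hosts,
    }


if __name__ == "__main__":
    report = assess_link(START_LINK, {"login.microsoftonline.com"})
    for hop in report["hops"]:
        print("->", hop)
    print("wrapped target:", report["wrapped_target"])
    print("suspicious:", report["suspicious"], report["findings"])
```

The static decoder is useful on its own for mail-flow rules: it reveals the wrapped target (here a shortener) without following anything, so a rule that says "gateway-wrapped link whose wrapped target is itself a shortener" can fire before any click. In production the hop table would be replaced by a sandboxed fetch that records `Location` headers.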

Tactics and Lures

The phishing emails typically masquerade as notifications from trusted cloud services, such as voicemail alerts or Microsoft Teams messages, designed to create urgency and exploit routine user behavior. Recipients who click the links are funneled through the layered redirects and ultimately land on a convincing counterfeit Microsoft 365 login page built to capture their credentials.

Notably, attackers have also weaponized SVG image files embedded within emails. SVG (Scalable Vector Graphics) files can contain scripts and hyperlinks, which helps them evade some traditional email content controls. Once the SVG is opened or clicked, it can launch a multi-stage attack that uses the redirect tactics described above.
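Because an SVG is XML rather than a bitmap, a mail filter can inspect it for exactly the features the paragraph names. The following Python is an added example, not code from the article, that parses an SVG attachment and reports script elements, `on*` event-handler attributes, anchor hyperlinks and `href` attributes pointing at external resources, then applies a simple attachment policy. The two sample SVGs are constructed for the example and the link target in them is a placeholder, not a campaign indicator.

```python
import xml.etree.ElementTree as ET

# Constructed sample: renders a harmless rectangle but also carries a
# hyperlink and a script element, the two SVG features the article describes.
# The link target is a placeholder, not a real campaign indicator.
SAMPLE_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <a xlink:href="https://bit.ly/EXAMPLE-hop"><rect width="100" height="100"/></a>
  <script>/* constructed placeholder */</script>
</svg>
"""

# A plain vector image with no active content, for comparison.
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'


def _local(name):
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1].lower()


def inspect_svg(svg_text):
    """Return (kind, detail) findings for every piece of active content in the
    SVG: script elements, on* event-handler attributes, hyperlinks on <a>
    elements and href attributes that pull in external resources."""
    root = ET.fromstring(svg_text)
    findings = []
    for el in root.iter():
        if not isinstance(el.tag, str):   # skip comments / processing instructions
            continue
        tag = _local(el.tag)
        if tag == "script":
            findings.append(("script", (el.text or "").strip()))
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(("event-handler", f"{name}={value}"))
            elif name == "href" and tag == "a":
                findings.append(("hyperlink", value))
            elif name == "href" and value.lower().startswith(("http://", "https://")):
                findings.append(("external-ref", value))
    return findings


def svg_verdict(svg_text):
    """Attachment policy: executable content is quarantined outright, hyperlinks
    or external references are held for review, anything else is allowed."""
    kinds = {kind for kind, _ in inspect_svg(svg_text)}
    if kinds & {"script", "event-handler"}:
        return "quarantine"
    if kinds & {"hyperlink", "external-ref"}:
        return "review"
    return "allow"


if __name__ == "__main__":
    for label, svg in (("sample", SAMPLE_SVG), ("clean", CLEAN_SVG)):
        print(label, svg_verdict(svg), inspect_svg(svg))
```

The check is deliberately structural: it does not try to judge what a script would do, only whether the file carries code or links at all, which is the property that separates a picture from an active document. Pair the verdict with the redirect-chain assessment from the previous section so that a hyperlink found inside an SVG is followed to its landing host rather than trusted on sight.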

Variants of this campaign imitate other platforms, including Zoom, sending fake meeting notifications to lure victims into re-entering their login credentials. The stolen information, along with device details such as IP address and geographic data, is often exfiltrated via encrypted messaging platforms like Telegram, adding another layer of operational security for the attackers.
