Hackers Exploit HTTP Response Header to Launch Sophisticated Phishing Attacks


Cybersecurity researchers at Unit 42, a division of Palo Alto Networks, have uncovered a new and sophisticated phishing technique that exploits the refresh entry in HTTP response headers to deliver malicious webpages.

From May to July 2024, the team detected approximately 2,000 malicious URLs per day associated with these campaigns.


Unlike traditional phishing attacks that rely on malicious content within the HTML body, these campaigns abuse the Refresh response header. The browser acts on this header before it renders the HTML body, so the body itself can be empty or benign-looking while the redirect still fires.

By including a refresh entry in the HTTP response header, attackers can automatically redirect victims to a phishing page without requiring any user interaction.

The malicious links, typically distributed via email, carry the targeted recipient's email address in the URL chain: the original link encodes it as a Base64 string, and the redirect URL supplied in the refresh field passes it along to the landing page. This lets the attacker dynamically generate personalized content (for example, a login form with the victim's address already filled in), increasing the credibility and success rate of the phishing attempt.


To evade detection, attackers host both the original and the landing URLs on legitimate or compromised domains, so there is little in the URL string itself that looks malicious. They also route victims through URL shortening, tracking, and campaign marketing services, adding redirect hops that further obscure the final destination.

[Figure: HTTP response header containing the refresh entry]

“By carefully mimicking legitimate domains and redirecting victims to official sites, attackers can effectively mask their true objectives and increase the likelihood of successful credential theft.

These tactics highlight the sophisticated strategies attackers use to avoid detection and exploit unsuspecting targets,” researchers added.

Example of a Phishing URL Chain:

  • Original URL: hxxp://impactchd[.]in/content/bing/ghjkj/1kdeyl61ahaub/[Base64 string for recipient's email address]
  • Final URL: hxxps://hk6.8ik8rq[.]ru/hk6/#[recipient's email address]
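The following script is an added example, not code from the original article or from Unit 42. It shows the mechanism described above end to end on a constructed sample: a raw HTTP response whose Refresh header redirects to a different host and carries the recipient's email in the URL fragment, plus an original link whose last path segment is the Base64-encoded recipient address. The hostnames (lure.example.org, landing.example.net) and the victim address are placeholders chosen for the example, not indicators from the report. The analysis function returns the fields a detection rule would key on: whether a Refresh header is present, whether it points off-host, and whether an email address appears in the request path or the redirect target.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed sample data (placeholders, not indicators from the report).
VICTIM = "victim@example.com"
# Original link: the last path segment is the Base64-encoded recipient address,
# mirroring the "[Base64 string for recipient's email address]" pattern.
REQUEST_URL = ("http://lure.example.org/content/x/"
               + base64.b64encode(VICTIM.encode()).decode().rstrip("="))
# Response to that request: no HTML needed, the Refresh header does the work.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Refresh: 0; url=https://landing.example.net/login/#" + VICTIM + "\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_headers(raw):
    """Split a raw HTTP response into a dict keyed by lower-cased header name."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_refresh(value):
    """Return (delay_seconds, url) from a Refresh value such as '0; url=...'."""
    delay, _, rest = value.partition(";")
    try:
        delay = int(delay.strip())
    except ValueError:
        delay = None
    m = re.match(r"\s*url\s*=\s*(.*)", rest, re.IGNORECASE)
    url = m.group(1).strip().strip("\"'") if m else None
    return delay, url


def decode_email_segment(segment):
    """Read a path segment as a Base64 (standard or URL-safe) email address."""
    padded = segment + "=" * (-len(segment) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if EMAIL_RE.fullmatch(text):
            return text
    return None


def analyze(request_url, raw_response):
    """Flag a response whose Refresh header sends the browser to another host
    with the recipient's email attached, the pattern described in the article."""
    finding = {"refresh": False, "cross_host": False,
               "email_in_request": None, "email_in_target": None,
               "suspicious": False}
    req = urlsplit(request_url)
    last_seg = req.path.rstrip("/").rsplit("/", 1)[-1]
    finding["email_in_request"] = decode_email_segment(last_seg)

    headers = parse_headers(raw_response)
    if "refresh" not in headers:
        return finding
    _delay, target = parse_refresh(headers["refresh"])
    if not target:
        return finding
    finding["refresh"] = True
    dst = urlsplit(target)
    finding["cross_host"] = dst.hostname is not None and dst.hostname != req.hostname
    # The email usually rides in the fragment (never sent to the server) or the query.
    m = EMAIL_RE.search(dst.fragment) or EMAIL_RE.search(dst.query)
    finding["email_in_target"] = m.group(0) if m else None
    finding["suspicious"] = (finding["refresh"] and finding["cross_host"]
                             and finding["email_in_target"] is not None)
    return finding


if __name__ == "__main__":
    print(analyze(REQUEST_URL, SAMPLE_RESPONSE))
```

Because the email is placed in the URL fragment, it never reaches the landing server in the request line; the phishing page reads it client-side to pre-fill the form. A proxy or URL filter that only inspects request URLs will therefore miss it, which is why the check above works on the response headers of the first hop.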

Unit 42 researchers observed that these phishing campaigns predominantly targeted large corporations in Korea, government agencies, and schools in the U.S. The most affected industries include:

  • Business and Economy (36.2%)
  • Financial Services (12.9%)
  • Government (6.9%)
  • Health and Medicine (5.7%)
  • Computer and Internet (5.4%)

Attackers frequently imitated Microsoft Outlook webmail login pages, as many companies use Microsoft’s email services. The phishing pages were pre-filled with the victim’s email address and designed to capture their password.

[Figure: phishing page impersonating the Outlook webmail login]

To protect against these sophisticated phishing attacks, Palo Alto Networks recommends:

  • Deploying Advanced URL Filtering (AURL) to identify phishing URLs and extract patterns from suspicious URLs
  • Educating users about the risks of clicking on links in emails, especially those requesting login credentials
  • Implementing multi-factor authentication to prevent unauthorized access even if credentials are compromised

As of August 2024, no literature specifically addresses attacks using refresh entries in HTTP response headers. This article serves to document the frequent use of this technique in phishing attacks and raise awareness about this emerging threat.



