Diving into a new sophisticated campaign, exploiting Microsoft’s Open Redirect vulnerability through quishing
By Elad Damari, Incident Response Group Manager, Perception Point
QR codes can be found almost everywhere, helping people access useful information and other webpages as fast as they can open their smartphone cameras.
Many of us don’t think twice before scanning them. But to cybercriminals, their pervasiveness presents a new opportunity; the chance to deploy a sophisticated phishing strain designed to make us let our guard down while malware is uploaded or sensitive information stolen. After all, no one can verify a QR code is safe just by looking at it.
Dubbed quishing, this subclass of email-borne phishing has taken off in the past year. In the span of just one month – from August to September – the number of quishing attacks skyrocketed by 427%.
But this alarming rise is only half the problem – the approaches used to execute the attacks are growing wildly complex, incorporating advanced techniques to bypass email security solutions and utilizing increasingly clever social engineering tactics to deceive unsuspecting victims.
One such exploit was identified by Perception Point’s team of analysts. They uncovered a phishing campaign that took advantage of an open redirect vulnerability within one of Microsoft’s suite of services, potentially compromising client data.
Point of Entry
Open redirect vulnerabilities arise when a web application or server is configured in a way that allows attackers to redirect a user to an external, untrusted URL via a trusted domain.
In the case of the team’s latest discovery, attackers exploited such a vulnerability within Azure Functions – a Microsoft cloud computing platform for app developers – through URL query parameters that were either unvalidated or improperly sanitized. This oversight enabled malicious actors to craft URLs that appeared to belong to Microsoft but instead redirected users to spoofed login sites via fraudulent QR codes.
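To make the bug class concrete, here is an added illustration (not Microsoft’s, Azure Functions’, or Perception Point’s code) of a redirect handler that trusts its query parameter blindly, next to a hardened version that only forwards to same-origin paths or an allow-list of hosts. The parameter name `url`, the hosts in `ALLOWED_HOSTS`, and the `.example` domains are assumptions made for the example; the hardened function also refuses the scheme-relative, userinfo and backslash tricks that commonly slip past naive host checks.

```python
"""Open redirect: an unvalidated handler beside an allow-list hardened one.

Constructed illustration of the vulnerability class described above. It is
not Microsoft's or Perception Point's code and does not model Azure
Functions internals; the ``url`` parameter name and the host names are
assumptions for the example.
"""
from urllib.parse import parse_qs, urlsplit

# Hosts this application may send users to (assumed values).
ALLOWED_HOSTS = frozenset({"app.example.com", "login.example.com"})
FALLBACK = "/"  # where a rejected target is sent instead


def vulnerable_redirect(query_string: str) -> str:
    """Unvalidated redirect: whatever arrives in ``url`` becomes the target.

    This is the flaw: a link such as
    https://trusted.example/api/go?url=https://phish.example/login
    carries the trusted domain yet lands on an attacker-controlled page.
    """
    params = parse_qs(query_string)
    return params.get("url", [FALLBACK])[0]


def safe_redirect(query_string: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Allow-list redirect: only same-origin paths or listed https hosts pass."""
    params = parse_qs(query_string)
    target = params.get("url", [""])[0].strip()
    if not target:
        return FALLBACK
    # Browsers treat '\' like '/', so "/\evil.example" parses as a plain path
    # here but navigates off-site in a browser. Refuse rather than normalise.
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return FALLBACK
    parts = urlsplit(target)
    # Same-origin relative path: no scheme, no authority, single leading '/'.
    # A "//host/path" value has an authority and must not reach this branch.
    if not parts.scheme and not parts.netloc:
        if target.startswith("/") and not target.startswith("//"):
            return target
        return FALLBACK
    # Absolute URL: require https and a host on the allow-list.
    # ``hostname`` drops userinfo and port, so
    # "https://login.example.com@phish.example/" is judged by "phish.example".
    if parts.scheme.lower() != "https":
        return FALLBACK
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return FALLBACK
    return target
```

The allow-list check is deliberately an exact host match rather than a substring or prefix test, since `login.example.com.phish.example` would satisfy a `startswith` check while still being an attacker’s host.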
Attack Breakdown
How did this attack work?
It began with a user receiving an urgently worded email from what appeared to be Microsoft Support. Sent from a seemingly legitimate domain, the email easily passed Sender Policy Framework (SPF) checks – the email authentication standard through which domain owners publish which mail servers may send on their behalf, making it hard for threat actors to push fake sender information through undetected.
The email contained a PDF attachment with the subject line “Please fix your credentials.” The PDF prompted users to update their account password and email credentials by clicking an embedded link. This link led to a malicious QR code bearing Microsoft’s logo, hosted on a legitimate server of the popular image hosting site Flickr.
Reassured by the familiar logo, users were prompted to scan the code with their phone camera. Pairing familiar, well-established logos with malevolent QR codes is a psychological tactic that encourages people to use their less secure mobile devices, as opposed to more secure computers. In addition, when using their phones, users are less inclined to scrutinize URLs and adhere to general security recommendations.
Scanning the QR code led to a series of URLs, exploiting an open redirection vulnerability in Azure Functions, creating a convincing chain of redirections that culminated in a spoofed Microsoft 365 login page.
After entering their email address on the spoofed login page, users were redirected again, this time to the legitimate login.live.com – Microsoft’s real login page. During this redirection the threat actor set a session cookie on the user’s device, giving them visibility into victims’ credentials and, in turn, easy access to their accounts.
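A defender triaging a URL decoded from such a QR code wants to see where the chain of redirections actually ends before anyone scans it. The following added example (not Perception Point’s tooling, and using a constructed sample URL rather than the campaign’s real one) unwraps nested redirect parameters layer by layer, listing each host visited and flagging a chain that starts on a trusted host but lands somewhere else. The list of parameter names and the trusted-host set are assumptions.

```python
"""Unwrap nested redirect parameters in a URL decoded from a QR code.

Added triage example, not part of the original article or of Perception
Point's tooling. Parameter names, host names and the sample URL are
constructed for the example.
"""
from urllib.parse import parse_qsl, quote, urlsplit

# Query parameter names commonly used to carry a redirect target (assumed).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next",
                   "return_url", "returnurl", "goto", "target"}


def unwrap_redirects(url: str, max_depth: int = 10) -> list[str]:
    """Return the lowercase hosts visited when every redirect parameter is followed.

    A parameter is followed only when its value parses as an absolute
    http(s) URL or a scheme-relative one ("//host/..."). ``max_depth`` bounds
    self-referential chains.
    """
    hosts: list[str] = []
    current = url
    for _ in range(max_depth):
        parts = urlsplit(current)
        host = (parts.hostname or "").lower()
        if not host:
            break
        hosts.append(host)
        nxt = None
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key.lower() not in REDIRECT_PARAMS:
                continue
            inner = urlsplit(value.strip())
            if inner.netloc and inner.scheme.lower() in ("http", "https", ""):
                # Scheme-relative values are resolved as https for the walk.
                nxt = value.strip() if inner.scheme else "https:" + value.strip()
                break
        if nxt is None:
            break
        current = nxt
    return hosts


def triage(url: str, trusted_hosts: set[str]) -> dict:
    """Summarise the redirect chain and whether it escapes the trusted hosts."""
    hosts = unwrap_redirects(url)
    lands_off_domain = bool(hosts) and hosts[0] in trusted_hosts \
        and hosts[-1] not in trusted_hosts
    return {"hosts": hosts, "lands_off_domain": lands_off_domain}


# Constructed sample: a trusted-looking function endpoint whose ``url``
# parameter wraps a second redirector, which in turn wraps the final page.
_FINAL = "https://login-portal.example/"
_MIDDLE = "https://cdn.example/r?next=" + quote(_FINAL, safe="")
SAMPLE_URL = "https://functions.example/api/go?url=" + quote(_MIDDLE, safe="")

if __name__ == "__main__":
    print(triage(SAMPLE_URL, {"functions.example"}))
```

Because each layer is percent-encoded inside the previous one, a single decoding pass shows only the first hop; walking the chain to the end is what reveals the destination a user would actually reach.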
Microsoft mitigated the issue shortly after the incident response team shared their findings with Microsoft’s security team.
Gone Phishing
This sophisticated quishing campaign exploiting Microsoft’s open redirect vulnerabilities is a testament to the ever-evolving, increasingly sophisticated nature of phishing attacks.
Organizations must stay vigilant – regularly updating security protocols and educating teams to better recognize the nascent ways cybercriminals exploit and circumvent the latest cybersecurity frameworks.
To paraphrase the old adage, there’s always a bigger phish to phry.
About the Author
Elad Damari is a Cyber Expert and Incident Response Team Leader at Perception Point. There, he leads the team in identifying and reducing cyber risk for enterprises globally. Elad can be reached online through his LinkedIn (https://www.linkedin.com/in/elad-damari) and at our company website https://perception-point.io