When SEGs Fail: How Attackers Exploit Open Redirects to Bypass Legacy Email Security

Explore the risks of open redirects and how they enable attackers to circumvent email security.
February 14, 2025

Open redirects have become a favorite tool for attackers looking to bypass email security measures. By exploiting weakly constructed redirect scripts hosted on trusted websites, attackers send recipients from a link that appears safe to a malicious destination.

This strategy leverages the reputation of trusted domains to:

  • Evade being flagged as malicious by email security tools.

  • Bypass compensating URL rewriting and sandboxing controls.

  • Lower suspicion among end-users, increasing the likelihood of a successful attack.

Here, we’ll explore how attackers abuse open redirects, review a real-world example, and explain why traditional email security fails to protect against these threats.

What Are Open Redirects and Why Are They Dangerous?

Open redirects occur when a trusted website contains a script or URL parameter that attackers can manipulate to send users to a destination of the attacker's choosing. Instead of reaching the trusted site, users are forwarded to a malicious one, often without realizing it.
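The weakly constructed script this paragraph refers to is one that forwards the browser to whatever its redirect parameter says. The following is an added example of the hardened form, not code from this page or from any real site; SITE_HOST, ALLOWED_HOSTS and the parameter handling are assumed for illustration.

```python
"""Hardened replacement for a weak click-through redirect script.

A weak script does the equivalent of `redirect(request.args["url"])`, so any
absolute URL placed in the parameter becomes the destination. This version
only forwards to a path on its own site or to an explicitly allowlisted host
and otherwise falls back to the home page. SITE_HOST and ALLOWED_HOSTS are
assumed example values.
"""
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "trusted.example"                 # assumed: the site hosting the script
ALLOWED_HOSTS = {SITE_HOST, "docs.trusted.example"}


def safe_redirect_target(requested: str, fallback: str = "/") -> str:
    """Return a redirect target that is guaranteed to stay on an allowed host."""
    value = requested.strip()
    if not value:
        return fallback
    # Same-site relative path: exactly one leading slash. "//" or "/\" would be
    # read by browsers as the start of a new authority (host) component.
    if value.startswith("/") and not value.startswith(("//", "/\\")):
        return value
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return fallback                       # mailto:, protocol-relative, etc.
    if parts.username or parts.password:
        return fallback                       # userinfo makes the host ambiguous
    try:
        port = parts.port
    except ValueError:
        return fallback                       # unparsable port
    if parts.hostname not in ALLOWED_HOSTS:   # .hostname is already lowercased
        return fallback                       # off-site host: the open-redirect case
    # Rebuild the URL from validated parts only, never echo the raw input.
    netloc = parts.hostname + (f":{port}" if port else "")
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, parts.fragment))
```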

How Open Redirects Work

Consider the following URL from a real attack Abnormal Security observed:

[Image: Open Redirect 4, the URL observed in the attack]

At first glance, the URL appears legitimate because it starts with a trusted domain. Upon further inspection, however, Abnormal detected:

  1. Open Redirect Abuse: The click.php script allows the attacker to redirect users to another site.

  2. Intermediate Step: Users are sent to a CAPTCHA page (captcha.com) to build trust.

  3. Final Redirect: Completing the CAPTCHA sends users to a spoofed Microsoft login page, designed to steal credentials.
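A triage check a mail-security team can run over links extracted from inbound mail to spot the click.php pattern above: a URL on one host whose query string (or fragment) carries a second URL pointing at a different domain. This is an added example, not Abnormal's code; the host names in the sample inputs are constructed placeholders.

```python
"""Flag links that smuggle an off-domain URL inside a query parameter."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

MAX_DECODE_DEPTH = 3  # unwrap a few layers of percent-encoding
# Absolute (http/https) or protocol-relative URL; host must contain a dot.
_URL_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels): fine for triage, not a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def embedded_hosts(value: str) -> set[str]:
    """Hosts of URLs hidden inside a parameter value, across nested encodings."""
    hosts: set[str] = set()
    for _ in range(MAX_DECODE_DEPTH):
        hosts.update(m.group(1) for m in _URL_RE.finditer(value))
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return hosts


def find_open_redirect_candidates(url: str) -> list[tuple[str, str]]:
    """Return (parameter, foreign_host) pairs for every embedded URL whose
    registrable domain differs from the link's own host."""
    outer = urlsplit(url)
    if not outer.hostname:
        return []
    outer_domain = registrable_domain(outer.hostname)
    params = parse_qsl(outer.query, keep_blank_values=True)  # decodes one layer
    if outer.fragment:
        params.append(("#fragment", outer.fragment))
    findings = []
    for name, value in params:
        for host in sorted(embedded_hosts(value)):
            if registrable_domain(host) != outer_domain:
                findings.append((name, host))
    return findings


if __name__ == "__main__":
    # Constructed sample, mirroring the click.php -> CAPTCHA hop described above.
    sample = "https://trusted.example/click.php?url=https%3A%2F%2Fcaptcha.example%2Fverify"
    print(find_open_redirect_candidates(sample))
```

Links this check flags are candidates for detonation that follows the whole chain, or for blocking when the embedded host has no business relationship with the sender.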

How This Attack Unfolded

In this real-world example, attackers combined open redirects with multiple tactics to create a sophisticated phishing campaign:

1. Email From a Compromised Vendor Account:

  • The email originated from a trusted account that passed all authentication checks (SPF, DKIM, DMARC).

  • It impersonated DocuSign branding to establish trust.

[Image: Open Redirect 1, the phishing email]

2. Malicious URL with Open Redirect:

  • The email contained an open redirect hosted on a trusted website.

  • This redirected users to a second site hosting a CAPTCHA.

[Image: Open Redirect 2, the open redirect link]

3. CAPTCHA Page:

  • CAPTCHAs add legitimacy, tricking users into believing the interaction is secure.

  • CAPTCHAs can stop automated systems from progressing past the page, so sandboxing tools cannot follow the full redirect chain or reach the final malicious destination.

4. Final Redirect to Phishing Page:

  • Completing the CAPTCHA sent users to a spoofed Microsoft login page, designed to harvest credentials.

[Image: Open Redirect 3, the spoofed Microsoft login page]

Why This Attack Was Effective

This attack succeeded by exploiting trusted domains and using advanced tactics to evade detection:

  • Legitimate Accounts and Authentication:
    • The email passed authentication protocols (SPF, DKIM, DMARC) and appeared to come from a known vendor.

  • Open Redirects on Trusted Sites:
    • These exploited the reputation of legitimate domains to bypass URL rewriting and sandboxing solutions.

  • CAPTCHA Hosting:
    • CAPTCHAs added credibility and blocked automated detection tools.

  • Phishing Toolkit Efficiency:
    • Attackers rapidly deployed the spoofed Microsoft login page using readily available phishing kits.

Why Traditional Email Security Fails

Legacy email security solutions struggle to detect attacks leveraging open redirects due to:

  • Static Defenses:
    • Traditional solutions rely on predefined rules and domain reputation checks, which fail against dynamic multi-step redirects.

  • Limited Visibility into Redirect Chains:
    • URL rewriting tools analyze only the initial or intermediate links, missing the malicious final destination.

  • Overreliance on Trust:
    • Emails from authenticated or trusted domains often bypass traditional defenses.

  • Bot Evasion Techniques:
    • CAPTCHAs often block automated analysis, creating blind spots in traditional sandboxing tools.

By failing to adapt to evolving threats, these solutions leave organizations vulnerable to sophisticated phishing campaigns.

How Abnormal Stops These Attacks

Abnormal Security’s AI-powered platform is uniquely designed to detect and prevent attacks like these:

  • Detection of Redirect Chains:
    • Abnormal dynamically analyzes multi-step redirects, flagging suspicious chains even when they originate from trusted domains.

  • Behavioral and Contextual Analysis:
    • By analyzing thousands of identity signals, Abnormal identifies anomalies like unusual sender behavior or requests inconsistent with user roles.

  • End-to-End Attack Visibility:
    • Abnormal provides full visibility into the attack chain, from the initial email to the final phishing page, empowering security teams with actionable insights.

With Abnormal, you gain real-time protection that adapts to evolving attacker tactics, eliminating blind spots and reducing operational overhead.

Evolving Threats Demand Smarter Defenses

As attackers continue to refine their methods, traditional email security solutions fall short in detecting advanced threats like open redirects. Relying on static defenses and trust-based assumptions creates significant risks for organizations.

Abnormal Security’s AI-native platform offers the advanced protection you need, analyzing intent and behavior to stop threats before they reach your users.

Interested in learning more about how Abnormal can protect your organization? Schedule a demo today!
