Bypassing SEGs By Abusing Open Redirects on Legitimate Websites: A Real-World Example

Discover how real-world attackers use open redirects to access sensitive data, bypassing traditional secure email gateways.
April 6, 2023

Every day, cyberattacks become more sophisticated and slip past traditional security controls, including secure email gateways (SEGs). Threat actors use a number of tactics to get past SEGs unnoticed. In a series of recent articles, we have explored a handful of them, including multi-step phishing, OAuth phishing, and payment/invoice fraud, by illustrating real-world examples stopped by the Abnormal solution.

Today’s installment in the series examines how attackers abuse open redirects on legitimate websites. An open redirect vulnerability exists when an application takes a destination from user-controllable input (typically a URL parameter) and sends the browser there without checking it. The destination can be a malicious page controlled by attackers and used to distribute malware, drive ad fraud, or harvest login credentials that are then used to access sensitive data. Because the link the victim sees starts with a trusted domain, URL reputation checks and a cautious reader both tend to let it through.

Throughout this article, we will examine the elements of a real-world open redirect attack and how Abnormal prevented it.

What is an Open Redirect?

As part of its normal operation, a web app can tell your browser to navigate automatically to another page. This is an ordinary redirect, used for many reasons: a site moves an endpoint, deprecates old content and sends you to its replacement, or simply bounces you from the HTTP version of a site to its encrypted HTTPS version. An open redirect occurs when the destination of that redirect can be manipulated from outside the application, so that the redirect sends the user to an arbitrary location, including one controlled by threat actors.
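To make the vulnerability concrete on the application side, here is an added example, not code from the original post, of a login handler that honours a user-supplied next parameter wholesale, beside a hardened version that only follows the redirect when it resolves to one of the application's own hosts. The host names, the parameter name and the bypass payloads are hypothetical. The hardened version covers the usual validation mistakes: scheme-relative //host URLs, backslashes that browsers treat as slashes, userinfo tricks of the form host@evil, and non-https schemes.

```python
"""Open redirect: a vulnerable 'next' handler beside a hardened one.

Added example. Host names, parameter name and payloads are hypothetical.
"""
from urllib.parse import urljoin, urlsplit

# Hosts this application may send the browser to (hypothetical allow list).
ALLOWED_HOSTS = {"app.example.com", "login.example.com"}
DEFAULT_TARGET = "https://app.example.com/"


def vulnerable_redirect_target(next_param: str) -> str:
    """Uses the user-supplied 'next' value as the Location header verbatim.

    Anything an attacker puts in the link (//evil.com, https://evil.com, ...)
    becomes the redirect destination: this is the open redirect.
    """
    return next_param or DEFAULT_TARGET


def safe_redirect_target(next_param: str) -> str:
    """Follows 'next' only if it resolves to an allowed host over https.

    Falls back to DEFAULT_TARGET otherwise, so the link still works for
    legitimate users but cannot send them off-site.
    """
    if not next_param:
        return DEFAULT_TARGET
    candidate = next_param.strip()
    # Browsers strip tabs/newlines and treat '\' as '/' in the authority part,
    # so normalise the same way before parsing, rather than letting urlsplit
    # see "/\evil.com" as a harmless relative path.
    if any(ord(ch) <= 0x20 for ch in candidate):
        return DEFAULT_TARGET
    candidate = candidate.replace("\\", "/")
    # Resolve against our own origin: "/dashboard" becomes an absolute URL on
    # our host, while "//evil.com" becomes https://evil.com and fails below.
    resolved = urljoin(DEFAULT_TARGET, candidate)
    parts = urlsplit(resolved)
    if parts.scheme != "https":
        return DEFAULT_TARGET
    # .hostname is lower-cased and excludes any user:pass@ prefix, so
    # "https://app.example.com@evil.com/" yields hostname evil.com here.
    if parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    # A userinfo part on an allowed host ("https://evil.com@app.example.com/")
    # has no legitimate use in a redirect; refuse it rather than reason about it.
    if parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET
    return resolved


if __name__ == "__main__":
    for payload in ["/dashboard", "//evil.com/login",
                    "https://app.example.com@evil.com/", "/\\evil.com"]:
        print(f"{payload!r:40} vulnerable -> {vulnerable_redirect_target(payload)!r:45} "
              f"safe -> {safe_redirect_target(payload)!r}")
```

The fallback to a fixed default, rather than an error page, is deliberate: a stale or tampered link still lands the user somewhere useful, and the attacker learns nothing from the response that a plain visit would not have told them.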

Let’s take a look at a real-world example that Abnormal recently detected.

How Attackers Abuse Open Redirects

Over the past several weeks, Abnormal has seen a large uptick in the volume of email messages whose phishing payloads are obfuscated by abusing redirects on legitimate websites such as YouTube, KoreanAir, and even Walmart. In an abused redirect, the URL first points to something like youtube.com/[page_that_doesn’t_exist] and carries a redirect that fires if that page fails to load, as seen below.

Here the highlighted portion of the URL is the redirect that kicks off a phishing workflow:

[Image: the email URL with the redirect portion highlighted]

These messages largely originate from email accounts that threat actors have compromised. Some also hijack existing email threads from unrelated organizations and add new content to them, so that the message appears largely legitimate and evades signature/definition-based checks. The added content is a combination of blank whitespace and an image file that links to the legitimate website whose redirect is abused.

Below is the first part of the initial message, showing that the email’s content is delivered as a PNG image rather than as text. After it comes the empty whitespace, followed by the original thread, hijacked from a compromised account at an organization unrelated to the targeted victim.

[Image: the initial email, with the body delivered as a PNG image and the whitespace and hijacked thread beneath it]

The URL itself points to newsbreakmail[.]com and initiates a redirect upon click:

[Image: the link pointing to newsbreakmail[.]com]

The destination that follows the redirect is Base64-encoded, which hides the real destination of the click from a casual look at the link. Base64 is an encoding that represents arbitrary bytes as printable text, not encryption, so it reverses trivially. Decoding it shows the following obfuscated URL:

[Image: the Base64-decoded redirect URL]

This redirects to a Russian website that presents a Cloudflare “checking that your connection is secure” step. The check is not there to protect the visitor: the redirect chain uses it for sandbox evasion and for profiling the connecting client before the phishing page is served:

[Image: the Cloudflare connection check presented by the Russian site]

Once that verification completes, the victim sees a proxied version of their real login page, which takes a second or two to build when watched live (redacted version below):

[Image: the proxied Microsoft login page, redacted]

Because the attacker proxies the connection to the real login page, the attacker captures the credentials the user enters and the session cookies returned by the genuine Microsoft authentication event. Those cookies represent an already-authenticated session, so replaying them lets the attacker in even when the victim completed multi-factor authentication.

Another fascinating example is abusing a legitimate Microsoft process to validate connectors:

[Image: the Microsoft 365 connector validation message]

Here, the original sender of the message is a Microsoft 365 connector validator from an M365 tenant whose default naming pattern (NetOrg[number]) is often seen in use by threat actors. The body of the message contains an image file that, if clicked, routes the user to Chipotle.app.link, followed by a series of redirects that lead to this destination:

[Image: the final destination reached after the Chipotle.app.link redirects]

Microsoft’s authentication results show that this message passed SPF and composite authentication. DMARC is reported as bestguesspass, meaning the From domain publishes no DMARC record and Microsoft is reporting what the verdict would have been, and there is no DKIM signature at all:

Authentication-Results:

spf=pass (sender IP is 52.101.48.26) smtp.mailfrom=NETORGFT6910139.onmicrosoft.com;
dkim=none (message not signed) header.d=none;
dmarc=bestguesspass action=none header.from=NETORGFT6910139.onmicrosoft.com;
compauth=pass reason=109
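A header like this is usually read by eye; here is an added example, not code from the original post and not Abnormal’s detection logic, that parses it into per-method results (dropping the parenthesised comments, which RFC 8601 permits anywhere in the header) and flags the weak points visible in this message: a DKIM result of none, a DMARC result of bestguesspass, and a default onmicrosoft.com tenant domain in header.from. The header string embedded in the code is the one quoted above; the assessment rules are illustrative.

```python
"""Parse a Microsoft Authentication-Results header and flag weak auth signals.

Added example. The header text is the one quoted above; the assessment
rules are illustrative, not Abnormal's detection logic.
"""
import re

AUTH_RESULTS_HEADER = (
    "spf=pass (sender IP is 52.101.48.26) smtp.mailfrom=NETORGFT6910139.onmicrosoft.com; "
    "dkim=none (message not signed) header.d=none;"
    "dmarc=bestguesspass action=none header.from=NETORGFT6910139.onmicrosoft.com;"
    "compauth=pass reason=109"
)


def parse_auth_results(header: str) -> dict:
    """Return {method: {"result": verdict, prop: value, ...}} for each clause.

    Parenthesised comments such as "(sender IP is ...)" are dropped first;
    they carry no machine-readable verdict. A leading authserv-id clause
    (e.g. "spf.protection.outlook.com;") has no '=' and is skipped.
    """
    cleaned = re.sub(r"\([^)]*\)", "", header)
    results = {}
    for clause in cleaned.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue  # empty clause, or the authserv-id, which has no result
        method, _, verdict = tokens[0].partition("=")
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results[method.lower()] = {"result": verdict.lower(), **props}
    return results


def assess(results: dict) -> list:
    """Findings a triage analyst would want to see for this header."""
    findings = []
    dmarc = results.get("dmarc", {})
    if dmarc.get("result") == "bestguesspass":
        findings.append(
            "dmarc=bestguesspass: the From domain publishes no DMARC record; "
            "Microsoft reports what the verdict would have been, the domain owner asserted nothing"
        )
    if results.get("dkim", {}).get("result") == "none":
        findings.append("dkim=none: unsigned message, so nothing binds the body to the sending domain")
    from_domain = dmarc.get("header.from", "")
    if from_domain.lower().endswith(".onmicrosoft.com"):
        findings.append(
            f"header.from={from_domain}: default tenant domain rather than a branded one; "
            "any tenant's onmicrosoft.com domain passes SPF when sent through Microsoft's own infrastructure"
        )
    return findings


if __name__ == "__main__":
    parsed = parse_auth_results(AUTH_RESULTS_HEADER)
    for method, detail in parsed.items():
        print(method, detail)
    for line in assess(parsed):
        print("-", line)
```

The point of the exercise is that every individual result here is technically a pass or a neutral: nothing in the header is forged, the message really did come from Microsoft’s infrastructure on behalf of a real tenant. What the parser surfaces is the absence of any assertion by a domain owner, which is the signal a policy keyed only on spf=pass or compauth=pass never sees.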

These lures are variations on the same delivery technique, each abusing a different legitimate website’s redirect. Among the top legitimate services we’ve seen abused in these attacks are several well-known names, including:

shareasale[.]com

onelink[.]me

link.potterybarn[.]com

portal.criticalimpact[.]com

mydealersocket[.]com

soccer.sincsports[.]com

ums.koreanair[.]com

api.sparknotifications.walmart[.]com

t.ac.orbitz[.]com

l.document.cigna[.]com

youtube[.]com

chipotle.app[.]link

Here are a few examples of malicious redirects using these sites:

[Image: examples of malicious redirect URLs using the services listed above]
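Pulling the earlier pieces together, here is an added example, not code from the original post and not Abnormal’s detection logic, of a triage pass over the URLs in a message body: it recognises hosts from the list above as redirectors, pulls the embedded destination out of the query string whether it is plain, percent-encoded or Base64-encoded (the trick used in the newsbreakmail[.]com link discussed earlier), restores missing Base64 padding, and reports any destination that lands on a different host. The sample message body and the redirect paths in it (/redirect?q=, /click?u=) are constructed for the example; they are not claims about those services’ actual endpoints.

```python
"""Triage links that bounce through a legitimate redirector to a phishing host.

Added example. Redirector hosts come from the list above; the sample message
and the /redirect?q= and /click?u= paths are constructed for illustration.
"""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

KNOWN_REDIRECTORS = {
    "shareasale.com", "onelink.me", "link.potterybarn.com",
    "portal.criticalimpact.com", "mydealersocket.com", "soccer.sincsports.com",
    "ums.koreanair.com", "api.sparknotifications.walmart.com", "t.ac.orbitz.com",
    "l.document.cigna.com", "youtube.com", "chipotle.app.link",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample body: two redirector links with external destinations
# (one percent-encoded, one Base64 without padding) and one benign link.
SAMPLE_BODY = """\
Please review the shared document:
https://www.youtube.com/redirect?q=https%3A%2F%2Fphish.example.net%2Flogin
Confirm your details here:
https://link.potterybarn.com/click?u=aHR0cHM6Ly9jcmVkcy5leGFtcGxlLm5ldC9vZmZpY2U
Watch our latest video: https://www.youtube.com/watch?v=abc123
"""


def maybe_base64_url(value: str):
    """Decode value as standard or URL-safe Base64 and return it if it is a URL.

    Attackers often drop the trailing '=' padding; restore it before decoding.
    """
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if text.lower().startswith(("http://", "https://")):
            return text
    return None


def embedded_destination(url: str):
    """Return the URL carried inside a redirector link, or None.

    Query values are percent-decoded by hand (not parse_qsl) so that '+' in
    standard Base64 is not turned into a space. The last path segment is also
    tried, for redirectors that put the target in the path instead.
    """
    parts = urlsplit(url)
    raw_values = [pair.partition("=")[2] for pair in parts.query.split("&") if pair]
    raw_values.append(parts.path.rsplit("/", 1)[-1])
    for raw in raw_values:
        value = unquote(raw)
        if value.lower().startswith(("http://", "https://")):
            return value
        decoded = maybe_base64_url(value)
        if decoded:
            return decoded
    return None


def is_known_redirector(host: str) -> bool:
    host = host.lower()
    return any(host == r or host.endswith("." + r) for r in KNOWN_REDIRECTORS)


def triage_links(text: str) -> list:
    """Flag every known-redirector URL whose embedded destination is off-host."""
    findings = []
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if not is_known_redirector(host):
            continue
        dest = embedded_destination(url)
        if not dest:
            continue  # an ordinary link on the service, no redirect parameter
        dest_host = (urlsplit(dest).hostname or "").lower()
        if dest_host and not is_known_redirector(dest_host):
            findings.append({"redirector": host, "destination": dest,
                             "destination_host": dest_host})
    return findings


if __name__ == "__main__":
    for finding in triage_links(SAMPLE_BODY):
        print(f"{finding['redirector']} -> {finding['destination']}")
```

Treat the output as enrichment rather than a verdict: a marketing redirector sending to a legitimate partner trips the same rule. What the pass buys you is the destination host, which is the thing to run through reputation and domain-age checks, instead of the trusted redirector host that a naive URL filter would have scored.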

How Abnormal Protects You from Abused Open Redirects

Traditional SEGs often miss advanced attacks like abused open redirects, but you can count on protection from Abnormal. The Abnormal solution combines behavioral data science (contextual profiling) with content analysis to detect the full range of sophisticated attacks. One such output is shown below:

[Image: Abnormal’s detection summary for this attack]

Many distinct data signals feed these high-level summaries. They are triggered by factors such as unusual senders, suspicious link content, unusual financial requests, and more. Ultimately, Abnormal Security’s approach to threat detection, an ensemble of behavioral data science and content analysis, allows it to mitigate the risk of sophisticated campaigns.
