
Bypassing SEGs By Abusing Open Redirects on Legitimate Websites: A Real-World Example

Discover how real-world attackers use open redirects to access sensitive data, bypassing traditional secure email gateways.
April 6, 2023

Every day, cyberattacks are becoming more sophisticated, bypassing traditional security controls including secure email gateways (SEGs). Threat actors employ a number of different tactics to slip past SEGs unnoticed. Throughout a series of recent articles, we have explored a handful of these tactics—multi-step phishing, OAuth phishing, and payment/invoice fraud—by illustrating real-world examples stopped by the Abnormal solution.

Today’s installment in the series will examine how attackers abuse open redirects on legitimate websites. An open redirect vulnerability occurs when an application accepts untrusted input that controls where it redirects users, so an attacker can send them to another website of their choosing. That website could be a malicious page controlled by the attackers and used to distribute malware, drive ad fraud, or harvest login credentials that can then be used to access sensitive data.

Throughout this article, we will examine the elements of a real-world open redirect attack and how Abnormal prevented it.

What is an Open Redirect?

As part of its normal operation, a web app can tell your browser to automatically navigate to another site. This is a basic redirect, and it happens for a number of legitimate reasons: a site changes its endpoint location, deprecates old content and sends you to a new page, or simply redirects from the HTTP version of a site to its HTTPS version. An open redirect occurs when the redirect destination can be manipulated from outside the application, so the user is sent to an arbitrary location—one controlled by threat actors.
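To make the definition concrete, here is the vulnerable pattern beside a hardened version of the same redirect handler. This is an added illustration written for this article, not code from Abnormal or from any of the sites named later; SITE_ORIGIN, ALLOWED_HOSTS and the sample values are constructed placeholders.

```python
"""Open redirect: the vulnerable handler beside a hardened one.

Added illustration for this article, not code from Abnormal or from any
site it names. SITE_ORIGIN, ALLOWED_HOSTS and the sample values are
constructed placeholders.
"""
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://app.example.com"                  # constructed
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}   # constructed


def vulnerable_redirect_target(next_param: str) -> str:
    """The open redirect: whatever arrives in ?next= is handed straight to the
    browser as the Location target, so an attacker-chosen URL is followed."""
    return next_param


def safe_redirect_target(next_param: str, fallback: str = SITE_ORIGIN + "/") -> str:
    """Return a redirect target that stays on an allowed host, else `fallback`.

    Accepts only a same-site relative path or an absolute https URL whose
    host is in ALLOWED_HOSTS. The normalisation steps close the usual
    bypasses of a naive "starts with /" or "contains our domain" check.
    """
    if not next_param:
        return fallback
    # Browsers treat a backslash as a slash in the authority position and
    # ignore leading whitespace, so normalise before parsing.
    candidate = next_param.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # A plain relative path. Protocol-relative input ("//evil.test")
        # parses with a netloc, so it never reaches this branch.
        if not candidate.startswith("/"):
            return fallback
        return urljoin(SITE_ORIGIN, candidate)
    if parts.scheme.lower() != "https":
        return fallback
    # .hostname drops userinfo and port, so "https://app.example.com@evil.test"
    # is seen as evil.test and rejected.
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return fallback
    return candidate
```

The safe version fails closed: anything it cannot positively classify as same-site lands on the fallback page, which is the behaviour the legitimate sites abused later in this article lacked.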

Let’s take a look at a real-world example that Abnormal recently detected.

How Attackers Abuse Open Redirects

Over the past several weeks, Abnormal has seen a large uptick in the volume of email messages whose phishing payloads are obfuscated by abusing redirects on legitimate websites such as YouTube, Korean Air, and even Walmart. In an abused redirect, the URL first points to something like youtube.com/[page_that_doesn’t_exist] and carries a redirect destination that is followed when the page fails to load, as seen below.

Here the highlighted portion of the URL is the redirect that kicks off a phishing workflow:

[Screenshot: the abused URL, with the redirect portion highlighted]

These messages largely originate from email accounts that have been compromised by threat actors. Further, some of these messages are abusing hijacked email threads from unrelated organizations and adding new content to them to evade normal signature/definition checks so that the message appears largely legitimate. The added content is a combination of text-less whitespace and an image file that links to the legitimate website for redirect abuse.

Below is the first part of the initial email message, showing that the content of the email is delivered as a PNG image. After it comes the empty whitespace, followed by the original email thread that was hijacked from a compromised account external to the victim targeted in this message.

[Screenshots: the PNG image, the whitespace, and the hijacked thread below it]

The URL itself points to newsbreakmail[.]com and initiates a redirect upon click:

[Screenshot: the link pointing to newsbreakmail[.]com]

The content after the redirect is encoded in Base64—an encoding that represents binary data as printable ASCII text—to hide the true destination reached by clicking the link. Decoding it reveals the following obfuscated URL:
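An analyst triaging one of these links wants the final destination without clicking through. The following is an added example, not Abnormal's tooling: it unwraps redirect parameters offline, and it goes beyond the Base64 case in this article by also handling plain and percent-encoded targets. The hosts, parameter names and destination in the samples are constructed.

```python
"""Unwrap a redirect link to expose its final destination, without any network access.

Added example for this article, not Abnormal's tooling. Hosts, parameter
names and the destination in the samples are constructed.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)

# Constructed samples: a redirector whose ?u= carries a Base64 destination,
# wrapped in a second redirector that carries the first, percent-encoded.
FINAL_DESTINATION = "https://phish.invalid/login"
INNER_LINK = "https://redirector.example/r?u=" + base64.b64encode(
    FINAL_DESTINATION.encode()).decode()
OUTER_LINK = "https://video.example/watch?v=missing&q=" + quote(INNER_LINK, safe="")


def _maybe_base64(value: str):
    """Decode standard or URL-safe Base64 text; None if it is not Base64."""
    # parse_qsl turns '+' into spaces; restore them before decoding.
    cleaned = value.strip().replace(" ", "+")
    if len(cleaned) < 8 or not re.fullmatch(r"[A-Za-z0-9+/_=-]+", cleaned):
        return None
    padded = cleaned + "=" * (-len(cleaned) % 4)   # tolerate stripped padding
    decoder = base64.urlsafe_b64decode if ("-" in cleaned or "_" in cleaned) else base64.b64decode
    try:
        return decoder(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def embedded_urls(value: str) -> list:
    """URLs carried inside one value: as-is, percent-decoded, or Base64-decoded."""
    found = []
    for text in (value, unquote(value), _maybe_base64(value) or ""):
        for url in URL_RE.findall(text):
            if url not in found:
                found.append(url)
    return found


def unwrap_redirect(link: str, max_hops: int = 5) -> list:
    """Follow embedded redirect targets and return the chain, outermost first."""
    chain = [link]
    current = link
    for _ in range(max_hops):
        parts = urlsplit(current)
        candidates = []
        for _, value in parse_qsl(parts.query, keep_blank_values=True):
            candidates.extend(embedded_urls(value))
        # Some redirectors put the target in the path or fragment instead.
        candidates.extend(embedded_urls(parts.path))
        candidates.extend(embedded_urls(parts.fragment))
        if not candidates:
            break
        current = candidates[0]
        chain.append(current)
    return chain


def final_host(link: str) -> str:
    """The host a user would end up on, for comparison against the link's visible host."""
    return urlsplit(unwrap_redirect(link)[-1]).hostname or ""
```

A mismatch between the visible host (the legitimate site) and final_host() is the signal worth alerting on; the redirector chain itself is the evidence to keep in the ticket.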

[Screenshot: the Base64-decoded, obfuscated URL]

This redirects to a Russian website that then verifies that the connecting client’s “connection is secure” via Cloudflare’s services; in practice the check is being abused for sandbox evasion and for profiling the connecting client:

[Screenshot: the Cloudflare verification page on the Russian site]

Once that verification is completed, the victim is shown a proxied version of their real login page, which takes a second or two to build if they are watching the page live (redacted version below):

[Screenshot: the proxied login page (redacted)]

Because the attacker is proxying the connection to the real login page, they capture the credentials the user enters as well as the session cookies returned by the real Microsoft authentication event.

Another fascinating example is abusing a legitimate Microsoft process to validate connectors:

[Screenshot: the message sent via the Microsoft 365 connection validator]

Here, we can see that the original sender of the message is a Microsoft 365 connection validator from an M365 tenant whose name is often seen being leveraged by threat actors (NetOrg[number]). The body of this message contains an image file that, if clicked, will route the user to Chipotle.app.link, followed by a series of redirects that lead to this destination:

[Screenshot: the final destination after the Chipotle.app.link redirect chain]

Microsoft’s authentication results show that this message passed SPF and DMARC, without a DKIM signature:

Authentication-results:

spf=pass (sender IP is 52.101.48.26) smtp.mailfrom=NETORGFT6910139.onmicrosoft.com; dkim=none (message not signed) header.d=none;dmarc=bestguesspass action=none header.from=NETORGFT6910139.onmicrosoft.com;compauth=pass reason=109
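The header above is readable by eye, but at volume it is worth parsing. The following is an added example, not Abnormal's detection logic: a small parser for the Authentication-Results syntax plus a review checklist that flags the combination seen here (no DKIM signature, dmarc=bestguesspass, a default .onmicrosoft.com From domain). SAMPLE_HEADER is the header quoted in this article with line breaks removed; the clean header in the test and the findings wording are this example's own.

```python
"""Parse an Authentication-Results header and list weak-authentication findings.

Added example for this article, not Abnormal's detection logic. The parser is
a small stdlib implementation of the header syntax; the findings are this
example's own review checklist. SAMPLE_HEADER is the header quoted in the
article, with line breaks removed.
"""
import re

SAMPLE_HEADER = (
    "spf=pass (sender IP is 52.101.48.26) smtp.mailfrom=NETORGFT6910139.onmicrosoft.com; "
    "dkim=none (message not signed) header.d=none;"
    "dmarc=bestguesspass action=none header.from=NETORGFT6910139.onmicrosoft.com;"
    "compauth=pass reason=109"
)

COMMENT_RE = re.compile(r"\(([^)]*)\)")


def parse_authentication_results(header: str) -> dict:
    """Map each method (spf, dkim, dmarc, compauth, ...) to its result,
    its ptype.property=value pairs and any parenthesised comment."""
    parsed = {}
    for clause in header.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        comment = None
        m = COMMENT_RE.search(clause)
        if m:
            comment = m.group(1).strip()
            clause = (clause[:m.start()] + " " + clause[m.end():]).strip()
        tokens = clause.split()
        if "=" not in tokens[0]:
            parsed["authserv_id"] = tokens[0]   # RFC 8601 leading authserv-id, if present
            continue
        method, _, result = tokens[0].partition("=")
        props = {}
        for token in tokens[1:]:
            key, _, value = token.partition("=")
            props[key.lower()] = value
        parsed[method.lower()] = {"result": result.lower(), "props": props, "comment": comment}
    return parsed


def weak_auth_findings(parsed: dict) -> list:
    """Review findings. None alone proves the message is malicious; the
    combination seen in the article deserves a closer look."""
    findings = []
    dkim = parsed.get("dkim", {}).get("result", "none")
    if dkim != "pass":
        findings.append(f"no valid DKIM signature (dkim={dkim})")
    dmarc = parsed.get("dmarc", {})
    result = dmarc.get("result", "none")
    if result == "bestguesspass":
        findings.append("dmarc=bestguesspass: the From domain publishes no DMARC record")
    elif result != "pass":
        findings.append(f"DMARC did not pass (dmarc={result})")
    header_from = dmarc.get("props", {}).get("header.from", "").lower()
    if header_from.endswith(".onmicrosoft.com"):
        findings.append(f"From domain is a default tenant domain: {header_from}")
    return findings
```

Note that every method here technically "passed" as far as a policy-only SEG is concerned; the findings come from what is absent (a signature, a published DMARC policy) rather than from a failed check.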

These email lures use different variations of the same delivery technique on different abused website redirects. Among the legitimate services we’ve seen abused most often in these attacks are several well-known names, including:

Shareasale[.]com

Onelink[.]me

Link.potterybarn[.]com

Portal.criticalimpact[.]com

mydealersocket[.]com

Soccer.sincsports[.]com

Ums.koreanair[.]com

Api.sparknotifications.walmart[.]com

T.ac.orbitz[.]com

L.document.cigna[.]com

Youtube[.]com

Chipotle.app[.]link

Here are a few examples of malicious redirects using these sites:

[Screenshots: example malicious redirect URLs on the sites listed above]

How Abnormal Protects You from Abused Open Redirects

Traditional SEGs often miss advanced attacks like abused open redirects, but you can count on protection from Abnormal. By scrutinizing email behavior and context, Abnormal detects anomalies signaling zero-day threats, offering proactive defense even without known indicators of compromise. An output of this analysis can be seen below:

[Screenshot: Abnormal’s analysis summary for one of these messages]

Many distinct data signals feed these high-level summaries. They are triggered by factors such as unusual senders, suspicious link content, unusual financial requests, and more. Ultimately, Abnormal Security’s approach to threat detection, which combines behavioral data science with content analysis, allows it to mitigate the risk of sophisticated campaigns like this one.

Interested in learning more about how Abnormal can protect you from advanced attacks?
