chat
expand_more

Bypassing SEGs By Abusing Open Redirects on Legitimate Websites: A Real-World Example

Discover how real-world attackers use open redirects to access sensitive data, bypassing traditional secure email gateways.
April 6, 2023

Everyday cyberattacks are becoming more sophisticated, bypassing traditional security methods including secure email gateways (SEGs). There are a number of different tactics threat actors employ to slip past SEGs unnoticed. Throughout a series of recent articles, we have explored a handful of these tactics—multi-step phishing, OAuth phishing, and payment/invoice fraud—by illustrating real-world examples stopped by the Abnormal solution.

Today’s installment in the series will examine how attackers abuse open redirects on legitimate websites. Open redirect vulnerabilities occur when an application allows attackers to pass information that directs users to another website. The new website could be a malicious page controlled by attackers that's used to distribute malware, drive ad fraud, or obtain login credentials that can be used to access sensitive data.

Throughout this article, we will examine the elements of a real-world open redirect attack and how Abnormal prevented it.

What is an Open Redirect?

As part of its operation, a web app can tell your browser to automatically navigate to another site. This is a basic redirect that can occur for a number of reasons, including when sites change their endpoint location or deprecate old content and redirect you to a new page, or simply redirecting from an HTTP version of a site to its encrypted HTTPS. An open redirect occurs when the URL redirect is manipulated from outside of the application and sends the user to an arbitrary location—one controlled by threat actors.

Let’s take a look at a real-world example that Abnormal recently detected.

How Attackers Abuse Open Redirects

Over the past several weeks, Abnormal has seen a large uptick in the volume of email messages whose phishing payloads are being obfuscated by the abuse of redirects on legitimate websites, such as YouTube, KoreanAir, and even Walmart. An abused redirect means that a URL will first point to something like youtube.com/[page_that_doesn’t_exist] and then factor in a redirect in the event a page load fails, as seen below.

Here the highlighted portion of the URL is the redirect that kicks off a phishing workflow:

Open Red0

These messages largely originate from email accounts that have been compromised by threat actors. Further, some of these messages are abusing hijacked email threads from unrelated organizations and adding new content to them to evade normal signature/definition checks so that the message appears largely legitimate. The added content is a combination of text-less whitespace and an image file that links to the legitimate website for redirect abuse.

Below is the first part of the initial email message, showing that the content of the email is shared as a png file. Thereafter, you will see the empty whitespace, followed by the original email thread that was hijacked from a compromised account external to the targeted victim in this message.

Open Red1
Open Red2

The URL itself points to newsbreakmail[.]com and initiates a redirect upon click:

Open Red3

The content after the redirect is encoded in Base64—a means of encoding data between binary and human-readable text—to hide the true destination which will result from clicking the link. Decoding it shows the following obfuscated URL:

Open Red4

This redirects to a Russian website which then verifies the connecting client’s “connection is secure” via Cloudflare’s services, but the redirect is actually being abused for sandbox evasion and connecting client profiling:

Open Red55

Once that verification is completed, the victim will see a proxied version of their real login page presented to them, which takes a second or two to build if they are watching the page live (redacted version below):

Open Red66

Because the attacker is proxying a connection to the real login page, the attacker will capture entered credentials from the user and session cookies that are returned back from a real Microsoft authentication event.

Another fascinating example is abusing a legitimate Microsoft process to validate connectors:

Open Red77

Here, we can see that the original sender of the message is a Microsoft 365 connection validator from an M365 tenant whose name is often seen being leveraged by threat actors (NetOrg[number]). The body of this message contains an image file that, if clicked, will route the user to Chipotle.app.link, followed by a series of redirects that lead to this destination:

Open Red8

Microsoft’s authentication results show that this message passed SPF and DMARC, without a DKIM signature:

Authentication-results:

spf=pass (sender IP is 52.101.48.26) smtp.mailfrom=NETORGFT6910139.onmicrosoft.com; dkim=none (message not signed) header.d=none;dmarc=bestguesspass action=none header.from=NETORGFT6910139.onmicrosoft.com;compauth=pass reason=109

These email lures leverage different iterations of the same threat delivery technique on different abused website redirects. Among the top legitimate services we’ve seen abused in these attacks are several well-known names, including:

Shareasale[.]com

Onelink[.]me

Link.potterybarn[.]com

Portal.criticalimpact[.]com

mydealersocket[.]com

Soccer.sincsports[.]com

Ums.koreanair[.]com

Api.sparknotifications.walmart[.]com

T.ac.orbitz[.]com

L.document.cigna[.]com

Youtube[.]com

Chipotle.app[.]link

Here are a few examples of malicious redirects using these sites:

Open Red99

How Abnormal Protects You from Abused Open Redirects

Traditional SEGs often miss advanced attacks like abused open redirects, but you can count on protection from Abnormal. By scrutinizing email behavior and context, Abnormal detects anomalies signaling zero-day threats, offering proactive defense even without known indicators of compromise. An output of this analysis can be seen below:

Open Red10

There are many unique data signals that are used to render these high-level summaries. These are triggered by factors such as unusual senders, suspicious link content, unusual financial requests, and more. Ultimately, Abnormal Security’s unique approach to threat detection, which leverages an ensemble of behavioral data science and content analysis, allows it to mitigate the risk of sophisticated campaigns.

Interested in learning more about how Abnormal can protect you from advanced attacks?

Schedule a Demo
Bypassing SEGs By Abusing Open Redirects on Legitimate Websites: A Real-World Example

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Proofpoint Customer Story Blog 8
A Fortune 500 transportation and logistics leader blocked more than 6,700 attacks missed by Proofpoint and reclaimed 350 SOC hours per month by adding Abnormal to its security stack.
Read More
B Gartner MQ 2024 Announcement Blog
Abnormal Security was named a Leader in the 2024 Gartner Magic Quadrant for Email Security Platforms and positioned furthest for Completeness of Vision.
Read More
B Gift Card Scams Tricker to Spot Blog
Learn why gift card scams are becoming more difficult to identify, how cybercriminals evolve their tactics, and strategies to protect your organization.
Read More
B Offensive AI 12 16 24
Learn how AI is used in cybersecurity, what defensive AI vs. offensive AI means, and how to use defensive AI to combat offensive AI.
Read More
B Proofpoint Customer Story Blog 7
See how Abnormal's AI helped a Fortune 500 insurance provider detect 27,847 threats missed by Proofpoint and save 6,600+ hours in employee productivity.
Read More
B Cyberattack Forecast Emerging Threats Blog
Uncover the latest email threats and strategies to strengthen your cybersecurity and prepare for 2025.
Read More