Bypassing SEGs By Abusing Open Redirects on Legitimate Websites: A Real-World Example

Discover how real-world attackers use open redirects to access sensitive data, bypassing traditional secure email gateways.
April 6, 2023

Everyday cyberattacks are becoming more sophisticated, bypassing traditional security methods including secure email gateways (SEGs). There are a number of different tactics threat actors employ to slip past SEGs unnoticed. Throughout a series of recent articles, we have explored a handful of these tactics—multi-step phishing, OAuth phishing, and payment/invoice fraud—by illustrating real-world examples stopped by the Abnormal solution.

Today’s installment in the series will examine how attackers abuse open redirects on legitimate websites. Open redirect vulnerabilities occur when an application allows attackers to pass information that directs users to another website. The new website could be a malicious page controlled by attackers that's used to distribute malware, drive ad fraud, or obtain login credentials that can be used to access sensitive data.

Throughout this article, we will examine the elements of a real-world open redirect attack and how Abnormal prevented it.

What is an Open Redirect?

As part of its operation, a web app can tell your browser to automatically navigate to another site. This is a basic redirect that can occur for a number of reasons, including when sites change their endpoint location or deprecate old content and redirect you to a new page, or simply redirecting from an HTTP version of a site to its encrypted HTTPS. An open redirect occurs when the URL redirect is manipulated from outside of the application and sends the user to an arbitrary location—one controlled by threat actors.

Let’s take a look at a real-world example that Abnormal recently detected.

How Attackers Abuse Open Redirects

Over the past several weeks, Abnormal has seen a large uptick in the volume of email messages whose phishing payloads are being obfuscated by the abuse of redirects on legitimate websites, such as YouTube, KoreanAir, and even Walmart. An abused redirect means that a URL will first point to something like[page_that_doesn’t_exist] and then factor in a redirect in the event a page load fails, as seen below.

Here the highlighted portion of the URL is the redirect that kicks off a phishing workflow:

Open Red0

These messages largely originate from email accounts that have been compromised by threat actors. Further, some of these messages are abusing hijacked email threads from unrelated organizations and adding new content to them to evade normal signature/definition checks so that the message appears largely legitimate. The added content is a combination of text-less whitespace and an image file that links to the legitimate website for redirect abuse.

Below is the first part of the initial email message, showing that the content of the email is shared as a png file. Thereafter, you will see the empty whitespace, followed by the original email thread that was hijacked from a compromised account external to the targeted victim in this message.

Open Red1
Open Red2

The URL itself points to newsbreakmail[.]com and initiates a redirect upon click:

Open Red3

The content after the redirect is encoded in Base64—a means of encoding data between binary and human-readable text—to hide the true destination which will result from clicking the link. Decoding it shows the following obfuscated URL:

Open Red4

This redirects to a Russian website which then verifies the connecting client’s “connection is secure” via Cloudflare’s services, but the redirect is actually being abused for sandbox evasion and connecting client profiling:

Open Red55

Once that verification is completed, the victim will see a proxied version of their real login page presented to them, which takes a second or two to build if they are watching the page live (redacted version below):

Open Red66

Because the attacker is proxying a connection to the real login page, the attacker will capture entered credentials from the user and session cookies that are returned back from a real Microsoft authentication event.

Another fascinating example is abusing a legitimate Microsoft process to validate connectors:

Open Red77

Here, we can see that the original sender of the message is a Microsoft 365 connection validator from an M365 tenant whose name is often seen being leveraged by threat actors (NetOrg[number]). The body of this message contains an image file that, if clicked, will route the user to, followed by a series of redirects that lead to this destination:

Open Red8

Microsoft’s authentication results show that this message passed SPF and DMARC, without a DKIM signature:


spf=pass (sender IP is; dkim=none (message not signed) header.d=none;dmarc=bestguesspass action=none;compauth=pass reason=109

These email lures leverage different iterations of the same threat delivery technique on different abused website redirects. Among the top legitimate services we’ve seen abused in these attacks are several well-known names, including:










Here are a few examples of malicious redirects using these sites:

Open Red99

How Abnormal Protects You from Abused Open Redirects

Traditional SEGs often miss advanced attacks like abused open redirects, but you can count on protection from Abnormal. By scrutinizing email behavior and context, Abnormal detects anomalies signaling zero-day threats, offering proactive defense even without known indicators of compromise. An output of this analysis can be seen below:

Open Red10

There are many unique data signals that are used to render these high-level summaries. These are triggered by factors such as unusual senders, suspicious link content, unusual financial requests, and more. Ultimately, Abnormal Security’s unique approach to threat detection, which leverages an ensemble of behavioral data science and content analysis, allows it to mitigate the risk of sophisticated campaigns.

Interested in learning more about how Abnormal can protect you from advanced attacks?

Schedule a Demo
Bypassing SEGs By Abusing Open Redirects on Legitimate Websites: A Real-World Example

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B 07 22 24 MKT624 Images for Paris Olympics Blog
Threat actors are targeting French businesses ahead of the Paris 2024 Olympics. Learn how they're capitalizing on the event and how to protect your organization.
Read More
B Cross Platform ATO
Cross-platform account takeover is an attack where one compromised account is used to access other accounts. Learn about four real-world examples: compromised email passwords, hijacked GitHub accounts, stolen AWS credentials, and leaked Slack logins.
Read More
B Why MFA Alone Will No Longer Suffice
Explore why account takeover attacks pose a major threat to enterprises and why multi-factor authentication (MFA) alone isn't enough to prevent them.
Read More
Learn how Abnormal uses natural language processing or NLP to protect organizations from phishing, account takeovers, and more.
Read More
B DK Compromise 7 11 24
Discover the top five ways hackers compromise accounts, from exploiting leaked API credentials to SIM swapping partnerships, and more. Learn how these techniques enable account takeover (ATO) and pose risks to enterprises.
Read More
B Sans Recap 7 11 24
Discover trends among modern SOC teams, including misaligned budgets, increased automation, unsatisfactory AI tools, staffing issues, and more.
Read More