Quishing Campaign Exploits Microsoft Open Redirect Vulnerability

Diving into a new sophisticated campaign, exploiting Microsoft's Open Redirect vulnerability through quishing.
QR codes can be found almost everywhere, helping people access useful information and other webpages as fast as they can open their smartphone cameras.
No one can verify a QR code is safe just by looking at it.
In the span of just one month - from August to September - the number of quishing attacks skyrocketed by 427%. But this alarming rise is only half the problem - the approaches used to execute the attacks are growing wildly complex, incorporating advanced techniques to bypass email security solutions and utilizing increasingly clever social engineering tactics to deceive unsuspecting victims.
One such exploit was identified by Perception Point's team of analysts.
They uncovered a phishing campaign that took advantage of an open redirect vulnerability within one of Microsoft's suite of services, potentially compromising client data.
Open redirect vulnerabilities arise when a web application or server is configured in a way that allows attackers to redirect a user to an external, untrusted URL via a trusted domain.
In the case of the team's latest discovery, attackers exploited such vulnerabilities within Azure Functions - a Microsoft cloud computing platform for app developers - using parameters in URL queries that were either unvalidated or improperly sanitized.
This oversight enabled malicious actors to craft URLs that appeared to belong to Microsoft but instead would redirect users to spoofed login sites via fraudulent QR codes.
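The unvalidated-parameter flaw described above, next to a hardened form, as an added example (not code from the original article, Perception Point, or Microsoft). The `url` parameter name, the `contoso.example` hosts and both function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hosts this hypothetical app may redirect to (constructed for the example).
ALLOWED_HOSTS = {"app.contoso.example", "login.contoso.example"}
DEFAULT_TARGET = "/"


def naive_redirect_target(params: dict) -> str:
    """Vulnerable form: the query parameter is trusted as-is."""
    return params.get("url", DEFAULT_TARGET)


def safe_redirect_target(params: dict) -> str:
    """Hardened form: return the target only if it stays on an allowed host."""
    raw = params.get("url", "")
    # Reject whitespace, control characters and backslashes, which browsers
    # may normalise into a URL that differs from what is parsed below.
    if not raw or "\\" in raw or any(ord(c) < 0x21 for c in raw):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(raw)
    except ValueError:  # e.g. malformed IPv6 literal
        return DEFAULT_TARGET
    if not parts.scheme and not parts.netloc:
        # Relative target: accept only a single-slash local path.
        if raw.startswith("/") and not raw.startswith("//"):
            return raw
        return DEFAULT_TARGET
    # Absolute (or scheme-relative "//host") target: https only.
    if parts.scheme != "https":
        return DEFAULT_TARGET
    # "https://trusted-name@other-host/" puts the trusted name in userinfo.
    if parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET
    host = (parts.hostname or "").lower()
    return raw if host in ALLOWED_HOSTS else DEFAULT_TARGET


if __name__ == "__main__":
    # Constructed sample inputs; none are taken from the campaign.
    for sample in ("/dashboard?tab=1",
                   "https://login.contoso.example/start",
                   "https://login.example.net/signin",
                   "//login.example.net/signin",
                   "https://app.contoso.example@login.example.net/"):
        q = {"url": sample}
        print(f"{sample!r:55} naive={naive_redirect_target(q)!r} "
              f"safe={safe_redirect_target(q)!r}")
```

The hardened function compares the parsed hostname against an exact allowlist rather than checking for a substring or prefix, which is why the userinfo and lookalike-suffix cases fall back to the default.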
It began with a user receiving an urgently worded email from what appeared to be Microsoft Support.
Using a seemingly legitimate domain, the email easily passed Sender Policy Framework (SPF) checks - the email authentication standard domain owners use to verify email servers, which makes it hard for threat actors to push through fake sender information undetected.
This redirected users to a malicious QR code with Microsoft's logo on it, which was hosted on a legitimate server on the popular image hosting site, Flickr.
Pairing familiar, well-established logos with malevolent QR codes is a psychological tactic that encourages people to use their less secure mobile devices, as opposed to more secure computers.
Scanning the QR code led to a series of URLs, exploiting an open redirection vulnerability in Azure Functions, creating a convincing chain of redirections that culminated in a spoofed Microsoft 365 login page.
After entering their email address on the spoofed login page, users were redirected again, this time to the legitimate login.live.com - Microsoft's real login page.
The threat actor then set a session cookie on the user's device during the redirection process, giving the attacker visibility into victims' credentials and, in turn, easy access to their accounts.
Microsoft quickly mitigated the issue after the incident response team shared their findings with Microsoft's security team.
This sophisticated quishing campaign exploiting Microsoft's open redirect vulnerabilities is a testament to the ever-evolving, increasingly sophisticated nature of phishing attacks.
Organizations must stay vigilant - regularly updating security protocols and educating teams to better recognize the nascent ways cybercriminals exploit and circumvent the latest cybersecurity frameworks.


This Cyber News was published on www.cyberdefensemagazine.com. Publication date: Thu, 09 May 2024 14:43:06 +0000

