Diving into a new, sophisticated campaign that exploits Microsoft's open redirect vulnerability through quishing.
QR codes can be found almost everywhere, helping people access useful information and other webpages as fast as they can open their smartphone cameras.
No one can verify a QR code is safe just by looking at it.
In the span of just one month - from August to September - the number of quishing attacks skyrocketed by 427%. But this alarming rise is only half the problem - the approaches used to execute the attacks are growing wildly complex, incorporating advanced techniques to bypass email security solutions and utilizing increasingly clever social engineering tactics to deceive unsuspecting victims.
One such exploit was identified by Perception Point's team of analysts.
They uncovered a phishing campaign that took advantage of an open redirect vulnerability within one of Microsoft's suite of services, potentially compromising client data.
Open redirect vulnerabilities arise when a web application or server is configured in a way that allows attackers to redirect a user to an external, untrusted URL via a trusted domain.
In the case of the team's latest discovery, attackers exploited such vulnerabilities within Azure Functions - a Microsoft cloud computing platform for app developers - using parameters in URL queries that were either unvalidated or improperly sanitized.
This oversight enabled malicious actors to craft URLs that appeared to belong to Microsoft but instead would redirect users to spoofed login sites via fraudulent QR codes.
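As an added illustration (not code from the article, from Perception Point, or from Microsoft), a defender-side check for the pattern just described: a validator that accepts a redirect target only if it is a same-site relative path or an HTTPS URL whose host is explicitly trusted, plus a scanner that flags redirect-style query parameters pointing off-domain. All hostnames, parameter names and sample URLs are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Query-parameter names that commonly carry a redirect target (assumed list, not from the article).
REDIRECT_PARAMS = ("redirect", "redirect_uri", "return", "returnUrl", "next", "url")

# Constructed placeholder for the hosts a redirect is allowed to land on.
TRUSTED_HOSTS = {"login.trusted.example"}

# Constructed sample: a trusted-looking endpoint whose redirect parameter uses the
# 'trusted-host@real-host' userinfo trick to land on a look-alike login page.
SAMPLE_URL = ("https://example-func.example.net/api/go"
              "?redirect=https://login.trusted.example@phish.example/m365")


def is_safe_redirect(target: str, trusted_hosts: set[str]) -> bool:
    """Return True only for a relative path or an https URL whose host is explicitly trusted.

    Rejects the usual open-redirect bypasses: scheme-relative '//host', backslash
    variants, userinfo '@' confusion, non-https schemes and look-alike subdomains.
    """
    # Browsers treat backslashes like forward slashes, so normalise before parsing.
    normalised = target.replace("\\", "/")
    parsed = urlparse(normalised)
    if not parsed.scheme and not parsed.netloc:
        # Relative path: safe only if it stays on this site (no scheme-relative '//').
        return normalised.startswith("/") and not normalised.startswith("//")
    if parsed.scheme.lower() != "https":
        return False
    # .hostname strips userinfo and port, so 'https://trusted@evil' yields 'evil'.
    host = (parsed.hostname or "").lower()
    # Exact match only: 'login.trusted.example.phish.example' must not pass.
    return host in trusted_hosts


def find_off_domain_redirects(url: str, trusted_hosts: set[str]) -> list[str]:
    """Return 'param=value' strings for any redirect parameter that would leave trusted hosts."""
    query = parse_qs(urlparse(url).query)
    findings = []
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            if not is_safe_redirect(value, trusted_hosts):
                findings.append(f"{name}={value}")
    return findings


if __name__ == "__main__":
    for finding in find_off_domain_redirects(SAMPLE_URL, TRUSTED_HOSTS):
        print("off-domain redirect:", finding)
```

The same check can be applied server-side before issuing a redirect, or by a mail/QR-scanning gateway to the URL decoded from an inbound image.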
It began with a user receiving an urgently worded email from what appeared to be Microsoft Support.
Sent from a seemingly legitimate domain, the email easily passed Sender Policy Framework (SPF) checks - the email authentication standard that lets domain owners declare which mail servers may send on their behalf, which makes it hard for threat actors to push through forged sender information undetected.
The email directed users to a malicious QR code bearing Microsoft's logo, which was hosted on a legitimate server at the popular image hosting site Flickr.
Pairing familiar, well-established logos with malevolent QR codes is a psychological tactic that encourages people to use their less secure mobile devices, as opposed to more secure computers.
Scanning the QR code led through a series of URLs that exploited an open redirection vulnerability in Azure Functions, creating a convincing chain of redirections that culminated in a spoofed Microsoft 365 login page.
After entering their email address on the spoofed login page, users were redirected again, this time to the legitimate login page at Live.com - Microsoft's real login page.
During the redirection process the threat actor set a session cookie on the user's device, giving them visibility into the victim's credentials and, in turn, easy access to the victim's accounts.
Microsoft mitigated the issue soon after the incident response team shared their findings with Microsoft's security team.
This sophisticated quishing campaign exploiting Microsoft's open redirect vulnerabilities is a testament to the ever-evolving, increasingly sophisticated nature of phishing attacks.
Organizations must stay vigilant - regularly updating security protocols and educating teams to better recognize the nascent ways cybercriminals exploit and circumvent the latest cybersecurity frameworks.
This Cyber News was published on www.cyberdefensemagazine.com. Publication date: Thu, 09 May 2024 14:43:06 +0000