{"id":3107,"date":"2021-08-30T14:10:49","date_gmt":"2021-08-30T12:10:49","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3107"},"modified":"2026-06-08T22:32:38","modified_gmt":"2026-06-08T22:32:38","slug":"phishing-campaign-open-redirect-abuse","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/phishing-campaign-open-redirect-abuse\/","title":{"rendered":"Phishing campaign abusing open-redirect links"},"content":{"rendered":"\n<p style=\"text-align: justify\">The use of <strong>open redirects<\/strong> in email communications is common across enterprises. For example, <strong>marketing campaigns<\/strong> leverage this functionality to direct customers to a desired landing page and track click-through rates and other metrics. Attackers may similarly abuse open redirects by linking to a URL on a trusted domain while embedding the actual malicious URL as a query parameter. Because the visible domain is trusted, neither users nor security tools that judge a link by its domain alone can readily recognize the malicious intent.<\/p>\n\n\n\n<p style=\"text-align: justify\">For instance, users who recognize and trust the visible domain may click the link without further scrutiny. 
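<\/p>\n\n\n\n<p style=\"text-align: justify\">How a mail gateway or a threat-intelligence pipeline can recover the destination hidden in such a link, as an added example that is not code from the original post or from the Microsoft report: it unwraps redirect parameters offline, handles protocol-relative and double-encoded values, and flags a link whose final host differs from the visible one or ends in one of the top-level domains this post reports for the campaign (.xyz, .club, .shop, .online). The parameter names, the trusted hostnames (links.trusted.example and similar) and the sample links are constructed for illustration; c-hi.xyz is the attacker-controlled domain this post names later (c-hi[.]xyz).<\/p>\n\n\n\n
```python
"""Resolve the destination hidden inside an open-redirect link.

Added example, not code from the original post or from Microsoft's report.
A check that only looks at the link's own host passes the trusted domain;
the real destination sits in the query string, so we unwrap it offline.
Parameter names, the trusted hostnames (links.trusted.example etc.) and the
sample links are constructed; c-hi.xyz is the attacker domain the post names
and the TLD list is the one the post reports for the campaign.
"""
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names commonly used by redirect endpoints (assumption: extend
# from your own mail telemetry).
REDIRECT_PARAMS = {
    "url", "u", "link", "target", "dest", "destination", "redirect",
    "redirect_url", "redirect_uri", "redir", "next", "goto", "return",
    "returnurl", "continue", "to",
}
# TLDs the post reports for the final (DGA-style) domains.
RISKY_TLDS = {"xyz", "club", "shop", "online"}
MAX_HOPS = 5  # chained redirectors nest a few levels; bound the unwrapping


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _embedded_target(url: str) -> Optional[str]:
    """Return the first plausible absolute URL carried in a redirect parameter."""
    parts = urlsplit(url)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() not in REDIRECT_PARAMS:
            continue
        # parse_qsl already decoded one layer; a second unquote catches
        # double-encoded values (%253A -> %3A -> :).
        candidate = unquote(value).strip()
        if candidate.startswith("//"):          # protocol-relative form
            candidate = parts.scheme + ":" + candidate
        if urlsplit(candidate).scheme in ("http", "https") and _host(candidate):
            return candidate
    return None


def resolve_redirect(url: str) -> list:
    """Follow redirect parameters without touching the network.

    Returns the chain [link as seen, hop 1, ..., final destination].
    """
    chain = [url]
    for _ in range(MAX_HOPS):
        nxt = _embedded_target(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def classify_link(url: str) -> dict:
    """Flag a link whose effective destination is not the host the user sees."""
    chain = resolve_redirect(url)
    shown, final = _host(chain[0]), _host(chain[-1])
    tld = final.rsplit(".", 1)[-1] if "." in final else ""
    reasons = []
    if len(chain) > 1 and final != shown:
        reasons.append("redirects from %s to %s" % (shown, final))
    if tld in RISKY_TLDS:
        reasons.append("final TLD .%s matches the campaign's TLD set" % tld)
    return {"url": url, "chain": chain, "final_host": final,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links, as they might be extracted from inbound mail.
    samples = [
        "https://links.trusted.example/track?id=42&url=https%3A%2F%2Fc-hi.xyz%2Flogin",
        "https://r.trusted.example/go?next=%2F%2Fc-hi.xyz%2Fsso",
        "https://r.trusted.example/go?u=https%253A%252F%252Fabc.club%252Fverify",
        "https://links.trusted.example/track?url=https%3A%2F%2Fbooking.partner.example%2Fstay",
        "https://www.trusted.example/news?page=2",
    ]
    for link in samples:
        verdict = classify_link(link)
        print("SUSPECT" if verdict["suspicious"] else "ok     ",
              verdict["final_host"], "; ".join(verdict["reasons"]))
```
\n\n\n\n<p style=\"text-align: justify\">A legitimate marketing redirect (the booking.partner.example sample) trips the first rule as well, which is the point: the final host, not the visible one, is what belongs in URL-reputation and blocklist lookups, and the TLD rule then supplies the campaign-specific signal.<\/p>\n\n\n\n<p style=\"text-align: justify\">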
Traditional email gateway solutions, too, may allow these campaign emails through if they recognize the primary URL but do not inspect the parameters that follow it, which in this case carry the malicious destination.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">THE ATTACK<\/h2>\n\n\n\n<p style=\"text-align: justify\"><strong>Phishing<\/strong> continues to grow and remains one of the most common techniques threat actors use to obtain user credentials.<\/p>\n<p style=\"text-align: justify\">As recently reported by <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/08\/26\/widespread-credential-phishing-campaign-abuses-open-redirector-links\/\">Microsoft<\/a>, campaigns have been identified in which the emails follow a general pattern: all content sits within a box with a large button leading to a credential-harvesting page. Subject lines varied depending on the tool being impersonated but typically contained the recipient&#8217;s domain and a timestamp, as in the following example:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/08\/image-13-1024x633.png\" alt=\"\" class=\"wp-image-3109\" loading=\"lazy\" \/><figcaption>Figure 1. Example of phishing email masquerading as Office 365 notification<\/figcaption><\/figure>\n\n\n\n<p style=\"text-align: justify\">When recipients hover over the link or button in the email, the full URL is displayed. However, because attackers build the open-redirect link on a legitimate service, the URL begins with a legitimate domain name, likely one of a company the recipient knows and trusts, and the malicious destination appears only in the query parameters.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/08\/image-14-1024x708.png\" alt=\"\" class=\"wp-image-3110\" loading=\"lazy\" \/><figcaption>Figure 2. 
Hover tooltip displaying an open-redirect link with a legitimate domain and the phishing link in the URL parameters<\/figcaption><\/figure>\n\n\n\n<p style=\"text-align: justify\">The final domains used in these campaign types follow a <strong><em>domain-generation algorithm<\/em><\/strong> (<strong>DGA<\/strong>) pattern and use the .<strong>xyz<\/strong>, .<strong>club<\/strong>, .<strong>shop<\/strong>, and .<strong>online<\/strong> top-level domains. The &#8220;Review Invite&#8221; button in Figure 2 points to a URL on a trusted domain followed by parameters, with the attacker-controlled domain (c-hi[.]xyz) highlighted.<\/p>\n<p style=\"text-align: justify\">These URLs are made possible by redirect endpoints that legitimate organizations expose on their own domains. Such endpoints let an organization send campaign emails whose links stay on its primary domain yet redirect to secondary domains. For example, a hotel might use open redirects to send email recipients to a third-party booking website while keeping its primary domain in the links embedded in campaign emails.<\/p>\n<p style=\"text-align: justify\">Attackers abuse this functionality by pointing the redirect at their own infrastructure while the legitimate domain remains the visible part of the complete URL. The root cause is an endpoint that forwards to any destination it is given rather than to an allowlist of partner hosts, and organizations whose open redirects are being abused are likely unaware that it is occurring. 
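<\/p>\n\n\n\n<p style=\"text-align: justify\">A redirect endpoint of the kind the hotel example describes, written both as the abusable open redirect and in a hardened form that only honours an allowlist of destination hosts. This is an added example, not code from the original post or from any vendor; the hostnames (www.hotel.example, booking.partner.example) and the allowlist are assumptions, and c-hi.xyz is the attacker-controlled domain named above.<\/p>\n\n\n\n
```python
"""An open redirect as a campaign-link endpoint implements it, beside a
hardened version that only honours an allowlist of destination hosts.

Added example, not code from the original post or from any vendor. It models
the hotel / third-party booking scenario with constructed hostnames
(www.hotel.example, booking.partner.example); c-hi.xyz is the attacker
domain the post highlights.
"""
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "www.hotel.example"                         # host serving the endpoint (assumed)
ALLOWED_HOSTS = {SITE_HOST, "booking.partner.example"}  # partner sites we send to (assumed)
FALLBACK = "https://www.hotel.example/"                 # where rejected targets land


def open_redirect(target: str) -> str:
    """The abusable behaviour: whatever arrives in ?url= becomes the Location
    header, so https://www.hotel.example/redirect?url=https://c-hi.xyz/login
    sends the recipient to the attacker while the visible domain stays ours."""
    return target


def safe_redirect(target: str) -> str:
    """Return target only if it resolves to an allowed host, else FALLBACK.

    Normalise before checking: browsers treat backslashes as slashes and
    accept protocol-relative (//host) URLs, so a naive prefix test is not
    enough. The host is matched exactly, which also defeats userinfo
    (https://www.hotel.example@c-hi.xyz) and subdomain-lookalike tricks.
    """
    candidate = target.strip().replace("\\", "/")
    if candidate.startswith("//"):
        candidate = "https:" + candidate
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: keep it, re-rooted on our own host.
        if candidate.startswith("/"):
            return urlunsplit(("https", SITE_HOST, parts.path, parts.query, ""))
        return FALLBACK                       # bare "host/path" is ambiguous; refuse
    if parts.scheme not in ("http", "https"):
        return FALLBACK                       # javascript:, data:, etc.
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return FALLBACK
    # Rebuild from parts so userinfo, port and fragment are not passed through.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    # Constructed probes an attacker might try against the endpoint.
    probes = [
        "https://booking.partner.example/stay?room=12",
        "/rooms?ref=mail",
        "https://c-hi.xyz/login",
        "//c-hi.xyz/login",
        "/\\c-hi.xyz/login",
        "https://www.hotel.example@c-hi.xyz/login",
        "https://www.hotel.example.c-hi.xyz/",
        "javascript:alert(1)",
    ]
    for p in probes:
        print("%-45s open: %-40s safe: %s" % (p, open_redirect(p), safe_redirect(p)))
```
\n\n\n\n<p style=\"text-align: justify\">The hardened version normalises before checking, because browsers accept backslashes and protocol-relative forms that a simple does-it-start-with-our-domain test misses, and it matches the host exactly rather than by prefix or suffix so that neither www.hotel.example.c-hi.xyz nor www.hotel.example@c-hi.xyz can pass. Ports and fragments are dropped on rebuild, which is acceptable for campaign links; keep the allowlist limited to the partner sites you actually send recipients to.<\/p>\n\n\n\n<p style=\"text-align: justify\">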
<a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> monitoring of such abuse patterns, in particular the final destinations behind trusted redirect domains, enables detection of these campaigns at scale and identification of attacker infrastructure before credentials are harvested across an organization.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Widespread phishing campaign weaponising open-redirect parameters on legitimate domains to bypass URL reputation filters and reach corporate inboxes.<\/p>\n","protected":false},"author":1,"featured_media":3133,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3163,1669,1671,1441,269,3164,3162],"class_list":["post-3107","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-email-threats","tag-microsoft-it","tag-open-redirect-it","tag-phishing-it","tag-phishing","tag-t1566-002","tag-url-filtering-bypass"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3107","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3107"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3107\/revisions"}],"predecessor-version":[{"id":9856,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3107\/revisions\/9856"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3107"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3107"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3107"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}