Page 108 - Cyber Defense eMagazine February 2024
But this alarming rise is only half the problem – the methods used to execute the attacks are growing
ever more complex, incorporating advanced techniques to bypass email security solutions and utilizing
increasingly clever social engineering tactics to deceive unsuspecting victims.
One such exploit was identified by Perception Point's team of analysts. They uncovered a phishing
campaign that took advantage of an open redirect vulnerability within one of Microsoft’s suite of services,
potentially compromising client data.
Point of Entry
Open redirect vulnerabilities arise when a web application or server is configured in a way that allows
attackers to redirect a user to an external, untrusted URL via a trusted domain.
In the case of the team’s latest discovery, attackers exploited such vulnerabilities within Azure Functions
– a Microsoft cloud computing platform for app developers – using parameters in URL queries that were
either unvalidated or improperly sanitized. This oversight enabled malicious actors to craft URLs that
appeared to belong to Microsoft but instead would redirect users to spoofed login sites via fraudulent QR
codes.
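To show what "unvalidated or improperly sanitized" redirect parameters look like in practice, here is an added illustration; it is not code from Perception Point, Microsoft or the campaign described, and the parameter name `return_url`, the allowlisted hostnames and the sample inputs are all constructed for the example. The first function echoes the query parameter straight into the redirect target, which is the open-redirect pattern; the second only accepts same-site relative paths or HTTPS URLs on an allowlisted host, and falls back to a fixed page for anything else, including protocol-relative (`//evil.example`), userinfo (`trusted@evil.example`) and lookalike-subdomain tricks.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts this application may legitimately send users to (constructed allowlist).
ALLOWED_HOSTS = {"app.example.com", "login.example.com"}
DEFAULT_TARGET = "https://app.example.com/"


def vulnerable_redirect_target(return_url: str) -> str:
    """Open-redirect pattern: whatever arrives in ?return_url= becomes the Location header.
    A link on the trusted domain can therefore land the user anywhere."""
    return return_url


def safe_redirect_target(return_url: str, default: str = DEFAULT_TARGET) -> str:
    """Return a redirect target only if it stays on this site; otherwise return `default`."""
    if not return_url:
        return default
    value = return_url.strip()
    parts = urlsplit(value)

    # No scheme and no authority: treat as a relative path, but reject forms
    # that browsers would read as a host ("//evil.example", "/\evil.example").
    if not parts.scheme and not parts.netloc:
        if value.startswith("/") and not value.startswith(("//", "/\\")) and "\\" not in value:
            return value
        return default

    # Absolute URLs must be HTTPS and must resolve to an allowlisted hostname.
    # hostname strips userinfo and port, so "app.example.com@evil.example"
    # yields "evil.example" and is rejected.
    if parts.scheme != "https":
        return default
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return default

    # Rebuild a clean URL: drop userinfo, port and fragment, keep path and query.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    # Constructed inputs mirroring the tricks an attacker would send through the parameter.
    for candidate in (
        "/account/settings",
        "https://app.example.com/dashboard",
        "https://evil.example/login",
        "//evil.example/login",
        "https://app.example.com@evil.example/",
        "https://app.example.com.evil.example/",
    ):
        print(f"{candidate!r:48} vulnerable -> {vulnerable_redirect_target(candidate)}")
        print(f"{'':48} hardened   -> {safe_redirect_target(candidate)}")
```

The hardened version deliberately prefers a fixed fallback over an error page: a redirect endpoint that keeps working for legitimate links, but never leaves the allowlisted hosts, is what removes the "trusted domain as a springboard" property that made the QR code chain convincing.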
Attack Breakdown
How did this attack work?
It began with a user receiving an urgently worded email from what appeared to be Microsoft Support.
Sent from a seemingly legitimate domain, the email easily passed Sender Policy Framework (SPF) checks
– the email authentication standard domain owners use to declare which mail servers may send on their
behalf, which makes it harder for threat actors to push through forged sender information undetected.
The email contained a PDF attachment with the subject line: “Please fix your credentials.” The PDF
prompted users to update their account password and email credentials by clicking on the embedded
link. This redirected users to a malicious QR code with Microsoft’s logo on it, which was hosted on a
legitimate server on the popular image hosting site, Flickr.
Reassured by the familiar logo, users were prompted to scan the code with their phone camera. Pairing
familiar, well-established logos with malevolent QR codes is a psychological tactic that encourages
people to use their less secure mobile devices, as opposed to more secure computers. In addition, when
using their phones, users are less inclined to scrutinize URLs and adhere to general security
recommendations.
Scanning the QR code led to a series of URLs, exploiting an open redirection vulnerability in Azure
Functions, creating a convincing chain of redirections that culminated in a spoofed Microsoft 365 login
page.
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.