Here’s an M365 Phishing Attack That’s More Difficult to Spot Using the Link Hover Method: Cybersecurity Trends

According to a report on ZDNet, Microsoft has warned customers that they’re being targeted by a widespread M365 phishing campaign aimed at nabbing usernames and passwords.  And spotting it by hovering over the link to reveal the bogus website may be more difficult.

As illustrated by the graphic above, the ongoing M365 phishing campaign is using multiple links; clicking on them results in a series of redirections that lead victims to a Google reCAPTCHA page that leads to a bogus login page where Office 365 credentials are stolen.

This particular attack relies on the email sales and marketing tool called ‘open redirects‘, which has been abused in the past to redirect a visitor to a trustworthy destination to a malicious site. Google doesn’t rate open redirects for Google URLs as a security vulnerability, but it does display a ‘redirect notice’ in the browser.


Microsoft warns this feature is being used by the phishing attackers.

“However, attackers could abuse open redirects to link to a URL in a trusted domain and embed the eventual final malicious URL as a parameter. Such abuse may prevent users and security solutions from quickly recognizing possible malicious intent,” the Microsoft 365 Defender Threat Intelligence Team warns.

This attack’s trick relies on the advice for users to hover over a link in an email to check the destination before clicking.

“Once recipients hover their cursor over the link or button in the email, they are shown the full URL. However, since the actors set up open redirect links using a legitimate service, users see a legitimate domain name that is likely associated with a company they know and trust. We believe that attackers abuse this open and reputable platform to attempt evading detection while redirecting potential victims to phishing sites,” Microsoft warns.


“Users trained to hover on links and inspect for malicious artifacts in emails may still see a domain they trust and thus click it,” it said.

Microsoft has found over 350 unique phishing domains used in this campaign, including free email domains, compromised domains, and domains automatically created by the attacker’s domain generation algorithm. The email subject headers were tailored to the tool the attacker was impersonating, such as a calendar alert for a Zoom meeting, an Office 365 spam notification, or a notice about the widely used but ill-advised password expiry policy.

The Google reCaptcha verification adds to the apparent legitimacy of the site since it is generally used by websites to confirm the user is not a bot. However, in this case, the user has been redirected to a page that looks like a class Microsoft login page and eventually leads to a legitimate page from Sophos, which does provide a service to detect this style of phishing attack.

“If the user enters their password, the page refreshes and displays an error message stating that the page timed out or the password was incorrect and that they must enter their password again. This is likely done to get the user to enter their password twice, allowing attackers to ensure they obtain the correct password.

As noted in Microsoft’s post about the M365 phishing campaign, the final domains used in the campaigns observed during this period mostly follow a specific domain-generation algorithm (DGA) pattern and use .xyz, .club, .shop, and .online top level domains. The URL shows a trusted domain followed by parameters, with the actor-controlled domain (c-hi[.]xyz in the example below) hidden in plain sight.

So, it’s there, but not easy to spot.  Given that 91% of all cyberattacks originate with email, it’s a good idea to tread carefully regarding any unexpected emails you receive that take you to a login page.  They may not be what they seem.

So, what do you think?  Did you know about this latest M365 phishing campaign?  You do now!  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Leave a Reply