
Cyber crooks exploit HTTP headers in massive phishing campaigns


Threat actors are using a relatively uncommon method involving the refresh entry in the HTTP response header in large-scale phishing campaigns. From May to July, nearly 2,000 malicious URLs using this method were observed daily, targeting the United States, South Korea, and Japan.

As Microsoft Outlook is used worldwide, threat actors have designed their phishing lure to look exactly like the Outlook login page.

Researchers discovered that threat actors used different domains. For instance, onelink[.]com peaked on May 10, 2024, and the attack continued for about one month. This malicious domain targeted more than 3,000 victims across 500 organisations.

Similarly, the go[.]link campaign had over 5,000 URLs that targeted victims in April. And in June, researchers observed yet another malicious domain guide-orientation[.]tn occurring in July.

“To trick their targets and steal their credentials, malicious links in these attacks consistently include an organisation’s email address and display an email login page pre-filled with victims’ information,” researchers explained.

Phishing lure masquerading as a Microsoft Outlook sign-in page. | Source: Palo Alto Networks

Unlike traditional phishing attacks that rely on malicious HTML content, these campaigns exploit the HTTP response header to automatically refresh or reload a webpage without user interaction.

The attack begins before the HTML content is processed, allowing the browser to redirect to malicious pages with minimal interference.

Typically, the URLs used in these attacks are delivered via email, where attackers spoof webmail login pages that are pre-filled with the recipient’s information. Many of these campaigns specifically target users in the global financial sector, government institutions, and major internet portals.

The use of legitimate or compromised domains makes these attacks particularly dangerous, because the phishing URLs are nearly indistinguishable from genuine links.

The emails used in these phishing campaigns are highly personalised, often embedding the target’s email address in the HTTP header refresh field. This level of customisation increases the credibility of the phishing attempts.
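The pattern described above can be checked for on the defender's side, for example in a proxy log pipeline or URL sandbox. The following is an added example, not code from the researchers: it parses a `Refresh` response header and flags a redirect to a different host whose target carries an email address. The function names, the "suspicious" heuristic and all sample hosts and addresses are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Refresh value grammar handled here: "<seconds>[; or ,][url=]<target>", quotes optional.
REFRESH_RE = re.compile(
    r"""^\s*(\d+)(?:\.\d*)?\s*(?:[;,]\s*(?:url\s*=\s*)?["']?([^"']*?)["']?\s*)?$""", re.I)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def parse_refresh(value):
    """Return (delay_seconds, target or None), or None if the value is malformed."""
    m = REFRESH_RE.match(value)
    return (int(m.group(1)), m.group(2) or None) if m else None

def assess_response(request_url, headers):
    """Describe a header-driven redirect; None when there is no redirecting Refresh."""
    value = next((v for k, v in headers.items() if k.lower() == "refresh"), None)
    parsed = parse_refresh(value) if value is not None else None
    if not parsed or parsed[1] is None:
        return None  # no header, malformed, or a plain reload of the same page
    delay, target = parsed
    dst = urlsplit(target)
    # Look for an address only after the host, percent-decoded, so URL userinfo
    # ("user:pw@host") is not mistaken for a recipient address.
    tail = unquote(f"{dst.path}?{dst.query}#{dst.fragment}")
    emails = EMAIL_RE.findall(tail)
    cross_host = bool(dst.hostname) and dst.hostname != urlsplit(request_url).hostname
    return {"delay": delay, "target": target, "cross_host": cross_host,
            "emails": emails,
            # Heuristic chosen for this example: off-host redirect carrying an address.
            "suspicious": cross_host and bool(emails)}

# Constructed sample responses (hosts and address are placeholders).
SAMPLES = [
    ("https://short.example.com/r/abc",
     {"Refresh": "0;url=https://login.example.net/owa/#alice%40corp.example"}),
    ("https://status.example.org/", {"Refresh": "30"}),
    ("https://app.example.org/job", {"refresh": "5; URL='/job/done'"}),
]

if __name__ == "__main__":
    for url, hdrs in SAMPLES:
        print(url, "->", assess_response(url, hdrs))
```

Because the redirect lives in the header, this check has to run on response headers rather than on the HTML body, where a `<meta http-equiv="refresh">` scanner would look.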

The campaigns target the business and economy sectors followed by financial services. | Source: Palo Alto Networks.

Recipients are presented with spoofed login pages tailored to their specific email domains, making them more likely to fall victim to credential theft. Researchers discovered that many phishing emails came from seemingly legitimate senders, such as “DocuSign” or other trusted sources, with subject lines like “Complete with DocuSign: ACH/EFT FORM.”

Cybersecurity experts found it difficult to spot malicious indicators in these attacks, as the threat actors often use legitimate domains to host the phishing pages. In many cases, URL shortening services or marketing campaign tools are exploited to further obfuscate the phishing URLs.

Deep-linking techniques are also used to pre-fill forms, adding another layer of deception.

Researchers have urged organisations and individuals to utilise advanced solutions such as Advanced URL Filtering, which can detect phishing URLs and extract patterns to identify additional threats. Educating employees could also help counter this threat.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
