Email Security

Hackers Using YouTube Links and Microsoft 365 Themes to Steal Logins

Cybercriminals are executing sophisticated phishing attacks targeting Microsoft 365 users by employing deceptive URLs that closely resemble legitimate O365 domains, creating a high degree of trust with unsuspecting victims. 

The attackers leverage social engineering tactics, often claiming imminent password expiration, to induce panic and pressure users into clicking malicious links. 

Upon clicking, users are redirected to phishing pages designed to steal their O365 credentials, granting attackers unauthorized access to sensitive corporate data and potentially disrupting business operations.

This phishing attack utilizes a deceptive email subject line incorporating the client’s name and a seemingly legitimate security identifier. The email body falsely claims the recipient’s password has expired, creating a sense of urgency. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

It contains a malicious button labeled “Keep [USER EMAIL] Access Active,” designed to redirect the user to a fraudulent website where they are prompted to enter their login credentials, allowing the attacker to steal their sensitive information.

Phishing Lure

Attackers employ social engineering tactics to trick users into clicking malicious links and obfuscate URLs by incorporating seemingly legitimate prefixes like “youtube.com” followed by obfuscation characters or using the “@” symbol to redirect users to malevolent domains while maintaining a facade of legitimacy. 

According to Cyderes, users are compelled to click on the links as a result of this deception, which may put their security at risk.

series of obfuscation characters like %20

The observed malicious activity exhibits several notable indicators. Firstly, embedded URLs heavily utilize “%20” for HTML space encoding, suggesting obfuscation techniques. 

Secondly, URLs incorporate the “@” symbol to segment the URL, effectively discarding the preceding portion and treating the subsequent part as the actual domain. 

Finally, the domains employed within these URLs leverage redirectors and standard phishing templates commonly associated with known threat actors such as Tycoon 2FA, Mamba 2FA, and EvilProxy kits. 

In a typical URL structure, everything before the “@” symbol is considered user credentials. Browsers are designed to recognize this and redirect users to the domain after the “@.” 

For example, a URL like “youtube.com%20%20%20%20@testing123.net” would redirect users to “testing123.net” even though it appears to be linked to YouTube.

The technique deceives users into trusting the link because it leverages a legitimate service (YouTube in this case) within the URL and users might click the link without double-checking the actual destination.

Phishing emails often contain IOCs, such as suspicious URLs and subject lines as a phishing URL with the domain globaltouchmassage.net and a subject line mentioning “ACTION Required – [Client] Server SecurityID:[random string]”. 

To mitigate phishing risks, educate users to inspect URLs for unusual characters and be wary of urgent emails about passwords or accounts. Deploy URL filtering and blocklists to catch suspicious domains, and use Sandbox tools to analyze suspicious links safely.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Ivanti Fully Patched Connect Secure RCE Vulnerability That Actively Exploited in the Wild

Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…

1 day ago

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…

1 day ago

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…

1 day ago

PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack

A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM) and…

1 day ago

Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials

A surge in phishing text messages claiming unpaid tolls has been linked to a massive…

1 day ago

State Bar of Texas Confirms Data Breach, Begins Notifying Affected Consumers

The State Bar of Texas has confirmed a data breach following the detection of unauthorized…

1 day ago