Hackers Using YouTube Links and Microsoft 365 Themes to Steal Logins

Cybercriminals are executing sophisticated phishing attacks targeting Microsoft 365 users by employing deceptive URLs that closely resemble legitimate O365 domains, creating a high degree of trust with unsuspecting victims. 

The attackers leverage social engineering tactics, often claiming imminent password expiration, to induce panic and pressure users into clicking malicious links. 

Upon clicking, users are redirected to phishing pages designed to steal their O365 credentials, granting attackers unauthorized access to sensitive corporate data and potentially disrupting business operations.

This phishing attack utilizes a deceptive email subject line incorporating the client’s name and a seemingly legitimate security identifier. The email body falsely claims the recipient’s password has expired, creating a sense of urgency. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

It contains a malicious button labeled “Keep [USER EMAIL] Access Active,” designed to redirect the user to a fraudulent website where they are prompted to enter their login credentials, allowing the attacker to steal their sensitive information.

Attackers employ social engineering tactics to trick users into clicking malicious links and obfuscate URLs by incorporating seemingly legitimate prefixes like “youtube.com” followed by obfuscation characters or using the “@” symbol to redirect users to malevolent domains while maintaining a facade of legitimacy. 

According to Cyderes, users are compelled to click on the links as a result of this deception, which may put their security at risk.

The observed malicious activity exhibits several notable indicators. Firstly, embedded URLs heavily utilize “%20” for HTML space encoding, suggesting obfuscation techniques. 

Secondly, URLs incorporate the “@” symbol to segment the URL, effectively discarding the preceding portion and treating the subsequent part as the actual domain. 

Finally, the domains employed within these URLs leverage redirectors and standard phishing templates commonly associated with known threat actors such as Tycoon 2FA, Mamba 2FA, and EvilProxy kits. 

In a typical URL structure, everything before the “@” symbol is considered user credentials. Browsers are designed to recognize this and redirect users to the domain after the “@.” 

For example, a URL like “youtube.com%20%20%20%20@testing123.net” would redirect users to “testing123.net” even though it appears to be linked to YouTube.

The technique deceives users into trusting the link because it leverages a legitimate service (YouTube in this case) within the URL and users might click the link without double-checking the actual destination.

Phishing emails often contain IOCs, such as suspicious URLs and subject lines as a phishing URL with the domain globaltouchmassage.net and a subject line mentioning “ACTION Required – [Client] Server SecurityID:[random string]”. 

To mitigate phishing risks, educate users to inspect URLs for unusual characters and be wary of urgent emails about passwords or accounts. Deploy URL filtering and blocklists to catch suspicious domains, and use Sandbox tools to analyze suspicious links safely.

Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!