By Brandon Cook and Brooke McLain, Cofense Phishing Defense Center
In the fast-paced world of social media, new threats are emerging every day, and not all of them come from where you’d expect. The Cofense Phishing Defense Center (PDC) intelligence team recently observed a phishing campaign that cleverly uses TikTok URLs to redirect users to malicious sites. The phishing emails attempt to harvest Microsoft Office 365 credentials by sending a deceptive notice that falsely claims that all the user’s messages will be deleted. The surprising element here is the use of TikTok to redirect victims into a credential-stealing trap.
This tactic isn't entirely new; we have previously seen phishing attempts leverage popular social media platforms such as YouTube and Facebook to spread malicious links. However, the use of TikTok in this case stands out. Usually, these types of URLs appear in the bios of TikTok profiles that link to external websites, and the TikTok URL redirects to whatever site the profile holder chooses. By using TikTok URLs, attackers bypass some user suspicion and capitalize on the trust many have in the platform. This method of exploiting a legitimate site to redirect to a malicious one highlights the evolving nature of phishing campaigns and the need for continuous vigilance online.
Figure 1: Email Body
In this case, the threat actor disguises the email as an Office 365 alert from the user’s company IT department, urging the user to follow a URL to cancel a request to delete emails from their inbox—a common tactic used to incite fear if action is not taken. The threat actor also attempts to make the email appear as if it is coming from the user’s IT department, but the sender’s email address is from an unrelated domain. The color of the button that the user is prompted to follow stands out from the rest of the email, but otherwise the button is suspiciously plain. The button also carries the link that uses TikTok as the initial domain in the redirect chain.
Figure 2: Phishing Page
Once the user clicks the link containing the TikTok URL, they go through various redirects before landing on the final phishing page, which somewhat resembles a legitimate Microsoft login page with the company’s logo. It even goes far enough to autofill the user’s email address. Because of these tricks, the user is more likely to believe they have been sent to a genuine login site. This is a typical strategy used by threat actors because Microsoft is one of the most common email providers. The URL in Figure 2 is certainly not related to Microsoft or the user’s company. The phishing page also includes a section telling users to follow a link or call a phone number for assistance if they have trouble signing in. While the phone number does lead back to the company, the URL redirects back to the phishing page—a tactic used by scammers to make their phishing page seem more realistic and build trust with users.
This campaign highlights the increasing sophistication of threat actors who exploit social media platforms to deceive recipients. By exploiting TikTok's popularity to potentially bypass suspicion and by impersonating a company’s IT department with false urgent messages, attackers exploit both user trust and fear of data loss. Being cautious of where emails originate from and staying alert for unfamiliar or unrelated URLs is key to safeguarding against evolving threats like this. Contact the Cofense PDC team to learn more.
| Indicators of Compromise | IP |
| --- | --- |
| hXXps://www.tiktok[.]com/link/v2?aid=1988&lang=en&scene=bio_url&target=google.com[.]////amp/s/reidopurificador[.]com[.]br//////xone/zbxrz | 184.25.127.68 |
| hXXp://reidopurificador[.]com[.]br//////xone/zbxrz/ | 191.252.144.224 |
| hXXps://dffkkffjkd.faisalassociates[.]com[.]pk | 147.182.205.62 |
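As an added example (not Cofense's tooling or code from this post), the following Python statically unwraps the redirect shapes visible in the first indicator above, the TikTok bio-link redirector (`/link/v2` with a `target` parameter) and the Google AMP-viewer style `/amp/s/<host>/` hop, and flags email links whose chain ends somewhere other than the host the recipient sees. The helper names and the sample email body are constructed for illustration; no network request is made.

```python
import re
from urllib.parse import parse_qs, urlparse

# Redirector shapes are taken from the indicator list in this post; the helper
# names below (refang, unwrap_redirect_chain, flag_email_links) are hypothetical.
TIKTOK_HOSTS = {"tiktok.com", "www.tiktok.com"}

# Constructed sample email body modelled on the lure described above (not a real message).
SAMPLE_EMAIL = (
    "Your mailbox is scheduled for deletion. Cancel the request here: "
    "https://www.tiktok.com/link/v2?aid=1988&scene=bio_url&target=example.org/o365/cancel "
    "Need help? https://www.example.org/helpdesk"
)

def refang(url: str) -> str:
    """Turn defanged IoC notation (hXXp, [.]) back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.IGNORECASE)

def _parse(url: str):
    """Parse a possibly scheme-less URL; strip a trailing host dot, collapse '//' runs."""
    p = urlparse(url if "://" in url else "http://" + url)
    return (p.hostname or "").rstrip("."), re.sub(r"/+", "/", p.path) or "/", p.query

def unwrap_redirect_chain(url: str, max_hops: int = 5) -> list:
    """Statically resolve known redirector URLs (no request is made); return hosts in order."""
    hops, current = [], refang(url)
    for _ in range(max_hops):
        host, path, query = _parse(current)
        if not host:
            break
        hops.append(host)
        if host in TIKTOK_HOSTS and path.startswith("/link/v2"):
            # TikTok bio-link redirector: the real destination is the 'target' parameter
            current = parse_qs(query).get("target", [""])[0]
        elif (host == "google.com" or host.endswith(".google.com")) and path.startswith("/amp/s/"):
            # AMP-viewer style path /amp/s/<host>/<path> references a third-party page
            current = path[len("/amp/s/"):]
        else:
            break  # not a recognised redirector: this is where the click lands
    return hops

def flag_email_links(body: str) -> list:
    """Return (url, hops) for each link whose chain ends on a host other than the visible one."""
    findings = []
    for url in re.findall(r"(?:https?|hxxps?)://\S+", body, flags=re.IGNORECASE):
        hops = unwrap_redirect_chain(url.rstrip(".,;)"))
        if len(hops) > 1 and hops[-1] != hops[0]:
            findings.append((url, hops))
    return findings
```

Running `unwrap_redirect_chain` on the first indicator yields the hop sequence tiktok.com, google.com, reidopurificador.com.br, which matches the second row of the table; `flag_email_links(SAMPLE_EMAIL)` reports only the TikTok-wrapped link, not the plain help-desk URL.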
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.