Threat Actors Bypass Gateways with Google Ad Redirects



Phish Found in Environments Protected by SEGs: Microsoft 365 EOP

By Dylan Main and Harsh Patel, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that attempts to steal Office 365 login credentials by luring employees to accept a new Terms of Use and Privacy Policy. This new campaign has been seen across multiple organizations and uses advanced techniques to garner employee login credentials, including a Google Ad Services redirect to fool email gateways.

Figure 1: Headers

The originating IP in the headers of this email proved its source was a legitimate account with the ‘from’ address “[email protected][.]co[.]za”. It appeared as though this email address was compromised and then used to send the phish to multiple employees. The word “security” in the from address could lull the user into trusting the email’s origin.

Figure 2: Email Preview

At first glance, the user will see “This message was sent with High Importance.” Again, the from address contains the word security and the subject talks about a “Recent Policy Change,” creating urgency to click and handle the matter immediately.

The email body talks about accepting the newly updated “Terms of Use & Privacy Policy.” Also, it notes how this new policy will affect personal data and discontinue all active services on the user’s account. Curious users will likely want to “Learn More.”
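The header review above (originating IP from the Received chain, a “security” from address, the High Importance flag and a policy-change subject) can be turned into a small triage script. The code below is an added example, not part of the Cofense post; the message it parses is constructed, and its IPs, domains and message IDs are placeholders. It reads the oldest Received header as the originating hop, which is only trustworthy for hops stamped by your own or a known-good mail server, since anything below the first external hop can be forged by the sender.

```python
# Added triage helper (not from the Cofense post): pull the indicators the
# analysis relies on out of a raw message, starting from the originating IP.
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message; domains, IPs and queue ids are placeholders.
SAMPLE_EML = """Received: from mail.example.net (mail.example.net [203.0.113.10])
\tby mx.victim.example (Postfix) with ESMTPS id ABC123
\tfor <user@victim.example>; Wed, 29 Jul 2020 09:12:44 +0000
Received: from [198.51.100.25] (unknown [198.51.100.25])
\tby mail.example.net (Postfix) with ESMTPSA id XYZ789
\tfor <user@victim.example>; Wed, 29 Jul 2020 09:12:40 +0000
From: "Security Team" <security@example.net>
To: user@victim.example
Subject: Recent Policy Change
Importance: High
X-Priority: 1
Content-Type: text/plain; charset="utf-8"

Please accept the updated Terms of Use & Privacy Policy.
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(msg):
    """Received headers oldest-first, with header folding collapsed.

    MTAs prepend their Received line, so the last one in the message is the
    earliest hop we know about."""
    hops = msg.get_all("Received") or []
    return [" ".join(h.split()) for h in reversed(hops)]


def originating_ip(msg):
    """IP literal in the oldest Received header, or None if there is none."""
    chain = received_chain(msg)
    if not chain:
        return None
    match = IPV4_IN_BRACKETS.search(chain[0])
    return match.group(1) if match else None


def triage(raw_message):
    """Return the lure indicators the post describes as a dict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    importance = str(msg.get("Importance", "")).strip().lower()
    x_priority = str(msg.get("X-Priority", "")).strip()
    high_priority = importance == "high" or x_priority.startswith("1")

    indicators = []
    local_part = addr.rpartition("@")[0].lower()
    if "security" in local_part or "security" in display.lower():
        indicators.append("from address uses a 'security' lure")
    if high_priority:
        indicators.append("message flagged as high importance")
    if re.search(r"\b(policy|terms)\b", subject, re.IGNORECASE):
        indicators.append("policy-change subject line")

    return {
        "originating_ip": originating_ip(msg),
        "from_address": addr,
        "from_domain": addr.rpartition("@")[2].lower(),
        "subject": subject,
        "high_priority": high_priority,
        "indicators": indicators,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The originating IP and from domain are what you would pivot on next (reputation lookups, other recipients of mail from the same account), while the indicator list is a reviewer hint, not a verdict: a genuine security team also sends high-importance policy notices.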

Figure 3 shows the URL embedded in both buttons, “Accept” and “Learn More”:

Figure 3: URL redirect of the buttons

As seen in the above figure, the threat actor has utilized a Google Ad Services redirect to steer users to their phish. This suggests that the threat actor(s) may have paid to have the URL go through an authorized source. Because the link the gateway inspects points at a reputable domain, it easily bypasses secure email gateways and exposes employees to the phish.
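The gateway bypass works because the visible link points at a reputable redirector while the real destination rides along in a query parameter. The script below is an added example, not code from the Cofense post: it unwraps such redirect chains offline, without fetching anything, so the final landing host can be compared against an allowlist before the gateway passes a message. The sample URL is constructed, the phishing host is a placeholder under the reserved .invalid TLD, and the parameter names (including adurl) are assumptions about where redirectors commonly carry the target.

```python
# Added example (not from the Cofense post): statically unwrap a redirect
# chain so the host a user actually lands on, not the redirector, is scored.
from urllib.parse import parse_qs, urlparse

# Assumed redirector hosts and the query parameters they commonly use to
# carry the destination; extend these from your own gateway telemetry.
REDIRECT_HOSTS = {
    "www.googleadservices.com",
    "www.google.com",
    "googleads.g.doubleclick.net",
}
REDIRECT_PARAMS = ("adurl", "url", "redirect", "u", "q", "dest")

# Hosts a user is expected to land on for a legitimate policy notice.
TRUSTED_HOSTS = {"www.microsoft.com", "login.microsoftonline.com"}

# Constructed sample: a trusted ad-click URL wrapping a placeholder phish host.
SAMPLE_URL = (
    "https://www.googleadservices.com/pagead/aclk"
    "?sa=L&ai=CONSTRUCTED&adurl=https%3A%2F%2Fexample-phish.invalid%2Flogin"
)


def next_hop(url):
    """Return the URL a known redirector would send the browser to, or None."""
    parts = urlparse(url)
    if parts.hostname not in REDIRECT_HOSTS:
        return None
    query = parse_qs(parts.query)  # values are percent-decoded once here
    for name in REDIRECT_PARAMS:
        for candidate in query.get(name, []):
            if urlparse(candidate).scheme in ("http", "https"):
                return candidate
    return None


def unwrap(url, max_hops=5):
    """Follow redirect parameters statically; bounded so loops cannot spin."""
    hops = [url]
    while len(hops) <= max_hops:
        nxt = next_hop(hops[-1])
        if nxt is None:
            break
        hops.append(nxt)
    return hops


def analyse(url):
    """Score a link by its final destination rather than its first hop."""
    hops = unwrap(url)
    first_host = urlparse(hops[0]).hostname
    final_host = urlparse(hops[-1]).hostname
    return {
        "hops": hops,
        "first_host": first_host,
        "final_host": final_host,
        "redirected": len(hops) > 1,
        # The gateway trusted first_host; the user lands on final_host.
        "suspicious": final_host not in TRUSTED_HOSTS,
    }


if __name__ == "__main__":
    verdict = analyse(SAMPLE_URL)
    print(" -> ".join(verdict["hops"]))
    print("suspicious:", verdict["suspicious"])
```

A static unwrap only covers redirectors that encode the target in the URL itself; a server-side redirect with an opaque identifier still needs a sandboxed fetch, so treat this as a cheap first pass that catches the pattern in this campaign.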

Upon clicking on either button, users are redirected to a duplicate of the real Microsoft page at the URL:


On this page users are presented with a pop-up of the privacy policy the email mentions. In this window there are two notable logos as well, a Microsoft logo and the user’s company’s logo, in a bid to make this page appear that much more legitimate. Scrolling through the text box you can see the Privacy Statement was taken from Microsoft’s website.


Figure 4: First Page of the phishing attack

After accepting the updated policy, the user is then redirected to a fake Microsoft login page, which impersonates the Office 365 login page. An employee who enters their credentials and clicks “Next” will have sent the threat actor(s) their Microsoft credentials and compromised their account.

Figure 5: Second Page (The actual phishing)

Following the login page, users find further reason to believe the update is legitimate, one more box saying, “We’ve updated our terms.” Upon clicking the “Finish” button, they’ll be all set.

Figure 6: Third Page (Post entering credentials)

Last step: users are redirected to the legitimate Microsoft page, their Service Agreement, to complete the scam. Nothing malicious here!


Figure 7: Final Page (Official Microsoft site)



All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.


