Threat Actors Bypass Gateways with Google Ad Redirects
By Dylan Main and Harsh Patel, Cofense Phishing Defense Center
Figure 1: Headers
The originating IP in the headers of this email proved its source was coming from a legitimate account with the ‘from’ address “[email protected][.]co[.]za” It appeared as though this email address was compromised and then used to send the phish to multiple employees. The word “security” in the from address could potentially lull the user into trusting the email’s origin.
Figure 2: Email Preview
At first glance, the user will see “This message was sent with High Importance.” Again, the from address contains the word security and the subject talks about a “Recent Policy Change,” creating urgency to click and handle the matter immediately.
Figure 3 shows the URL embedded in both buttons, “Accept” and “Learn More”:
Figure 3: URL redirect of the buttons
As seen in the above figure, the threat actor has utilized a Google Ad Services redirect to pilot users to their phish. This suggests that the threat actor(s) may have paid to have the URL go through an authorized source. In turn, this easily bypasses secure email gateways and exposes employees to the phish.
Upon clicking on either button, users are redirected to a duplicate of the real Microsoft page at the URL:
Figure 4: First Page of the phishing attack
After accepting the updated policy, the user is then redirected to a Microsoft login page, which impersonates the Office 365 login page. An employee who enters their credentials and clicks “Next” will have sent the Threat Actor(s) their Microsoft credentials and compromised their account.
Figure 5: Second Page (The actual phishing)
Following the login page, users find further reason to believe the update is legitimate, one more box saying, “We’ve updated our terms.” Upon clicking the “Finish” button, they’ll be all set.
Figure 6: Third Page (Post entering credentials)
Last step: users are redirected to the legitimate Microsoft page, their Service Agreement, to complete the scam. Nothing malicious here!
Figure 7: Final Page (Official Microsoft site)
LEARN MORE about the Cofense Phishing Defense Center. See how the PDC’s managed phishing response and remediation stops the phishing attacks that elude email gateways.
Indicators of Compromise: