Microsoft 365 Users At Risk From New One-Click Credential-Stealing Phishing Kit

Attackers are using a new phishing kit to steal credentials from Microsoft 365 users globally, says KnowBe4.

Published on Nov 12, 2025
Written by Caitlin Harris
A New Phishing Kit Targeting M365 Can Harvest Credentials In Just One Click

Attackers have been observed using a new Phishing-as-a-Service (PaaS) kit to steal credentials from Microsoft 365 users.

According to researchers at KnowBe4 Threat Labs, the kit, known as “Quantum Route Redirect”, has been used in the wild since August this year. Although the attacks have been globally distributed, almost 80% have targeted US users.

The phishing kit is an “advanced automation platform” that comes with everything an attacker might need to carry out a phishing attack, including a pre-configured setup and the ability to reroute traffic to one of around 1,000 ready-made phishing domains. 

This convenient packaging makes Quantum Route Redirect accessible to even less technically savvy cybercriminals, the researchers say, by “turning what used to be complex, technical phishing setups into simple one-click launches that can bypass certain technical controls.”

The attack campaign involves the attacker sending their target an email that, on interaction, redirects the victim to a credential harvesting page managed by the phishing kit. To maximize victim engagement, the attackers have been using a wide range of subjects and themes across these emails, including Docusign and payroll/HR impersonation, and faux payment notifications. 

A phishing email impersonating Docusign as part of a Quantum Route Redirect campaign. Source: KnowBe4.

To further avoid suspicion, the kit is able to distinguish between bot and human visitors. This means that it can redirect potential victims to a phishing page, while sending email security tools (such as URL scanning technologies) to a benign site. 

“When scanning a hyperlink, security tools are redirected to legitimate websites and therefore can be led to believe the original email is harmless, allowing the recipient to interact with it,” KnowBe4 explains. 
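Because the kit shows scanners and people different destinations, one defensive check is to compare where a link landed for the URL scanner with where it landed for users who clicked it. The following is an added example, not code from KnowBe4 or from this article; the log schema, field names and `.example` hosts are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data in a hypothetical log schema (not from the KnowBe4 report).
SCANNER_EVENTS = [
    {"url": "https://link.example/r/abc", "final_url": "https://www.docs-vendor.example/home"},
    {"url": "https://link.example/r/xyz", "final_url": "https://intranet-news.example/post/1"},
]
CLICK_EVENTS = [
    {"user": "alice", "url": "https://link.example/r/abc", "final_url": "https://login-portal.example/signin"},
    {"user": "bob", "url": "https://link.example/r/xyz", "final_url": "https://WWW.intranet-news.example/post/1"},
    {"user": "carol", "url": "https://link.example/r/unscanned", "final_url": "https://other.example/"},
]


def host_of(url):
    """Lowercased hostname with a leading 'www.' removed, or '' if absent."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_destination_mismatches(scanner_events, click_events):
    """Return clicks whose landing host the scanner never saw for the same URL."""
    scanned = defaultdict(set)
    for ev in scanner_events:
        scanned[ev["url"]].add(host_of(ev["final_url"]))

    findings = []
    for ev in click_events:
        seen = scanned.get(ev["url"])
        if not seen:  # URL was never scanned: nothing to compare against
            continue
        landed = host_of(ev["final_url"])
        if landed and landed not in seen:
            findings.append({"user": ev["user"], "url": ev["url"],
                             "scanner_hosts": sorted(seen), "user_host": landed})
    return findings


if __name__ == "__main__":
    for f in find_destination_mismatches(SCANNER_EVENTS, CLICK_EVENTS):
        print(f"{f['user']}: {f['url']} scanner={f['scanner_hosts']} user={f['user_host']}")
```

A mismatch is a lead for triage rather than a verdict, since legitimate sites also redirect differently by region or login state.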

Whilst all of this is going on, the attacker can log in to a streamlined dashboard from which they can measure the effectiveness of their campaign in real-time. 

The Quantum Route Redirect administrative console. Source: KnowBe4.

The Bigger Picture

PaaS platforms such as Quantum Route Redirect lower the barrier of entry to cybercrime by making it incredibly easy for prospective cybercriminals to launch an attack. As such, we can expect the popularity and proliferation of these tools to increase the volume of phishing attacks targeting organizations globally, warns KnowBe4. 

Additionally, these kits may increase not only the volume of phishing attacks but also their creativity, as the developers who create them need to find new ways to keep their customers buying.

“Similar to legitimate services, phishing kit owners need to innovate to keep customers engaged—and renewing,” says KnowBe4. “Our threat analysts are aware of an upcoming upgrade for this kit that will include QR code generation capabilities to enable Quantum Route Redirect users to significantly scale quishing [QR code phishing] attacks linked to the campaign.”

The good news is that cybersecurity professionals know how phishing attacks work, which means organizations can take proactive steps to defend against them. These include implementing a web filter and a cloud-based email security solution that uses machine learning to identify and block risky messages, and training employees on how to identify and report phishing attacks.