Lead Analysts: Jeewan Singh Jalal, Prabhakaran Ravichandhiran and Anand Bodke
KnowBe4 Menace Labs has uncovered an rising superior phishing marketing campaign focusing on Microsoft 365 customers globally to steal their credentials. The attackers are wielding a strong new instrument that’s utterly altering the sport for cybercriminals—turning what was advanced, technical phishing setups into easy one-click launches that may bypass sure technical controls.
Welcome to the period of “Quantum Route Redirect.”
Our analysts first noticed assaults utilizing Quantum Route Redirect in early August in each KnowBe4 PhishER Plus and KnowBe4 Defend. A brand new phishing package on the market, Quantum Route Redirect comes with a pre-configured arrange and phishing domains that considerably simplifies a as soon as technically advanced marketing campaign circulate, additional “democratizing” phishing for much less expert cybercriminals.
Phishing Assault Abstract
Vector and sort: Electronic mail phishing
Strategies: Impersonation, quishing, automated bot filtering through Quantum Route Redirect system, credential harvesting web sites
Targets: Microsoft 365 customers
From a goal’s perspective, the campaigns begin with a phishing e mail. You possibly can see within the examples under that attackers are casting a large web through numerous themes and techniques designed to maximise sufferer engagement. These embody:
- Docusign and different service settlement impersonation
- Payroll impersonation
- Cost notification emails
- “Missed voicemail messages”
- QR code phishing (quishing)
Docusign impersonation e mail despatched in Quantum Route Redirect marketing campaign, displayed within the KnowBe4 PhishER dashboard.
Phishing e mail impersonating goal’s HR crew despatched in Quantum Route Redirect marketing campaign, displayed within the KnowBe4 PhishER dashboard.
Cost notification e mail despatched in Quantum Route Redirect marketing campaign, displayed within the KnowBe4 PhishER dashboard.
Every variant finally funnels recipients towards the identical objective: credential harvesting pages which are managed through Quantum Route Redirect.
Our researchers additionally noticed that the area URLs persistently observe the sample “/([wd-]+.){2}[w]{,3}/quantum.php/” and are usually hosted on parked or compromised domains. The selection to host on official domains will help to socially engineer the human targets of those assaults. Model impersonation is commonly a strong instrument in a hacker’s package, as persons are usually extra trusting of established firms.
Meet Quantum Route Redirect: The Phishing Platform That Modifications All the pieces
Quantum Route Redirect is a complicated automation platform that streamlines all the phishing marketing campaign course of, from site visitors rerouting to sufferer monitoring. Our safety researchers have recognized roughly 1,000 domains presently internet hosting this instrument.
Admin login web page for Quantum Route Redirect occasion.
Preliminary indicators point out that Quantum Route Redirect has longevity. Just like official providers, phishing package house owners must innovate to maintain clients engaged—and renewing. Our risk analysts are conscious of an upcoming improve for this package that can embody QR code technology capabilities to allow Quantum Route Redirect customers to considerably scale quishing assaults linked to the marketing campaign.
The instrument’s sophistication lies in its simplicity. The package comes with a preconfigured setup that removes the technical experience wanted to launch such a classy phishing marketing campaign—which in flip can improve the amount of superior phishing assaults focusing on organizations globally.
Cybercriminals must get via the technical defenses that organizations have in place to succeed in their supposed targets. For this marketing campaign, Microsoft Alternate On-line Safety (EOP) is the primary hurdle, because it’s current in all the goal organizations. Some organizations may additionally proceed to make use of a safe e mail gateway (SEG), creating one other layer to bypass. Lastly, organizations are more and more deploying built-in cloud e mail safety (ICES) merchandise—which is commonly probably the most troublesome layer to get via.
URL scanning is one detection mechanism that these applied sciences depend on. Some applied sciences analyze URLs on the level of supply solely, quarantining suspicious emails and routing seemingly protected ones to a consumer’s inbox. This led to post-delivery weaponization, with cybercriminals altering the top vacation spot as soon as the e-mail had handed this preliminary evaluation. Because of this, some merchandise (like KnowBe4 Defend) additionally carry out time-of-click evaluation, blocking a consumer from visiting a phishing web site if the URL is weaponized after supply.
Quantum Route Redirect goals to stage up phishing hyperlink payloads by routinely differentiating between and managing several types of “guests.” When scanning a hyperlink, safety instruments are redirected to official web sites and subsequently will be led to consider the unique e mail is innocent, permitting the recipient to work together with it. Folks—the real victims—in the meantime are despatched on to phishing webpages. Primarily, the instrument goals to automate the neutralization of sure e mail safety defenses. Our Menace Lab analysts have additionally noticed this redirect filtering deceive internet utility firewall merchandise, enabling assaults to bypass a number of completely different layers of safety.
The diagram under outlines the redirection system that makes use of clever routing to deal with several types of guests primarily based on whether or not their traits outline them as a bot or a human.
Quantum Route Redirect system circulate.
An assault despatched utilizing Quantum Route Redirect follows this circulate:
- Preliminary site visitors: The hyperlink is activated by a safety expertise (bot) scanning it or an individual clicking on it. This request is captured by Quantum Route Redirect and despatched for processing.
- Centralized determination making in Quantum Route Redirect: The core routing engine analyzes all incoming site visitors, utilizing behavioral evaluation to intelligently differentiate between bots and people. This engine acts as a site visitors classifier and router.
- Routing consequence A—bot site visitors: Bots are recognized and redirected to a protected URL, stopping them from reaching the precise phishing web site. This protects the phishing infrastructure from being found by safety scanners and will increase the possibilities that the e-mail will likely be interacted with by an individual (except it’s detected as malicious via one other mechanism).
- Routing consequence B—human site visitors: Guests which are recognized as human are directed to the precise phishing web site, the place cybercriminals try to steal their Microsoft 365 credentials
The Quantum Route Redirect system additionally gives admin entry for the cybercriminals working these campaigns, with two easy-to-use and smooth administration interfaces:
- Configuration panel: Used to handle redirect guidelines, settings and routing logic
- Customer stats: Monitoring dashboards used to view analytics, corresponding to site visitors information, to find out the success of the marketing campaign
Options That Make Cybercrime Easy
Quantum Route Redirect contains a number of key capabilities that remove technical limitations to working a classy phishing marketing campaign:
- Bot detection and evasion: Routinely distinguishes between human and automatic site visitors
- Clever site visitors routing: Handles customer sorting with out guide intervention
- Simplified analytics dashboard: Delivers complete sufferer information together with location, machine sort, and browser info in an intuitive format
- Actual-time monitoring: Shows marketing campaign efficiency and success metrics with out requiring technical experience
The platform automates browser fingerprinting and VPN/proxy detection, which allows it to find out when it’s a safety instrument checking a hyperlink versus when it’s an actual consumer. The redirection course of is well managed via the straightforward admin interface.
A dashboard additionally allows cybercriminals to maintain observe of the entire variety of impressions for potential victims (people) and safety instruments (bots) to measure their campaigns’ effectiveness (see under).
Quantum Route Redirect system dashboard.
International Affect by the Numbers
This marketing campaign has efficiently compromised victims throughout 90 international locations, demonstrating exceptional worldwide attain. The US has borne the brunt of the assaults thus far, accounting for 76% of affected customers, whereas the remaining 24% are distributed worldwide—making the scope of this risk actually world.
Distribution of Quantum Route Redirect Assault Targets
Map of Quantum Route Redirect Assault Targets
Constructing Defenses In opposition to the New Actuality
Sadly, we consider the expertise behind Quantum Route Redirect is right here to remain and can seemingly improve in use as cybercriminals look to evade URL scanning applied sciences.
Nonetheless, it’s not all doom and gloom—organizations can implement strong defenses in opposition to phishing campaigns despatched utilizing methods like Quantum Route Redirect.
Technical Controls
Cybersecurity groups are locked in a relentless cat-and-mouse battle with cybercriminals and consequently must companion with best-of-breed cybersecurity firms that present refined technical controls that adapt as assaults evolve.
When detecting assaults inside Quantum Route Redirect campaigns, a main distinction between built-in cloud e mail safety merchandise (like KnowBe4 Defend) and conventional e mail safety (corresponding to SEGs) is their use of pure language processing (NLP) and pure language understanding to investigate the content material of an e mail message. This functionality sits alongside components corresponding to URL (and different payload) evaluation, area evaluation, impersonation detection and polymorphic detection—and when all mechanisms are mixed collectively, this gives a far larger scope to precisely assess whether or not an e mail is a phishing assault or not.
Moreover, organizations want to make sure each their e mail safety and internet utility firewall merchandise are able to offering strong URL filtering to keep away from being deceived by these technical assaults.
Missed voicemail message phishing e mail despatched in Quantum Route Redirect marketing campaign, with KnowBe4 Defend anti-phishing banners utilized and displayed within the KnowBe4 PhishER dashboard.
Organizations also needs to put money into sandboxing applied sciences so that they—or their managed safety service supplier (MSSP)—can examine emails to grasp the varieties of assault focusing on their group, in addition to instruments that present steady monitoring for account compromise ought to an worker’s credentials get harvested.
Leverage Human Danger Administration (HRM) to Enhance Consumer Consciousness
Cybersecurity groups need to be lightning quick: as quickly as new threats emerge, they need to improve consciousness throughout the group. Human Danger Administration (HRM) helps them to just do that. A HRM platform combines deep behavioral analytics, product telemetry and risk intelligence to generate extremely correct threat scores for every particular person consumer. From right here, the platform can then automate technical controls and hyper-personalized coaching to intervene and coach customers after they want it most—on the level of threat.
Electronic mail risk intelligence will also be used to tell company-wide schooling. As varieties of assault—corresponding to quishing—peak, cybersecurity groups can guarantee their colleagues are receiving probably the most related consciousness coaching potential.
Actual phishing assaults—like these despatched in Quantum Route Redirect—will be flipped into phishing simulations, offering extremely correct coaching on (“de-fanged”) real-world threats, so customers are higher ready for precise assaults.
Lastly, all of this may be fed again into organizational insurance policies, which may then inform wider HRM and consciousness initiatives.
Coverage and Process Preparedness
Each group ought to have a fast response process for credential compromise. As soon as an alert is triggered in account compromise and Microsoft 365 exercise monitoring instruments, cybersecurity groups must put a ready-made plan into motion. This contains having the ability to isolate the compromised consumer and block any additional entry to methods and information, and carry out digital forensics to completely perceive the extent of the compromise.
Understanding the necessity to contain regulatory our bodies and regulation enforcement can also be essential to each assist sort out cybercrime extra broadly and guarantee compliance with any crucial rules.
Getting Forward of Quantum Route Redirect
Quantum Route Redirect represents a regarding evolution in cybercrime accessibility. By eradicating technical limitations, it is enabling a brand new technology of risk actors to launch refined campaigns with minimal experience.
Nonetheless, whereas assaults are scaling globally, it’s nonetheless potential for organizations to remain one step forward. For cybersecurity professionals, this is not simply useful—it is important for getting ready efficient defenses in opposition to a extra “democratized” phishing panorama forward.
Reviewing the group’s present tech stack and making any crucial changes now will assist cybersecurity groups to remain forward of assaults that leverage this expertise, in addition to regardless of the subsequent wave of rising assaults will even maintain.
