{"id":219186,"date":"2025-08-01T04:19:44","date_gmt":"2025-08-01T09:19:44","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2025\/08\/experts-detect-multi-layer-redirect-tactic-used-to-steal-microsoft-365-login-credentials"},"modified":"2025-08-01T04:19:44","modified_gmt":"2025-08-01T09:19:44","slug":"experts-detect-multi-layer-redirect-tactic-used-to-steal-microsoft-365-login-credentials","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2025\/08\/experts-detect-multi-layer-redirect-tactic-used-to-steal-microsoft-365-login-credentials","title":{"rendered":"Experts Detect Multi-Layer Redirect Tactic Used to Steal Microsoft 365 Login Credentials"},"content":{"rendered":"<p style=\"padding-right: 20px\"><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/experts-detect-multi-layer-redirect-tactic-used-to-steal-microsoft-365-login-credentials2.jpg\"><\/a><\/p>\n<p>A third variation of these attacks impersonates Teams in emails, claiming that they have unread messages and that they can click on the \u201cReply in Teams\u201d button embedded in the messages to redirect them to credential harvesting pages.<\/p>\n<p>\u201cBy cloaking malicious destinations with legitimate urldefense[.]proofpoint[.]com and url[.]emailprotection URLs, these phishing campaigns\u2019 abuse of trusted link wrapping services significantly increases the likelihood of a successful attack,\u201d Cloudflare said.<\/p>\n<p>When contacted by The Hacker News for comment, Proofpoint said it\u2019s aware of threat actors abusing URL redirects and URL protection in ongoing phishing campaigns, and that it\u2019s a technique the company has observed from multiple security service providers who provide similar email protection or URL rewrite solutions, such as Cisco and Sophos.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A third variation of these attacks impersonates Teams in emails, claiming that they have unread messages and that they can click on the \u201cReply in Teams\u201d button embedded in the messages to redirect them to credential harvesting pages. \u201cBy cloaking malicious destinations with legitimate urldefense[.]proofpoint[.]com and url[.]emailprotection URLs, these phishing campaigns\u2019 abuse of trusted link [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[],"class_list":["post-219186","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/219186","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=219186"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/219186\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=219186"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=219186"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=219186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}