Open Redirect Chains Still Enable Credential Theft at Scale
Defenders can limit impact by tightening redirect governance and expanding URL detonation context in triage.
By PhishPond Desk
Trend Snapshot
Despite years of awareness, open redirects remain embedded in phishing delivery chains. Campaign operators leverage trusted brand domains as initial click points, then hand off users to credential collection pages through multiple redirect hops.
Why Defenders Care
Blue teams that inspect complete URL chains observed more consistent detection outcomes than those evaluating only first-hop domains. Redirect-aware telemetry also improved retrospective hunt quality.
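The full-chain inspection described above, as an added example that is not part of the original brief or PhishPond's tooling: a hop-by-hop resolver that records every redirect, notes whether the chain leaves the first-hop domain, and flags forwarder-style parameters (a query value that is itself a URL). The transport is injected so the sample below runs offline against a constructed chain with placeholder hostnames; in production you would pass a function that issues requests with automatic redirect following disabled.

```python
"""Resolve an HTTP redirect chain hop by hop and summarise it for triage.

Added example for this brief, not PhishPond's code. The transport is
injected so the constructed sample runs offline; a real deployment would
pass a function that performs the request with redirects disabled
(for instance requests.get(url, allow_redirects=False)) and returns
(status_code, Location header or None).
"""
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import parse_qs, urljoin, urlsplit

# A transport maps a URL to (status_code, location_header_or_None).
Transport = Callable[[str], tuple[int, Optional[str]]]


@dataclass
class ChainResult:
    hops: list[str] = field(default_factory=list)
    final_status: Optional[int] = None
    truncated: bool = False                # hop limit reached or loop detected
    crossed_domains: bool = False          # some hop changed hostname
    open_redirect_params: list[str] = field(default_factory=list)


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _url_valued_params(url: str) -> list[str]:
    """Query parameters whose value is itself an absolute URL.

    This is the usual shape of an open-redirect forwarder
    (?next=https://..., ?url=//...), so it is worth surfacing in triage.
    """
    found = []
    for key, values in parse_qs(urlsplit(url).query).items():
        if any(v.lower().startswith(("http://", "https://", "//")) for v in values):
            found.append(key)
    return found


def resolve_chain(start: str, fetch: Transport, max_hops: int = 10) -> ChainResult:
    """Follow redirects from `start`, stopping at a non-redirect, a loop, or max_hops."""
    result = ChainResult(hops=[start])
    seen = {start}
    current = start
    for _ in range(max_hops):
        result.open_redirect_params.extend(
            f"{_host(current)}?{p}" for p in _url_valued_params(current))
        status, location = fetch(current)
        if status not in (301, 302, 303, 307, 308) or not location:
            result.final_status = status
            return result
        nxt = urljoin(current, location)      # Location may be relative
        if _host(nxt) != _host(current):
            result.crossed_domains = True
        if nxt in seen:                        # redirect loop
            result.truncated = True
            return result
        seen.add(nxt)
        result.hops.append(nxt)
        current = nxt
    result.truncated = True
    return result


# Constructed sample chain (hostnames are placeholders, not real indicators):
# trusted brand site -> its open-redirect endpoint -> shortener -> landing page.
SAMPLE_CHAIN = {
    "https://brand.example/login?next=https://short.example/x1": (302, "https://short.example/x1"),
    "https://short.example/x1": (301, "https://cdn-login.example/auth"),
    "https://cdn-login.example/auth": (200, None),
}


def sample_transport(url: str) -> tuple[int, Optional[str]]:
    return SAMPLE_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    r = resolve_chain("https://brand.example/login?next=https://short.example/x1", sample_transport)
    for i, hop in enumerate(r.hops):
        print(f"hop {i}: {hop}")
    print("final status:", r.final_status, "| crossed domains:", r.crossed_domains,
          "| forwarder-style params:", r.open_redirect_params)
```

The first hop alone (`brand.example`) would pass a reputation check; the summary makes the domain change and the `?next=` forwarder visible in one record, which is the context the brief says improves both detection and retrospective hunting.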
Adversary Playbook
Application security teams play a direct role in phishing resilience by reducing exploitable redirect endpoints. Shared ownership between AppSec and SOC functions lowered campaign success in organizations that treated redirect abuse as a defensive priority.
Defender Takeaway
Audit and remediate open redirects as part of phishing defense, and enrich triage with full redirect-chain context.
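The remediation side of the takeaway, as an added example (not from the brief or any specific product): the common open-redirect pattern beside a hardened validator that accepts only same-site paths or exact-match allowlisted hosts. The bypass shapes it handles (protocol-relative `//host`, percent-encoded slashes, backslashes, userinfo tricks, non-HTTP schemes) are the ones an AppSec audit should test for; the hostnames are placeholders.

```python
"""Open-redirect remediation: the vulnerable pattern beside a hardened validator.

Added example, not taken from any product or from the brief. The
vulnerable function mirrors the usual bug: a ?next= value is echoed into
the Location header unchecked. The hardened version accepts only local
paths or explicitly allowlisted hosts and falls back to a safe default.
"""
from urllib.parse import unquote, urlsplit


def vulnerable_redirect_target(next_param: str) -> str:
    # Classic open redirect: whatever arrived in ?next= becomes the Location
    # header, so the trusted domain turns into the first hop of a chain.
    return next_param


def safe_redirect_target(next_param: str,
                         allowed_hosts: frozenset[str] = frozenset(),
                         default: str = "/") -> str:
    """Return next_param only if it stays on this site or an allowlisted host."""
    if not next_param:
        return default
    # Decode once so an encoded "//" or scheme cannot slip past the checks,
    # then reject control characters and backslashes (browsers normalise
    # "/\\host" to "//host").
    candidate = unquote(next_param)
    if any(ord(c) < 0x20 for c in candidate) or "\\" in candidate:
        return default
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: require exactly one leading "/" so it is a
        # site-local path, not a protocol-relative URL or a bare filename.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if (parts.scheme in ("http", "https")
            and parts.username is None and parts.password is None
            and (parts.hostname or "").lower() in allowed_hosts):
        # Absolute URL to an allowlisted host, with no userinfo so that
        # "https://good.example@evil.example/" cannot masquerade as good.
        return candidate
    return default


if __name__ == "__main__":
    # Constructed inputs an audit would try against a ?next= parameter.
    probes = [
        "/account/settings",
        "//evil.example/",
        "%2F%2Fevil.example",
        "/\\evil.example",
        "https://evil.example/",
        "https://sso.example@evil.example/",
        "https://sso.example/cb",
        "javascript:alert(1)",
    ]
    allow = frozenset({"sso.example"})
    for p in probes:
        print(f"{p!r:40} vulnerable -> {vulnerable_redirect_target(p)!r:40} "
              f"hardened -> {safe_redirect_target(p, allow)!r}")
```

Allowlisting by exact hostname rather than prefix or substring is the point of the hardened branch: `sso.example.evil.example` and `sso.example@evil.example` both fail it, whereas a `startswith("https://sso.example")` check passes them.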
Scammers abusing a real Microsoft account-alert sender are part of a wider pattern: attackers are turning legitimate SaaS notification workflows into authenticated phishing infrastructure.
Arctic Wolf's June 2 follow-up describes the Kali365 operator expanding well beyond Microsoft 365: Okta SSO, Xerox DocuShare, AWS-style endpoints, and a Russian-language cluster including MAX Messenger account takeover via real SMS OTPs. Proofpoint's research places the kit inside a broader cluster of AI-generated device-code lookalikes.
Socket attributes a coordinated supply-chain campaign called TrapDoor to roughly thirty-four packages across npm, PyPI, and Crates.io, with ecosystem-specific execution paths and a new twist: planted .cursorrules and CLAUDE.md files designed to influence the developer's AI coding assistant.