In a large-scale phishing campaign designed to steal credentials, criminals are using open redirects and captchas to deceive victims, Microsoft reports. The attack starts with a phishing email that masquerades as a Zoom invitation, Microsoft 365 notification, or a message that the password has expired. Users are then prompted to open a link in the message. The attackers use an open redirect, pointing to a legitimate service. However, the link used contains a parameter pointing to the phishing site. Once a user opens the link, the open redirect at the legitimate service sends the user to the phishing site. The use of open redirects in phishing attacks is not new, Microsoft says. However, a link pointing to a trusted domain can mislead end users. When users land on the phishing page, they must first solve a captcha. The attackers may have added this captcha to prevent scan attempts and analysis of the page, which could allow the phishing page to stay online longer. After solving the captcha, the user is asked for his password, with his email address already filled in. When the victim enters his password, an error message appears and the password must be entered again. This is probably done to make the victim enter the password twice so that the attackers know they have the correct password. To send the phishing emails, the attackers use free email services, compromised legitimate domains and self-registered domain names. More than 350 unique domains were observed during the campaign. “This shows not only the magnitude of this attack, but also how much the attackers are investing in it, suggesting a potentially significant return,” Microsoft said.