
Researchers tracked a phishing campaign that relies on open redirect vulnerabilities (the weakness class catalogued as CWE-601, URL redirection to an untrusted site) and on popular brand recognition to deceive Google Workspace and Microsoft 365 users and harvest their credentials.
The attacks abused open redirects on domains belonging to Snapchat and American Express, so the link a victim saw in the email pointed at a trusted site before bouncing to the phishing page. The Snapchat-based campaign produced more than 6,800 phishing emails over a two-and-a-half-month period. The American Express-based campaign was far more effective, reaching over 2,000 users in just two days.
Snapchat-based emails drove users to fraudulent DocuSign, FedEx, and Microsoft sites to harvest credentials. Snapchat's open redirect vulnerability was first reported through Open Bug Bounty more than a year ago, but it still appears to be unaddressed.
American Express appears to have remediated its vulnerability, which redirected users to a fake Microsoft 365 login page similar to the one used in the Snapchat-based attacks.
This specific phishing attack uses three primary techniques:
- Brand impersonation
- Credential harvesting
- Hijacked accounts
Brand impersonation relies on recognizable logos and trademarks (here, both the trusted domain in the link and the look-alike login page) to create a sense of trust with the potential victim, leading the user to enter credentials into the fraudulent site, where they are harvested.
Once harvested, attackers can sell the stolen credentials to other criminals for profit or use them to access the victim's accounts and obtain personal and financial information.
Open redirect vulnerabilities tend not to get the same level of care and attention as other vulnerability classes. Because the redirecting site itself is not compromised, the risk lands on the user rather than on the site owner, which is why such reports are often deprioritized even though the trusted domain is exactly what makes the phishing link convincing.
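To make the mechanism concrete, here is an added example (written for this article; not Inky's tooling and not code from Snapchat, American Express or any real site) that shows the three things a practitioner needs to see: the unsafe redirect handler pattern the phishers exploited, a hardened replacement that resolves the target against the site's own origin and allow-lists destination hosts, and a triage check that flags links whose query string carries a second, off-site URL, which is the shape of the emails described above. The host `example-brand.test`, the `/redirect?url=` endpoint, the allow-list and the sample links are all assumptions or constructed samples.

```python
"""Open redirect (CWE-601) walked through in code: the unsafe handler a
phisher needs, a hardened replacement, and a mail-link triage check.
Added example for this article; every host, path, parameter name and sample
link below is an assumption or a constructed sample, not real campaign data."""
from urllib.parse import parse_qs, urljoin, urlparse

SITE_HOST = "example-brand.test"                       # assumed site running /redirect
ALLOWED_HOSTS = {SITE_HOST, "help.example-brand.test"}  # assumed legitimate targets


def unsafe_redirect_target(url_param: str) -> str:
    """The vulnerable pattern: go wherever the 'url' parameter says. A mail link
    such as https://example-brand.test/redirect?url=https://evil.test/ shows the
    victim a trusted domain, then lands them on the credential-harvesting page."""
    return url_param


def safe_redirect_target(url_param: str, default: str = "/") -> str:
    """Hardened handler: resolve against our own origin, then accept only
    http(s) to an allow-listed host with no userinfo; anything else falls back."""
    if "\\" in url_param:            # browsers treat "/\evil.test" like "//evil.test"
        return default
    resolved = urljoin(f"https://{SITE_HOST}/", url_param)
    parsed = urlparse(resolved)
    if parsed.scheme not in ("http", "https"):        # blocks javascript:, data:, ...
        return default
    if parsed.username is not None or parsed.password is not None:
        return default                                # https://trusted@evil.test/
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:                     # //evil.test, https://evil.test
        return default
    return resolved


def _same_site(inner_host: str, outer_host: str) -> bool:
    """Crude same-site test: identical host or a subdomain of it (assumption;
    a production check would use the public suffix list instead)."""
    return inner_host == outer_host or inner_host.endswith("." + outer_host)


def redirect_abuse_indicators(link: str) -> list:
    """Return (parameter, target host) pairs where a query value is itself a URL
    pointing off-site: the shape of an open-redirect phishing link. Percent-
    encoded and scheme-relative (//host) targets are handled too."""
    outer = urlparse(link)
    outer_host = (outer.hostname or "").lower()
    hits = []
    for name, values in parse_qs(outer.query, keep_blank_values=True).items():
        for value in values:
            inner = urlparse(value.replace("\\", "/"))
            inner_host = (inner.hostname or "").lower()
            if inner_host and not _same_site(inner_host, outer_host):
                hits.append((name, inner_host))
    return hits


SAMPLE_LINKS = [  # constructed samples, not URLs from the real campaign
    "https://example-brand.test/redirect?url=https://m365-login.evil.test/auth",
    "https://example-brand.test/redirect?url=%2F%2Fevil.test%2Fsignin",
    "https://example-brand.test/redirect?url=https://help.example-brand.test/faq",
    "https://example-brand.test/docs?page=2",
]


def triage(links=SAMPLE_LINKS) -> dict:
    """Map each link to its indicators; an empty list means nothing suspicious."""
    return {link: redirect_abuse_indicators(link) for link in links}


if __name__ == "__main__":
    for link, hits in triage().items():
        print(("SUSPICIOUS " if hits else "ok         ") + link, hits)
    print(safe_redirect_target("//evil.test/x"))        # falls back to "/"
    print(safe_redirect_target("/account/settings"))    # stays on our own origin
```

The hardened handler deliberately rejects backslashes and userinfo before looking at the host, because those are the two classic ways an allow-list check on the host is bypassed while the browser still ends up off-site. The triage function is intentionally loose: it flags any off-site URL nested in a query string, and a mail gateway would then rank those hits by how well-known the outer domain is, since that trust is exactly what the campaign traded on.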
This research was conducted and documented by researchers from Inky Security.