Cybersecurity researchers at Cyderes, led by Ethan Fite, have uncovered a phishing trend exploiting YouTube URLs combined with Microsoft 365 password expiry lures to deceive users into divulging sensitive credentials. This clever tactic leverages legitimate-looking URLs to bypass scrutiny and bolster credibility.
Phishing emails identified in this campaign use urgent-sounding subject lines to prompt user action, such as “ACTION Required – [Client] Server SecurityID:[random string].” The emails warn recipients that their Microsoft 365 (O365) passwords are about to expire, urging them to act immediately by clicking a button labeled “Keep [USER EMAIL] Access Active.”
One of the standout tactics in this campaign is the use of fake YouTube links to obscure malicious intentions. The attackers embed URLs starting with youtube.com, followed by obfuscation characters like %20 (the URL percent-encoding of a space), which mask the actual destination domain.
Another tactic involves the use of the @ symbol within URLs to manipulate how browsers interpret the link. For example:
- URL: youtube.com%20%20%20%20@maliciousdomain.net
- Destination Domain: maliciousdomain.net
Ethan Fite explains, “When a URL includes an @ symbol, browsers interpret everything before it as user credentials and redirect to the domain after the @.”
This method capitalizes on the inherent trust users place in familiar domains like YouTube while cleverly redirecting them to phishing sites.
Researchers highlighted common traits of these phishing links:
- Excessive use of %20 to obfuscate the destination.
- The inclusion of an @ symbol to divert unsuspecting users to malicious domains.
- Usage of redirectors and phishing templates from Tycoon 2FA, Mamba 2FA, and EvilProxy kits.
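The first two traits can be checked mechanically by a mail filter or during triage. The following Python sketch is an added example, not code from the Cyderes report: it splits a link the way a browser does, reports the host that is actually contacted, and flags a userinfo part that looks like a domain or carries encoded-space padding. The function name `inspect_link` and the sample links other than the one quoted above are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# A userinfo part that looks like a hostname (e.g. "youtube.com") is a decoy.
DOMAIN_LIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
HAS_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def inspect_link(url):
    """Return findings for a link with a userinfo part, else None."""
    if not HAS_SCHEME.match(url):
        url = "https://" + url  # links in email bodies often omit the scheme
    parts = urlsplit(url)
    # Only an "@" in the authority matters; "@" in a path or query is harmless.
    userinfo, at, _hostport = parts.netloc.rpartition("@")
    if not at:
        return None
    decoded = unquote(userinfo)              # "%20" becomes a literal space
    decoy = decoded.split(":", 1)[0].strip()  # drop any ":password" and padding
    padding = sum(ch.isspace() for ch in decoded)
    looks_like_domain = bool(DOMAIN_LIKE.match(decoy))
    return {
        "real_host": parts.hostname,  # where the browser actually connects
        "decoy": decoy,               # what the reader sees first
        "padding_spaces": padding,
        "decoy_looks_like_domain": looks_like_domain,
        "suspicious": looks_like_domain or padding > 0,
    }


if __name__ == "__main__":
    samples = [
        "youtube.com%20%20%20%20@maliciousdomain.net",  # pattern from the article
        "https://example.com/@someone/post",            # constructed: "@" in path
        "https://www.youtube.com/watch?v=example",      # constructed: plain link
    ]
    for link in samples:
        print(link, "->", inspect_link(link))
```
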
This campaign is particularly dangerous because it abuses well-known services like YouTube to lend credibility to phishing emails. According to the report, “Users are more likely to trust the link without inspecting it closely.” The combination of a trusted brand and urgency makes this tactic highly effective at evading suspicion.