Quantum Route Redirect Phishing Platform Targets Microsoft 365 Users
A new phishing-as-a-service (PhaaS) platform called Quantum Route Redirect has emerged, enabling cybercriminals to launch sophisticated credential harvesting campaigns against Microsoft 365 users worldwide. The platform dramatically lowers the technical barrier for attackers by providing a pre-configured phishing kit and a network of around 1,000 domains, allowing even less skilled threat actors to conduct large-scale phishing operations with minimal effort. Attackers use a variety of email lures, including DocuSign impersonations, payroll notifications, payment alerts, and missed voicemail messages, to direct victims to credential harvesting pages managed by the Quantum Route Redirect system.
The phishing kit automates the entire attack chain, from rerouting traffic to malicious domains to filtering out automated security tools using built-in bot detection. URLs used in these campaigns follow a consistent pattern and are often hosted on parked or compromised legitimate domains, increasing the likelihood of bypassing security controls and deceiving targets. The majority of observed attacks have targeted users in the United States, but incidents have been recorded in over 90 countries. The platform's dashboard provides real-time statistics to operators, further streamlining the management and effectiveness of global phishing campaigns.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Technical details published on redirect-based evasion used by the tool
Public reporting disclosed that the phishing tool uses intelligent redirect logic to bypass email security controls and reduce exposure to scanners or non-target visitors. The reporting highlighted the tool's role in streamlining large-scale phishing operations.
Researchers identify Quantum Route Redirect phishing kit in active campaigns
Security researchers reported on a phishing-as-a-service tool called Quantum Route Redirect that uses smart redirection techniques to tailor phishing pages and evade detection. The activity was described as targeting Microsoft 365 users on a global scale.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Phishing Tool Uses Smart Redirects to Bypass Detection
darkreading.com
Open sourceQuantum Route Redirect: Anonymous Tool Streamlining Global Phishing Attack
blog.knowbe4.com
Open sourceQuantum Route Redirect PhaaS targets Microsoft 365 users worldwide
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multi-Stage Phishing Campaigns Targeting Microsoft 365 and Cloud Services
A sophisticated, multi-stage phishing campaign has been observed targeting organizations globally to steal Microsoft 365 credentials. The operation, monitored since early November 2025, employs advanced evasion techniques such as nested PDFs, use of legitimate content delivery networks, and mouse tracking to bypass secure email gateways and multi-factor authentication. The final credential harvesting site is engineered to block security tools and analysts, and leverages legitimate Microsoft infrastructure to circumvent MFA, granting attackers immediate access to compromised accounts. These attacks highlight the increasing complexity of phishing operations and their ability to evade traditional security controls. In parallel, threat actors are exploiting free cloud hosting platforms like Cloudflare Pages to host convincing phishing portals impersonating banking and healthcare providers. These sites not only harvest credentials but also collect additional security information, such as answers to secret questions, and exfiltrate data via Telegram bots to evade detection. Attackers use compromised legitimate domains as redirectors, increasing the likelihood of bypassing spam filters and making takedown efforts more challenging. The convergence of advanced phishing techniques and abuse of trusted cloud services underscores the need for enhanced detection and response strategies for organizations relying on Microsoft 365 and similar platforms.
Mar 21, 2026
Microsoft phishing campaign stole auth tokens from 35,000 users
Microsoft disclosed a large-scale phishing campaign that targeted more than **35,000 users** at over **13,000 organizations** across **26 countries**, with most victims in the United States and concentrations in healthcare, life sciences, financial services, professional services, and technology. The operation used code-of-conduct and compliance-themed emails delivered through legitimate email services, including abuse of platforms such as Amazon SES, to make messages appear trustworthy and help them pass common email authentication checks. Victims received PDF attachments containing links that led through fake CAPTCHA and document-review pages before landing on spoofed Microsoft sign-in portals. Microsoft said the attackers used an **adversary-in-the-middle** phishing flow to capture credentials and authentication tokens in real time, allowing them to bypass weak multifactor authentication and gain immediate account access. The company described the activity as one of the most sophisticated code-of-conduct-themed credential theft campaigns it has observed and said it reflects broader trends including CAPTCHA-gated phishing, QR-code phishing, and phishing-as-a-service ecosystems such as **Tycoon 2FA**, **Kratos**, and **EvilTokens**. Microsoft urged organizations to strengthen defenses with Defender for Office 365, SmartScreen-enabled browsers, phishing awareness training, stronger authentication, conditional access policies, and automated attack disruption in Defender XDR.
May 5, 2026Microsoft Warns of Surging QR-Code Phishing After Exchange Anti-Phishing Failure
Microsoft said attackers are increasingly using **QR-code phishing** to steal credentials, with the company analyzing **8.3 billion** email-based phishing threats in Q1 2026 and recording a **146% increase** in quishing activity. Researchers said more than **35,000 users** across roughly **13,000 organizations** were targeted through emails, PDFs, and fake CAPTCHA pages carrying malicious QR codes that redirected victims through multiple sites to counterfeit login portals. Microsoft also reported a **336% surge** in QR codes embedded directly in emails in March, alongside continued business email compromise lures and phishing kits such as **Tycoon2FA**, which it disrupted with Europol before operators began rebuilding infrastructure and shifting toward `.RU` domains. The warning follows a separate Microsoft 365 security incident in which faulty heuristic anti-phishing rules in Exchange Online and Teams wrongly flagged legitimate content as malicious. The incident, tracked as **`EX1227432`**, caused valid emails to be quarantined, links to be blocked, **Zero-hour Auto Purge (ZAP)** actions to trigger incorrectly, and false **Microsoft XDR** alerts to be sent after a logic error misclassified legitimate URLs as phishing links. Microsoft said the outage was prolonged by bugs in related signature and rollback systems, underscoring how both attacker evasion and defensive misfires can disrupt cloud email security and credential protection efforts.
May 25, 2026