Quantum Route Redirect Phishing Platform Targets Microsoft 365 Users
A new phishing-as-a-service (PhaaS) platform called Quantum Route Redirect has emerged, enabling cybercriminals to launch sophisticated credential harvesting campaigns against Microsoft 365 users worldwide. The platform dramatically lowers the technical barrier for attackers by providing a pre-configured phishing kit and a network of around 1,000 domains, allowing even less skilled threat actors to conduct large-scale phishing operations with minimal effort. Attackers use a variety of email lures, including DocuSign impersonations, payroll notifications, payment alerts, and missed voicemail messages, to direct victims to credential harvesting pages managed by the Quantum Route Redirect system.
The phishing kit automates the entire attack chain, from rerouting traffic through the operator's domains to the harvesting page to filtering out automated security tools with built-in bot detection, so that scanners and sandboxes are served benign content while real users reach the lure. URLs used in these campaigns follow a consistent pattern and are often hosted on parked or compromised legitimate domains, which raises the chance of passing reputation-based controls and of deceiving targets. The majority of observed attacks have targeted users in the United States, but incidents have been recorded in over 90 countries. The platform's dashboard gives operators real-time statistics on clicks and captured credentials, which lets even inexperienced actors run and tune global campaigns.
Related Stories
Multi-Stage Phishing Campaigns Targeting Microsoft 365 and Cloud Services
A sophisticated, multi-stage phishing campaign has been observed targeting organizations globally to steal Microsoft 365 credentials. The operation, monitored since early November 2025, employs evasion techniques such as nested PDFs, delivery through legitimate content delivery networks, and mouse tracking (to distinguish a human visitor from a sandbox) in order to get past secure email gateways. The final credential harvesting site is engineered to block security tools and analysts, and it relays the victim's login through legitimate Microsoft infrastructure so that the MFA challenge is completed by the victim and the resulting session is captured by the attacker, granting immediate access to the compromised account. These attacks highlight the increasing complexity of phishing operations and their ability to evade traditional security controls. In parallel, threat actors are exploiting free cloud hosting platforms like Cloudflare Pages to host convincing phishing portals impersonating banking and healthcare providers. These sites not only harvest credentials but also collect additional security information, such as answers to secret questions, and exfiltrate data via Telegram bots to evade detection. Attackers use compromised legitimate domains as redirectors, increasing the likelihood of bypassing spam filters and making takedown efforts more challenging. The convergence of advanced phishing techniques and abuse of trusted cloud services underscores the need for enhanced detection and response strategies for organizations relying on Microsoft 365 and similar platforms.
3 months ago
Multi-Stage Phishing Campaigns Bypassing MFA to Steal Microsoft 365 Credentials
A wave of sophisticated phishing campaigns is targeting organizations globally to steal Microsoft 365 credentials by bypassing traditional email security gateways and multi-factor authentication (MFA) protections. Attackers are employing advanced techniques such as multi-stage payload delivery using nested PDF attachments, legitimate content delivery networks, and mouse tracking to evade detection. Once victims interact with these emails and enter their credentials on a credential harvesting site, attackers leverage legitimate Microsoft infrastructure to bypass MFA and gain immediate access to the victim's Microsoft 365 environment. These campaigns are engineered to filter out security analysts and block standard security tools, making detection and response more challenging. In parallel, threat actors are increasingly using attacker-in-the-middle (AitM) toolkits like Evilginx and hybrid phishing-as-a-service kits such as Salty2FA and Tycoon2FA to capture both user credentials and session cookies. Because the victim completes the MFA challenge through the proxy, the captured session cookie already represents an MFA-satisfied session; replaying it lets the attacker impersonate the user and maintain access without triggering any further MFA prompt. The blending of different phishing kits into hybrid strains is making detection harder, as signatures tuned to individual kits are now being evaded. Security researchers warn that static indicators are no longer sufficient, and behavioral analysis is required to spot these evolving threats.
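One concrete form of the behavioral analysis the two stories above call for is looking for the footprint an AitM proxy leaves in sign-in telemetry: the victim completes MFA, and shortly afterwards the same session identifier appears from a different IP, network and browser with no new MFA challenge. The following is an added example written for this page, not code from any of the vendors or kits mentioned; the log records are constructed, and the field names (`sid`, `asn`, `mfa`, `ua`) are an assumed schema rather than any product's real sign-in log format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records as JSON lines. Field names are an
# assumption for this example, not a specific product's log schema.
# S-1001: user passes MFA from an ISP address, then 37 seconds later the
#         same session is used from a hosting provider with a different UA
#         and no MFA prompt (the AitM replay pattern).
# S-1002: a normal session reused from the same place and browser.
SAMPLE_LOG = """\
{"ts":"2025-11-03T09:12:04Z","user":"a.lee@example.com","sid":"S-1001","ip":"203.0.113.10","asn":"AS64500 ExampleISP","mfa":"satisfied","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/130"}
{"ts":"2025-11-03T09:12:41Z","user":"a.lee@example.com","sid":"S-1001","ip":"198.51.100.77","asn":"AS64501 CloudHost","mfa":"not_required","ua":"Mozilla/5.0 (X11; Linux x86_64) Chrome/118"}
{"ts":"2025-11-03T10:01:00Z","user":"b.ng@example.com","sid":"S-1002","ip":"203.0.113.55","asn":"AS64500 ExampleISP","mfa":"satisfied","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/130"}
{"ts":"2025-11-03T10:30:12Z","user":"b.ng@example.com","sid":"S-1002","ip":"203.0.113.55","asn":"AS64500 ExampleISP","mfa":"not_required","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/130"}
"""


def parse_log(text):
    """Parse JSON-lines sign-in records, converting the timestamp to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # "Z" suffix is not accepted by fromisoformat on older Pythons.
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def detect_session_replay(events, window=timedelta(minutes=60)):
    """Flag a session id reused from a different network context (IP, ASN
    or user agent) within `window` of the MFA-satisfied sign-in that created
    it. An AitM proxy produces exactly this: the victim completes MFA through
    the proxy, then the attacker replays the captured cookie from their own
    infrastructure, and the identity provider raises no further MFA prompt.
    Returns a list of alert dicts, one per suspicious later event."""
    by_sid = defaultdict(list)
    for e in events:
        by_sid[e["sid"]].append(e)

    alerts = []
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e["ts"])
        anchor = next((e for e in evs if e["mfa"] == "satisfied"), None)
        if anchor is None:
            continue  # no MFA-backed session to compare against
        for e in evs:
            if e is anchor or e["ts"] < anchor["ts"]:
                continue
            changed = [f for f in ("ip", "asn", "ua") if e[f] != anchor[f]]
            delta = e["ts"] - anchor["ts"]
            if changed and delta <= window:
                alerts.append({
                    "user": e["user"],
                    "sid": sid,
                    "from_ip": anchor["ip"],
                    "to_ip": e["ip"],
                    "seconds_after_mfa": int(delta.total_seconds()),
                    "changed": changed,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed records this produces a single alert for `S-1001`, 37 seconds after the MFA-satisfied sign-in, with `ip`, `asn` and `ua` all changed; the `S-1002` session is quiet. In production the IP-only case generates noise from users moving between Wi-Fi and mobile, so weight an ASN change that lands in hosting or VPN space, combined with a user-agent change, more heavily than a bare address change, and treat a hit as grounds to revoke the session rather than just to alert.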
3 months ago
Kimsuky APT Quishing Attacks Targeting Microsoft 365 and Google Workspace
The FBI, CISA, and NSA have issued warnings about a surge in spear-phishing campaigns conducted by the North Korean state-sponsored threat group Kimsuky (APT43), which leverage malicious QR codes, a technique known as quishing, to target high-value individuals in government, academia, think tanks, and foreign policy organizations. These attacks embed QR codes in phishing emails; when scanned, the codes redirect victims to credential harvesting sites or initiate malware downloads, bypassing traditional email security controls and moving the interaction onto a personal mobile device that usually sits outside the organization's email and web protections. Kimsuky's campaigns are characterized by highly personalized lures, extensive reconnaissance, and a focus on intelligence gathering, with observed targeting of Microsoft 365 and Google Workspace accounts. Quishing is effective because the destination URL exists only as pixels in an image, so standard URL inspection and sandboxing of links never see it, and the user cannot read the destination before scanning. Once a victim scans the QR code, attackers can collect device and identity attributes, present mobile-optimized phishing pages impersonating legitimate portals (such as Microsoft 365 or Okta), and steal credentials or session tokens, in some cases bypassing multi-factor authentication. The campaigns have been observed globally and represent a significant evolution in Kimsuky's social engineering and credential theft operations, prompting urgent mitigation guidance from U.S. federal agencies and security researchers.
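The reason URL inspection misses a quishing lure is easy to show with two synthetic messages: one carries its link in the text body, the other only inside an attached image with a "scan the code" prompt. The example below is added for this page and is not code from the advisory or from any gateway product; both emails are constructed here, the image bytes are a placeholder PNG signature standing in for a real QR code (the point is that the text-only URL stage never looks at image bytes at all), and the call-to-action regex is an assumed heuristic.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Call-to-action wording typical of quishing lures (pattern is an assumption).
SCAN_PROMPT_RE = re.compile(r"\bscan\b.{0,40}\b(qr|code)\b", re.I | re.S)

# Constructed stand-in for an attached QR image: PNG signature plus padding.
# A real lure would carry a decodable QR; the URL stage below never inspects
# image bytes, which is exactly the gap being demonstrated.
FAKE_QR_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64


def build_message(subject, body, image=None):
    """Construct a synthetic test email (not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = "it-helpdesk@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if image is not None:
        msg.add_attachment(image, maintype="image", subtype="png",
                           filename="verify.png")
    return msg.as_string()


LINK_LURE = build_message(
    "Action required: password expiry",
    "Your password expires today. Reset it here: https://login.example.net/reset",
)
QR_LURE = build_message(
    "Action required: MFA re-enrolment",
    "Your MFA device must be re-enrolled within 24 hours.\n"
    "Scan the QR code below with your phone to continue.",
    image=FAKE_QR_PNG,
)


def extract_text_urls(raw):
    """What a link-inspection stage sees: URLs present in text/* parts only."""
    msg = message_from_string(raw, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def looks_like_quishing(raw):
    """Heuristic: an image attachment plus 'scan this code' wording and no
    textual link for the URL stage to inspect. Such a message should be
    routed to an image-decoding stage (or quarantined) rather than passed on
    the strength of a clean URL check."""
    msg = message_from_string(raw, policy=policy.default)
    has_image = any(p.get_content_maintype() == "image" for p in msg.walk())
    text = "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")
    return has_image and bool(SCAN_PROMPT_RE.search(text)) and not extract_text_urls(raw)


if __name__ == "__main__":
    print("link lure URLs:", extract_text_urls(LINK_LURE))
    print("QR lure URLs:  ", extract_text_urls(QR_LURE))
    print("QR lure flagged:", looks_like_quishing(QR_LURE))
```

The link lure yields `https://login.example.net/reset` for reputation and sandbox checks, while the QR lure yields nothing, and only the attachment-plus-prompt heuristic flags it. The heuristic is a triage signal, not a verdict: the real fix is to decode image attachments (and images inline in HTML) with a QR decoder and feed the recovered URL back into the same inspection pipeline the text links go through.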
2 months ago