
Phishing Campaign Takes Advantage of YouTube Attribution Links and Cloudflare Captcha

Security researchers at Vade have detected a new phishing campaign that exploits legitimate YouTube attribution links and a Cloudflare CAPTCHA to avoid detection. The phishing scam spoofs an email from Microsoft and sends an alert to the user that their Microsoft 365 password has expired. The email appears to come from a legitimate Microsoft domain, but it uses display name spoofing to create the illusion of authenticity. The email contains personalization and contextualization to give it a more realistic appearance. The email contains a button that redirects to a YouTube URL with the phrase "attribution_link." The URL leads to a phishing webpage that auto-populates the user's email address and prompts the user to enter their password. The domain of the phishing page does not resemble a legitimate Microsoft URL, but the personalization of the email draws attention away from the obvious signs of phishing.


The use of YouTube attribution links is a new tactic that could bypass email filters that scan for suspicious redirects. It can also trick users, who know YouTube and consider it a legitimate website. Intermediary pages are increasingly popular among hackers because they can prevent email filters from analyzing phishing pages. In this scheme, the Cloudflare CAPTCHA page blocks email filters and prevents them from scanning the spoofed Microsoft webpage. If the technique succeeds, the email filters will mark the email as safe because the intermediary page doesn't contain any phishing form fields.
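One way a triage script could flag the combination described above, a Microsoft display name on a non-Microsoft address together with a YouTube link containing "attribution_link". This is an added example, not Vade's detection logic; the trusted-domain list, the YouTube host list and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains this organisation accepts as genuine Microsoft senders.
TRUSTED_BRAND_DOMAINS = {"microsoft.com", "microsoftonline.com"}
YOUTUBE_HOSTS = {"youtube.com", "www.youtube.com", "m.youtube.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def display_name_spoof(msg):
    """True when the display name claims Microsoft but the address does not."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    trusted = any(domain == d or domain.endswith("." + d) for d in TRUSTED_BRAND_DOMAINS)
    return "microsoft" in name.lower() and not trusted


def attribution_links(msg):
    """Return YouTube URLs in the body whose path contains 'attribution_link'."""
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            parts = urlsplit(url)
            if (parts.hostname or "").lower() in YOUTUBE_HOSTS and "attribution_link" in parts.path:
                hits.append(url)
    return hits


def triage(raw):
    """Quarantine only when both signals from the article appear together."""
    msg = message_from_string(raw)
    spoof, links = display_name_spoof(msg), attribution_links(msg)
    return {"display_name_spoof": spoof, "attribution_links": links,
            "quarantine": spoof and bool(links)}


# Constructed sample message (not taken from the campaign).
SAMPLE = """From: "Microsoft 365" <notice@mailer.example.ru>
To: user@example.com
Subject: Your password has expired
Content-Type: text/html; charset=utf-8

<a href="https://www.youtube.com/attribution_link?c=EXAMPLE">Keep my password</a>
"""
```

Because the sending domain in this campaign passed SPF, DKIM and ARC, the check looks at the display name and link structure rather than authentication results.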


According to Vade's analysis, more than 1,000 emails in the last 30 days belonged to this specific campaign. The threat domain ending with ".ru" was registered four days before the delivery of the threat, but it passes the protocol checks used in SMTP transactions (SPF, DKIM, ARC...). While Vade detected this phishing attack from the first email, zero security vendors regard the URL as malicious on VirusTotal.


This attack fits broader themes and trends in phishing. Vade researchers have uncovered similarities to an increase in phishing attacks that spoof productivity suites like Microsoft and Google. Last year, Vade experts predicted that hackers would increasingly use legitimate services to help facilitate phishing attacks.


Phishing attacks like this one will likely increase in volume and sophistication. To stay protected, businesses should encourage and educate their teams to adopt good cyber hygiene practices. Always verify the sender of an email and use a separate browser for accessing accounts or updating passwords. If the business uses Microsoft 365, consider an integrated email security solution to filter advanced phishing threats and augment Microsoft's native protection. Also invest in phishing awareness training to ensure users are proficient at spotting and handling email-borne threats.
