Dangerous Phishing: How Phishing Sites Disguise Themselves as Legitimate
Everyone, young and old, has heard of phishing, yet users continue to fall for cybercriminals’ tricks. In this article, we’ll look at phishing links and, more specifically, the ways they are disguised using official websites of well-known companies and services.
Open redirects in “1C-Bitrix” are nothing new. Let’s instead examine how cybercriminals manage to use trusted domains like archive.org, evernote.com, bing.com, microsoft.com, adobe.com, and others to deceive unsuspecting users.
If you’re a cybersecurity specialist reading this, I recommend testing how your users react to such links. Users are typically taught to spot suspicious links in emails, but few check which site is actually asking for their credentials after they click. For the same reason, this article will also be useful to pentesters: there’s no need to register a look-alike domain like 0utl00k.com if you can use a subdomain of the official outlook.com instead.
File Sharing Services
Let’s start with a phishing link targeting Outlook credentials, using a legitimate subdomain of indd.adobe.com:
https://indd.adobe.com/view/f894dec3-4cc0-4077-954c-d72b229dfc54
There’s a variant as well: after you click the button, a Cloudflare bot check runs first, and only then are you taken to a classic phishing form.
Another scam message uses a legitimate service to send attachments as a link. The victim receives a link like:
https://docsend.com/view/z4zk3d6c8wsnyppt
When you follow it, an HTML file with malicious content is automatically downloaded.
Advertising Networks
Here’s a link created using Google’s advertising service. The full link is very long, but the idea is clear even from a shortened version:
https://googleads.g.doubleclick.net/dbm/clk?sa=L&ai=...
After clicking, you’re also checked for bots via Cloudflare, then redirected to a Microsoft phishing form.
Survey Services
In the next case, Microsoft itself helps “phish” an account from its own service. The user receives a link to the Dynamics 365 Customer Voice survey service:
https://ncv.microsoft.com/Xd4E8g0inD
After following the link, you land on the service’s page, which contains another link leading to a Cloudflare check, and then to a Microsoft-style phishing form. This attack first appeared in August 2022, but the method was still being exploited in December 2023.
Web Applications
In the article “The Art of Disguise: How Scammers Hide Their Sites Online,” we discussed which domains can host malicious resources, so subdomains on legitimate sites are no longer surprising. But I couldn’t pass up a phishing site imitating a Russian service:
https://glen-sulky-angora.glitch.me/
Here, the attacker used a web application service to host their malicious payload, targeting users of mail.ru.
Search Engines
Here’s how Bing is used to bypass initial firewall filters (unless you’ve blacklisted bing.com):
https://www.bing.com/ck/a?!&&p=eaab4245dac9a54dJmltdHM9MTcwMTk5MzYwMCZpZ3VpZD0xMmIyMDE0YS1lOTQyLTZhZjItMGI0YS0xMmFiZTg4ODZiOTUmaW5zaWQ9NTEzNQ&ptn=3&ver=2&hsh=3&fclid=12b2014a-e942-6af2-0b4a-12abe8886b95&u=a1aHR0cDovL2ZyZWVkb21zcGVha3NjYXJlLmNvbS9yZWdpc3RyYXRpb24v#[email protected]
Clicking the link takes you to a phishing resource.
AMP Pages
In the next example, Google’s AMP technology helps the attacker cache their page and then send the phishing link to unsuspecting users:
https://www.google.com/amp/s/pub-2cccc10251dd4525b4619dce6ade915b.r2.dev/owatelegram.html#aXJpcy5uZXVzc25lckB3aW5rbGVyc2NodWxiZWRhcmYuY29t
Through a redirect, the link leads to a phishing Outlook page.
Email Services
The link is too long to publish in full, but it’s clear that Outlook facilitates phishing by allowing such redirects:
https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fp.feedblitz.com%2Ft3.asp%3F%2F1081591%2F102442729%2F7821567_%2F~feeds.feedblitz.com%2F~%2Ft%2F0%2F0%2Fsethsblog%2Fposts%2F~%2F%2Fr20.rs6.net%2Ftn.jsp%3Ff%3D001vFHMoPyMo0WrLNfpX5KrbtnufSjk2FOwtHR22KMN3Rk2jm9egqQ...
For Office 365 users, suspicious links in emails are rewritten to the form https://*.safelinks.protection.outlook.com/*, which is exactly what an attacker needs: they send the link to themselves, Outlook wraps it so that it looks legitimate, and the wrapped link is then sent to the victim.
In the example, after several redirects, you land on a Microsoft login form with the email address [email protected] pre-filled. After that, however, you’re redirected to a form carrying the victim company’s logo: the attacker’s script checks whether [email protected] belongs to Microsoft services and, if so, loads the target company’s logo for added credibility. Hopefully, Robin didn’t fall for the phishing, and we move on.
Collaboration Services
Here’s a document recently shared by a “colleague-hacker” with unsuspecting users:
https://share.nuclino.com/p/Hangar-38-NQPTdHWF_sOk8OLF47mDEm
Opening the link in the document takes you to a familiar Microsoft-style phishing form.
Data Visualization Services
Here, the attacker used Google’s Looker Studio service:
https://lookerstudio.google.com/s/inARhcBTd642
The link again leads to a Microsoft-style login form, though this time the attacker didn’t bother to add a Cloudflare check.
Note-Taking Services
This is how Evernote helps create a link to any web resource—including phishing sites:
https://www.evernote.com/shard/s429/client/snv?isnewsnv=true&noteGuid=edcd788b-1388-90b4-3dbe-6a4c1d0839fc&noteKey=2C0bc4FotYyqz224bXZZxtFnmB8_uLv4JKgimuZDrpC4ldrauOW4KhjldQ&sn=https%3A%2F%2Fwww.evernote.com%2Fshard%2Fs429%2Fsh%2Fedcd788b-1388-90b4-3dbe-6a4c1d0839fc%2F2C0bc4FotYyqz224bXZZxtFnmB8_uLv4JKgimuZDrpC4ldrauOW4KhjldQ&title=Sylvie%2BDUPONT%2Ba%2Bpartag%25C3%25A9%2Bun%2Bdocument%2Bvia%2BOneDrive
You land on a legitimate intermediary page that contains a link to a phishing site.
Internet Archive
The next phishing example uses the popular Internet Archive service for malicious purposes:
https://ia601207.us.archive.org/17/items/Lnkdsof/Lnkdsof.shtml
In Conclusion
This isn’t an ad, but for educational purposes—thousands of other phishing examples (and more) can be found in the interactive malware search service https://any.run.
The free version is more than enough not only to find phishing sites, but also to download the latest sample of some exotic ransomware or to study the simulated attacks that security professionals run as part of awareness programs.