Beware this new phishing attack that's after your passwords!

That email link might not send you where you expect.

Credit: Markus Spiske / Pixabay

A classic bit of internet security advice just bit the dust. For ages, email users were told to hover their mouse over a link to see where it led—if you saw the URL of a legitimate website, you were in the clear. But on Tuesday, Microsoft shared details on a new kind of phishing attack: Email with links that contain a known website at the start, but actually redirect to a malicious page.

This ploy relies on a type of link often used by sales and marketing teams to track information about who clicks on a URL in a newsletter or on social media. Known as open redirect links, the structure of the link begins with a primary domain, then includes a string of analytics data and a final destination site.

But as Microsoft describes in a post on its security blog, this phishing strategy uses open redirect links to exploit an average end user’s security training. Because open redirects can start with any primary domain and end with any final destination, these phishing links can start with a legitimate site and then go to a malicious page.

Adding further complexity to this scheme is the use of captchas to lend an air of authenticity. Users who believe they’re on a genuine site will then enter login credentials in the belief they’re accessing a notification, report, or even Zoom meeting, only to encounter a fake error page claiming a session time-out or incorrect password—prompting a second entry of login credentials. After the phishing attempt has successfully captured the user ID and password twice, users get redirected to another genuine website.

You can see specific examples of this attack and a sample list of malicious destination URLs in Microsoft’s blog post, but you don’t need to dig that deep in order to protect yourself. Instead, start using a password manager. It won’t automatically supply your login credentials on a spoofed site. You can also look over the whole URL when mousing over, but it’s not nearly as fool-proof a method as a password manager.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Alaina Yee

PC World (US online)
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?