In a Microsoft Outlook email quarantine scam, threat actors who are likely of Russian origin are deploying sophisticated redirect chains to bypass security filters. MailGuard's threat intelligence team has identified an active, sophisticated phishing campaign that exploits multiple legitimate services to harvest targets' email credentials. The attack demonstrates the evolving complexity of modern email threats, combining social engineering with technical obfuscation designed to evade traditional email security solutions.
The campaign begins with emails bearing the subject line "Action Required: Review Your Quarantined Messages" that appear to originate from the recipient's email security service. The fraudulent messages claim to be "Outlook Quarantine Notifications," exploiting users' familiarity with Microsoft's email platform to establish false legitimacy.
However, the sender address reveals the first red flag: admin(at)megatroncrypts(dot)co. The use of an administrative email address for customer communications is highly irregular and suggests the entire domain may be compromised by threat actors.
What sets this campaign apart is its technical complexity. Rather than directing victims to an obviously malicious domain, the attackers have constructed a sophisticated redirect chain that abuses multiple legitimate services:
The initial link routes through Google's official translation service (translate(dot)google(dot)com) and carries a telling indicator of the attack's origin: the parameter 'sl=ru' (source language: Russian), suggesting that Russian-speaking threat actors are behind this campaign.
The full redirect structure shows the attackers' methodology:
https://translate(dot)google(dot)com/translate?hl=en&sl=ru&u=https://logihost.sa.com/[redacted]
The Google Translate link then forwards victims to an intermediate redirector service, adding another layer of obfuscation to complicate threat detection and attribution.
The final destination exploits the Internet Archive's Web Archive service, which has been archiving websites for over 25 years. By hosting the malicious content on this trusted platform, attackers attempt to leverage the service's reputation to bypass security filters.
Once victims navigate through the redirect chain, they encounter a convincing replica of the Microsoft Outlook login page. The fake interface closely mimics the legitimate Outlook Web App, complete with authentic-looking branding and layout designed to capture usernames and passwords.
The phishing page's URL reveals its true nature: web(dot)archive(dot)org/web/[timestamp]/cloud(dot)equinoxe-com(dot)com/[path], indicating the abuse of the Web Archive service to host the credential theft interface.
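As an added example (not MailGuard's code), a small offline unwrapper that peels the two wrapper layers discussed above, Google Translate's `u=` parameter and the Wayback Machine's `/web/<timestamp>/<url>` path, and records the `sl=` source-language clue. The sample URLs use constructed placeholder hosts rather than the campaign's domains, and the intermediate HTTP redirector between the layers, which would need a live fetch, is not followed.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

TRANSLATE_HOSTS = {"translate.google.com"}
ARCHIVE_HOSTS = {"web.archive.org"}
# Wayback capture path: /web/<timestamp>[modifier]/<wrapped-url>
ARCHIVE_PATH = re.compile(r"^/web/\d{1,14}(?:[a-z]{2}_)?/(?P<inner>.+)$")

# Constructed samples with placeholder hosts, not the campaign's real domains.
SAMPLE_URLS = [
    "https://translate.google.com/translate?hl=en&sl=ru&u=https://redirector.example/r/abc",
    "https://web.archive.org/web/20240101000000/cloud.phish.example/owa/login.php",
    "https://www.microsoft.com/en-us/microsoft-365/outlook/",
]


def unwrap_once(url):
    """Peel one wrapper layer: (wrapper, inner_url, notes) or None."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host in TRANSLATE_HOSTS:
        qs = parse_qs(p.query)
        inner = qs.get("u", [""])[0]
        if inner:  # sl= is the source language; "ru" is the attribution clue above
            notes = [f"translate-source-lang={sl}" for sl in qs.get("sl", [])]
            return "google-translate", unquote(inner), notes
    if host in ARCHIVE_HOSTS:
        m = ARCHIVE_PATH.match(p.path)
        if m:
            inner = m.group("inner")
            if not inner.startswith(("http://", "https://")):
                inner = "https://" + inner  # Wayback accepts scheme-less captures
            return "wayback", inner, []
    return None


def unwrap_chain(url):
    """Peel every known wrapper offline; returns (wrappers, notes, final_url).
    An HTTP redirector between layers, as in this campaign, needs a live fetch."""
    wrappers, notes, seen = [], [], set()
    while url not in seen:  # the seen set stops self-referencing loops
        seen.add(url)
        step = unwrap_once(url)
        if step is None:
            break
        wrapper, url, step_notes = step
        wrappers.append(wrapper)
        notes.extend(step_notes)
    return wrappers, notes, url
```

Any non-empty wrapper list on a link inside a "quarantine notification" is worth alerting on, since neither service has a legitimate role in delivering such a notice.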
This campaign represents several concerning trends in modern phishing:
Service Legitimacy Exploitation: By routing through Google Translate and Web Archive, attackers leverage the trust and reputation of established platforms, making detection significantly more challenging.
Administrative Email Compromise: The use of admin(at)megatroncrypts(dot)co suggests broader domain compromise, potentially indicating a larger breach that could affect multiple organizations.
Multi-Layer Obfuscation: The triple-redirect chain is designed specifically to evade automated security scanning, as many solutions struggle to follow complex redirect sequences in real time.
Brand Impersonation Precision: The campaign targets users' trust in both their email security provider and Microsoft's Outlook platform, exploiting the intersection of security and productivity tools.
MailGuard's advanced threat detection systems have successfully identified and blocked this campaign across our global network. Our threat intelligence team has reported the service abuse to both Google and the Internet Archive administrators, contributing to broader industry defense efforts.
The attack demonstrates why traditional email filters often fail against sophisticated threats. While the attackers employ multiple layers of legitimate service abuse, MailGuard's AI-powered detection engines analyze the complete attack chain, identifying malicious intent despite the obfuscation techniques.
Security teams should be aware of the following technical indicators:
For IT Administrators:
For End Users:
MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.
Avoid emails that:
Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's specialist, 'zero zero-day' email security. Special Ops for when speed matters! Our real-time 'zero zero-day' email threat detection amplifies our clients' intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.