TikTok Links Exploited to Compromise Microsoft Accounts

The Cofense Phishing Defense Center identified a campaign that uses TikTok URLs to redirect victims to credential-stealing sites targeting Microsoft Office 365. The emails impersonate IT alerts and exploit trust in a well-known social media domain to bypass suspicion and trigger fear of data loss.

Key points

  • The phishing campaign uses TikTok URLs to redirect users to credential-stealing sites.
  • Emails impersonate IT department alerts, claiming urgent action is needed to prevent email deletion.
  • Attackers exploit user trust in TikTok to bypass suspicion.
  • The phishing page mimics a legitimate Microsoft login page, increasing deception.
  • Indicators of compromise include specific IP addresses and URLs related to the campaign.

MITRE Techniques

  • [T1566] Phishing – “Deceptive emails impersonating IT departments to harvest credentials.”
  • [T1003] Credential Dumping – “Redirecting users to a phishing page that resembles a legitimate login site to capture Microsoft Office 365 credentials.”

Indicators of Compromise

  • [IP] 184.25.127.68 – Associated with the TikTok redirect chain shown in the URL indicators below.
  • [IP] 191.252.144.224 – Linked to the phishing redirect URL in the indicators.
  • [IP] 147.182.205.62 – Connected to the faisalassociates domain hosting the phishing page.
  • [URL] hXXps://www.tiktok[.]com/link/v2?aid=1988&lang=en&scene=bio_url&target=google.com[.]////amp/s/reidopurificador[.]com[.]br//////xone/zbxrz – TikTok redirect URL used to begin the chain.
  • [URL] hXXp://reidopurificador[.]com[.]br//////xone/zbxrz/ – Redirect domain URL used in the campaign.
  • [URL] hXXps://dffkkffjkd.faisalassociates[.]com[.]pk – Phishing hosting domain for the credential page.
  • [Domain] reidopurificador.com.br – Domain used in the phishing infrastructure.
  • [Domain] faisalassociates.com.pk – Domain used in the phishing infrastructure.
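The TikTok redirect URL above hides its real destination behind a `target=` parameter, a trailing-dot host (`google.com.`), padded slashes and a Google-AMP-style `/amp/s/<host>/` path. The following added example (not code from the Cofense post) unwraps those layers for triage; the allowlist and function names are assumptions, and the sample input is the post's own defanged indicator, refanged only for parsing.

```python
"""Unwrap a TikTok /link/v2 redirect and expose the hosts it really leads to."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed from the defanged indicator in the post (refanged before parsing).
SAMPLE_DEFANGED = (
    "hXXps://www.tiktok[.]com/link/v2?aid=1988&lang=en&scene=bio_url"
    "&target=google.com[.]////amp/s/reidopurificador[.]com[.]br//////xone/zbxrz"
)

# Assumed allowlist: google.com is included on purpose so the verdict comes
# from the hidden second hop, not from the visible first one.
TRUSTED_TARGET_HOSTS = {"tiktok.com", "www.tiktok.com", "google.com"}

# google.com/amp/s/<host>/... pass-through form used to smuggle a second host.
AMP_PATTERN = re.compile(r"^/amp/s/([^/]+)")


def refang(ioc: str) -> str:
    """Turn a defanged IoC (hXXp, [.]) back into a parseable URL."""
    return ioc.replace("hXXp", "http").replace("[.]", ".")


def _as_url(target: str) -> str:
    """A bare 'host/path' target has no scheme; give it one so urlsplit sees a host."""
    return target if "://" in target else "https://" + target


def _clean_host(host: str) -> str:
    """Lowercase and drop the trailing dot used to make 'google.com.' look benign."""
    return (host or "").lower().rstrip(".")


def analyze_tiktok_redirect(url: str) -> dict:
    """Return the redirect hops behind a TikTok link/v2 URL and a suspicious flag."""
    parts = urlsplit(url)
    host = _clean_host(parts.hostname)
    result = {"is_tiktok_link": False, "hops": [], "suspicious": False}
    is_tiktok = host == "tiktok.com" or host.endswith(".tiktok.com")
    if not is_tiktok or parts.path != "/link/v2":
        return result
    result["is_tiktok_link"] = True
    target = parse_qs(parts.query).get("target", [""])[0]
    if not target:
        return result
    target_parts = urlsplit(_as_url(target))
    result["hops"].append(_clean_host(target_parts.hostname))
    # Collapse the padded slashes, then look for the AMP pass-through host.
    amp = AMP_PATTERN.match(re.sub(r"/+", "/", target_parts.path))
    if amp:
        result["hops"].append(_clean_host(amp.group(1)))
    result["suspicious"] = any(h not in TRUSTED_TARGET_HOSTS for h in result["hops"])
    return result
```

Run over mail-gateway URL extractions, the `hops` list gives the analyst both the decoy host and the real redirect domain without clicking the link.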

Read more: https://cofense.com/blog/exploiting-social-media-tiktok-links-used-to-hijack-microsoft-accounts