chat
expand_more

When SEGs Fail: How Attackers Exploit Open Redirects to Bypass Legacy Email Security

Explore the risks of open redirects and how they enable attackers to circumvent email security.

Gabriel Rebane

February 14, 2025

Placeholder

Open redirects have become a favorite tool for attackers looking to bypass email security measures. By exploiting weakly constructed scripts hosted on trusted websites, attackers redirect recipients from initially safe websites to malicious ones.

This strategy leverages the reputation of trusted domains to:

  • Evade being flagged as malicious by email security tools.

  • Bypass compensating URL rewriting and sandboxing controls.

  • Lower suspicion among end-users, increasing the likelihood of a successful attack.

Here, we’ll explore how attackers abuse open redirects, review a real-world example, and explain why traditional email security fails to protect against these threats.

What Are Open Redirects and Why Are They Dangerous?

Open redirects occur when a trusted website contains a script or URL parameter that attackers manipulate to redirect users to their destinations. Instead of reaching the trusted site, users are often forwarded to a malicious one without realizing it.

How Open Redirects Work

Consider the following URL from a real attack Abnormal Security observed:

Open Redirect4

At first glance, the URL appears legitimate because it starts with a trusted domain. Upon further inspection, however, Abnormal detected:

  1. Open Redirect Abuse: The click.php script allows the attacker to redirect users to another site.

  2. Intermediate Step: Users are sent to a CAPTCHA page (captcha.com) to build trust.

  3. Final Redirect: Completing the CAPTCHA sends users to a spoofed Microsoft login page, designed to steal credentials.

How This Attack Unfolded

In this real-world example, attackers combined open redirects with multiple tactics to create a sophisticated phishing campaign:

1. Email From a Compromised Vendor Account:

  • The email originated from a trusted account that passed all authentication checks (SPF, DKIM, DMARC).

  • It impersonated DocuSign branding to establish trust.

Open Redirect1

2. Malicious URL with Open Redirect:

  • The email contained an open redirect hosted on a trusted website.

  • This redirected users to a second site hosting a CAPTCHA.

Open Redirect2

3. CAPTCHA Page:

  • CAPTCHAs add legitimacy, tricking users into believing the interaction is secure.

  • CAPTCHAs can prevent automated systems from progressing past the page. This causes sandbox tools to be unable to analyze the full redirect chain or reach the final malicious destination.

4. Final Redirect to Phishing Page:

  • Completing the CAPTCHA sent users to a spoofed Microsoft login page, designed to harvest credentials.

Open Redirect3

Why This Attack Was Effective

This attack succeeded by exploiting trusted domains and using advanced tactics to evade detection:

  • Legitimate Accounts and Authentication:
    • The email passed authentication protocols (SPF, DKIM, DMARC) and appeared to come from a known vendor.

  • Open Redirects on Trusted Sites:
    • These exploited the reputation of legitimate domains to bypass URL rewriting and sandboxing solutions.

  • CAPTCHA Hosting:
    • CAPTCHAs added credibility and blocked automated detection tools.

  • Phishing Toolkit Efficiency:
    • Attackers rapidly deployed the spoofed Microsoft login page using readily available phishing kits.

Why Traditional Email Security Fails

Legacy email security solutions struggle to detect attacks leveraging open redirects due to:

  • Static Defenses:
    • Traditional solutions rely on predefined rules and domain reputation checks, which fail against dynamic multi-step redirects.

  • Limited Visibility into Redirect Chains:
    • URL rewriting tools analyze only the initial or intermediate links, missing the malicious final destination.

  • Overreliance on Trust:
    • Emails from authenticated or trusted domains often bypass traditional defenses.

  • Bot Evasion Techniques:
    • CAPTCHAs often block automated analysis, creating blind spots in traditional sandboxing tools.

By failing to adapt to evolving threats, these solutions leave organizations vulnerable to sophisticated phishing campaigns.

How Abnormal Stops These Attacks

Abnormal Security’s AI-powered platform is uniquely designed to detect and prevent attacks like these:

  • Detection of Redirect Chains:
    • Abnormal dynamically analyzes multi-step redirects, flagging suspicious chains even when they originate from trusted domains.

  • Behavioral and Contextual Analysis:
    • By analyzing thousands of identity signals, Abnormal identifies anomalies like unusual sender behavior or requests inconsistent with user roles.

  • End-to-End Attack Visibility:
    • Abnormal provides full visibility into the attack chain, from the initial email to the final phishing page, empowering security teams with actionable insights.

With Abnormal, you gain real-time protection that adapts to evolving attacker tactics, eliminating blind spots and reducing operational overhead.

Evolving Threats Demand Smarter Defenses

As attackers continue to refine their methods, traditional email security solutions fall short in detecting advanced threats like open redirects. Relying on static defenses and trust-based assumptions creates significant risks for organizations.

Abnormal Security’s AI-native platform offers the advanced protection you need, analyzing intent and behavior to stop threats before they reach your users.

Interested in learning more about how Abnormal can protect your organization? Schedule a demo today!

Schedule a Demo

Related Posts

Blog Thumbnail
Beyond the SEG: A Roadmap to AI-Native, Cloud Email Security

October 22, 2025

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Discover How It All Works

See How Abnormal AI Protects Humans