In the fast-paced world of social media, new threats are emerging every day, and not all of them come from where you’d expect. The Cofense Phishing Defense Center (PDC) intelligence team recently observed a phishing campaign that cleverly uses TikTok URLs to redirect users to malicious sites. The phishing emails attempt to harvest Microsoft Office 365 credentials by sending a deceptive notice that falsely claims that all the user’s messages will be deleted. The surprising element here is the use of TikTok to redirect victims into a credential-stealing trap.
This tactic isn't entirely new: we've previously seen phishing attempts use popular social media platforms such as YouTube or Facebook to spread malicious links. However, the use of TikTok in this case stands out. These URLs usually appear in the bios of TikTok profiles that link to external websites, and the TikTok URL redirects to whatever site the profile holder chooses. By using TikTok URLs, attackers sidestep some user suspicion and capitalize on the trust many place in the platform. This abuse of a legitimate site to redirect to a malicious one highlights the evolving nature of phishing campaigns and the need for continuous vigilance online.
In this case, the threat actor crafts the email to look like an Office 365 alert from the user’s company IT department, urging the user to follow a URL to cancel a request to delete the emails in their inbox, a common tactic used to frighten the user into acting. The threat actor also tries to make the email appear to come from the user’s IT department, but the sender’s email address belongs to an unrelated domain. The color of the button the user is prompted to click stands out from the rest of the email, but otherwise the button is suspiciously plain. It also carries the link, which uses TikTok as its initial domain for the redirect.
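As an added example (not code from the Cofense write-up), the following Python scores a message for the three traits described above: an IT-department display name on a sender domain that does not match the recipient's, a deletion threat in the subject or body, and a link whose first hop is a tiktok.com URL carrying the real destination in its query string. The sample message, its domains and the query-parameter layout are constructed assumptions, not artifacts from the campaign.

```python
import email
import re
from email import policy
from urllib.parse import urlparse, parse_qs

# Constructed sample modelled on the lure described above (not a real
# campaign message): IT display name on an unrelated sender domain, a
# deletion threat, and a tiktok.com link whose query string holds the
# real destination (the parameter name is an assumption).
SAMPLE_EML = """\
From: "IT Support" <alerts@example-unrelated.test>
To: user@corp.example
Subject: Office 365: Deletion of all your messages
Content-Type: text/plain

All messages in your inbox will be deleted today.
Cancel the request here:
https://www.tiktok.com/link/v2?scene=bio_url&target=https%3A%2F%2Fexample-phish.test%2Flogin
"""

URGENCY_TERMS = ("deleted", "delete", "cancel the request", "suspended")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def redirector_targets(url: str) -> list[str]:
    """Return absolute URLs found in the query string of a tiktok.com link."""
    parts = urlparse(url)
    host = parts.hostname or ""
    if host != "tiktok.com" and not host.endswith(".tiktok.com"):
        return []
    # Any query value that is itself a URL is the redirect's real destination.
    return [v for values in parse_qs(parts.query).values()
            for v in values if v.startswith(("http://", "https://"))]

def score_message(raw: str) -> dict:
    """Flag the three traits of the lure and return them with a 0-3 score."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    sender = msg["From"].addresses[0]
    display = (sender.display_name or "").lower()
    recipient_domain = msg["To"].addresses[0].domain.lower()
    findings = {}
    # Claims to be the IT department but is sent from a different domain.
    findings["it_spoof"] = "it" in display.split() and sender.domain.lower() != recipient_domain
    text = (msg["Subject"] + " " + body).lower()
    findings["urgency"] = any(t in text for t in URGENCY_TERMS)
    findings["tiktok_redirects"] = [t for u in URL_RE.findall(body) for t in redirector_targets(u)]
    findings["score"] = sum([findings["it_spoof"], findings["urgency"], bool(findings["tiktok_redirects"])])
    return findings
```

Run `score_message(SAMPLE_EML)` to see all three traits flagged; a legitimate link or a sender on the recipient's own domain lowers the score accordingly.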