Lead Analysts: Jeewan Singh Jalal, Prabhakaran Ravichandhiran and Anand Bodke
KnowBe4 Threat Labs has uncovered an emerging advanced phishing campaign targeting Microsoft 365 users globally to steal their credentials. The attackers are wielding a powerful new tool that’s completely changing the game for cybercriminals—turning what used to be complex, technical phishing setups into simple one-click launches that can bypass certain technical controls.
Welcome to the era of “Quantum Route Redirect.”
Our analysts first observed attacks using Quantum Route Redirect in early August in both KnowBe4 PhishER Plus and KnowBe4 Defend. Quantum Route Redirect is a new phishing kit for sale that comes with a pre-configured setup and phishing domains, significantly simplifying a once technically complex campaign flow and further “democratizing” phishing for less skilled cybercriminals.
Phishing Attack Summary
Vector and type: Email phishing
Techniques: Impersonation, quishing, automated bot filtering via Quantum Route Redirect system, credential harvesting websites
Targets: Microsoft 365 users
From a target’s perspective, the campaigns start with a phishing email. You can see in the examples below that attackers are casting a wide net via diverse themes and tactics designed to maximize victim engagement. These include:
- Docusign and other service agreement impersonation
- Payroll impersonation
- Payment notification emails
- “Missed voicemail messages”
- QR code phishing (quishing)

Docusign impersonation email sent in Quantum Route Redirect campaign, displayed in the KnowBe4 PhishER dashboard.

Phishing email impersonating target’s HR team sent in Quantum Route Redirect campaign, displayed in the KnowBe4 PhishER dashboard.

Payment notification email sent in Quantum Route Redirect campaign, displayed in the KnowBe4 PhishER dashboard.
Each variant ultimately funnels recipients toward the same goal: credential harvesting pages that are managed via Quantum Route Redirect.
Our researchers also observed that the domain URLs consistently follow the pattern “/([\w\d-]+\.){2}[\w]{,3}\/quantum.php/” and are typically hosted on parked or compromised domains. The choice to host on legitimate domains can help to socially engineer the human targets of these attacks. Brand impersonation is often a powerful tool in a hacker’s kit, as people are generally more trusting of established companies.
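The URL pattern above can be turned into a hunting rule over proxy or email-gateway logs. The block below is an added example, not code from KnowBe4 or from the kit: it keeps the published regular expression verbatim, points out how Python's `re` module interprets it, and adds a tightened variant (my assumption, not the vendor's rule) that escapes the dot in `quantum.php` and anchors on a whole URL. The log lines and the `example.*` domains are constructed placeholders, not indicators from the campaign.

```python
import re
from typing import Dict, List

# Pattern exactly as published in the write-up. Caveats for anyone copying it into
# a detection rule:
#   - "\d" inside "[\w\d-]" is redundant with "\w" (harmless).
#   - "{,3}" means 0 to 3 repetitions in Python's re; some engines treat "{,3}"
#     as literal text, so check your engine.
#   - the "." in "quantum.php" is unescaped and matches any character.
PUBLISHED_PATTERN = r"([\w\d-]+\.){2}[\w]{,3}\/quantum.php"

# Tightened form (my assumption, not the vendor's rule): escaped dot, at least one
# TLD character, anchored to a whole URL with optional scheme and query string.
TIGHTENED_PATTERN = r"(?i)^(?:https?://)?([\w-]+\.){2}\w{1,3}/quantum\.php(?:[?#].*)?$"

QRR_PUBLISHED = re.compile(PUBLISHED_PATTERN)
QRR_TIGHT = re.compile(TIGHTENED_PATTERN)


def matches_published(url: str) -> bool:
    """Substring match, as the published pattern is written."""
    return QRR_PUBLISHED.search(url) is not None


def matches_tightened(url: str) -> bool:
    """Whole-URL match with the tightened pattern."""
    return QRR_TIGHT.match(url) is not None


# Constructed proxy log lines: "<timestamp> <client-ip> <method> <url> <status>".
# The example.* domains are placeholders, not indicators from the campaign.
SAMPLE_PROXY_LOG = """\
2025-08-12T09:14:02Z 10.0.4.21 GET https://cdn.parked-example.com/quantum.php?id=abc 302
2025-08-12T09:14:05Z 10.0.4.21 GET https://login.microsoftonline.com/common/oauth2/authorize 200
2025-08-12T09:15:40Z 10.0.7.8 GET https://files.shop-example.net/quantum.php 200
2025-08-12T09:16:11Z 10.0.7.8 GET https://www.example.org/docs/quantum-overview.pdf 200
2025-08-12T09:17:00Z 10.0.2.3 GET https://example.com/quantum.php 200
"""


def extract_url(line: str) -> str:
    """Pull the URL field out of one constructed log line ("" if malformed)."""
    parts = line.split()
    return parts[3] if len(parts) >= 5 else ""


def find_qrr_hits(log_text: str, matcher=matches_tightened) -> List[Dict[str, str]]:
    """Return one record per log line whose URL matches the chosen pattern."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        url = extract_url(line)
        if url and matcher(url):
            hits.append({"client": line.split()[1], "url": url})
    return hits


if __name__ == "__main__":
    for hit in find_qrr_hits(SAMPLE_PROXY_LOG):
        print(f"{hit['client']} requested {hit['url']}")
```

Note that both forms require at least two labels before the TLD, so a bare `example.com/quantum.php` is not matched; the published pattern additionally matches `quantumXphp` because of its unescaped dot, which is why a tightened copy is worth keeping in a production rule.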
Meet Quantum Route Redirect: The Phishing Platform That Changes Everything
Quantum Route Redirect is an advanced automation platform that streamlines the entire phishing campaign process, from traffic rerouting to victim tracking. Our security researchers have identified approximately 1,000 domains currently hosting this tool.

Admin login page for Quantum Route Redirect instance.
Initial signs indicate that Quantum Route Redirect has longevity. Similar to legitimate services, phishing kit owners need to innovate to keep customers engaged—and renewing. Our threat analysts are aware of an upcoming upgrade for this kit that will include QR code generation capabilities to enable Quantum Route Redirect users to significantly scale quishing attacks linked to the campaign.
The tool’s sophistication lies in its simplicity. The kit comes with a preconfigured setup that removes the technical expertise needed to launch such a sophisticated phishing campaign—which in turn can increase the volume of advanced phishing attacks targeting organizations globally.
Cybercriminals need to get through the technical defenses that organizations have in place to reach their intended targets. For this campaign, Microsoft Exchange Online Protection (EOP) is the first hurdle, as it’s present in all of the target organizations. Some organizations might also continue to use a secure email gateway (SEG), creating another layer to bypass. Finally, organizations are increasingly deploying integrated cloud email security (ICES) products—which is often the most difficult layer to get through.
URL scanning is one detection mechanism that these technologies rely on. Some technologies analyze URLs at the point of delivery only, quarantining suspicious emails and routing seemingly safe ones to a user’s inbox. This led to post-delivery weaponization, with cybercriminals changing the end destination once the email had passed this initial analysis. As a result, some products (like KnowBe4 Defend) also perform time-of-click analysis, blocking a user from visiting a phishing website if the URL is weaponized after delivery.
Quantum Route Redirect aims to level up phishing hyperlink payloads by automatically differentiating between and managing different types of “visitors.” When scanning a hyperlink, security tools are redirected to legitimate websites and therefore can be led to believe the original email is harmless, allowing the recipient to interact with it. People—the genuine victims—meanwhile are sent directly to phishing webpages. Essentially, the tool aims to automate the neutralization of certain email security defenses. Our Threat Lab analysts have also observed this redirect filtering deceive web application firewall products, enabling attacks to bypass multiple different layers of security.
The diagram below outlines the redirection system that uses intelligent routing to handle different types of visitors based on whether their characteristics define them as a bot or a human.

Quantum Route Redirect system flow.
An attack sent using Quantum Route Redirect follows this flow:
- Initial traffic: The hyperlink is activated by a security technology (bot) scanning it or a person clicking on it. This request is captured by Quantum Route Redirect and sent for processing.
- Centralized decision making in Quantum Route Redirect: The core routing engine analyzes all incoming traffic, using behavioral analysis to intelligently differentiate between bots and humans. This engine acts as a traffic classifier and router.
- Routing outcome A—bot traffic: Bots are identified and redirected to a safe URL, preventing them from reaching the actual phishing website. This protects the phishing infrastructure from being discovered by security scanners and increases the chances that the email will be interacted with by a person (unless it’s detected as malicious through another mechanism).
- Routing outcome B—human traffic: Visitors that are identified as human are directed to the actual phishing website, where cybercriminals attempt to steal their Microsoft 365 credentials.
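Because the routing engine described above shows one destination to scanners and another to people, a single delivery-time scan cannot be trusted on its own. One defensive check, which complements the time-of-click analysis mentioned earlier, is to detonate the same link under more than one client profile and compare where each chain ends. The block below is an added example and not code from KnowBe4 or any product: it takes recorded redirect chains (the `Observation` type, the `scanner`/`browser` profile labels and all domains are constructed for illustration) and flags the link as cloaked when the two profiles land on different registrable domains. The registrable-domain helper is a deliberate simplification with no public-suffix list.

```python
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import urlsplit


@dataclass
class Observation:
    """One detonation of the same link under a given client profile.

    profile: "scanner" (crawler-like client, datacenter egress) or "browser"
             (real browser, office/residential egress); both labels are constructed.
    hops:    the redirect chain as observed, first request to final landing page.
    """
    profile: str
    hops: List[str]


def registrable_host(url: str) -> str:
    """Approximate the registrable domain as the last two host labels.
    Simplification: no public-suffix handling (co.uk-style suffixes collapse)."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_link(observations: List[Observation]) -> Dict[str, object]:
    """Compare final landing domains per profile.

    If every scanner-profile chain ends somewhere disjoint from every
    browser-profile chain, the link serves different content to bots and
    humans, which is the behaviour the write-up attributes to the kit.
    """
    finals: Dict[str, Set[str]] = {}
    for ob in observations:
        if ob.hops:
            finals.setdefault(ob.profile, set()).add(registrable_host(ob.hops[-1]))
    scanner = finals.get("scanner", set())
    browser = finals.get("browser", set())
    verdict = "insufficient-data"
    if scanner and browser:
        verdict = "cloaked" if scanner.isdisjoint(browser) else "consistent"
    return {
        "verdict": verdict,
        "scanner_landing": sorted(scanner),
        "browser_landing": sorted(browser),
        # Entry hop ending in /quantum.php is the path pattern the write-up reports.
        "entry_is_quantum_php": any(
            urlsplit(ob.hops[0]).path.lower().endswith("/quantum.php")
            for ob in observations if ob.hops
        ),
    }


# Constructed observations with placeholder domains (not real indicators).
CONSTRUCTED_OBSERVATIONS = [
    Observation("scanner", [
        "https://cdn.parked-example.com/quantum.php?id=abc",
        "https://www.legit-example.com/",  # decoy page shown to the scanner
    ]),
    Observation("browser", [
        "https://cdn.parked-example.com/quantum.php?id=abc",
        "https://secure-login.harvest-example.net/office365/",  # credential page
    ]),
]


def run_example() -> Dict[str, object]:
    return classify_link(CONSTRUCTED_OBSERVATIONS)


if __name__ == "__main__":
    print(run_example())
```

In practice the two detonations would be produced by a sandbox and a browser-based crawler; the comparison logic is what matters here, and a "cloaked" verdict is a strong signal regardless of which content the scanner profile was shown.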
The Quantum Route Redirect system also provides admin access for the cybercriminals running these campaigns, with two easy-to-use and sleek management interfaces:
- Configuration panel: Used to manage redirect rules, settings and routing logic
- Visitor stats: Monitoring dashboards used to view analytics, such as traffic data, to determine the success of the campaign
Features That Make Cybercrime Effortless
Quantum Route Redirect includes several key capabilities that eliminate technical barriers to running a sophisticated phishing campaign:
- Bot detection and evasion: Automatically distinguishes between human and automated traffic
- Intelligent traffic routing: Handles visitor sorting without manual intervention
- Simplified analytics dashboard: Delivers comprehensive victim data including location, device type, and browser information in an intuitive format
- Real-time monitoring: Displays campaign performance and success metrics without requiring technical expertise
The platform automates browser fingerprinting and VPN/proxy detection, which enables it to determine when it’s a security tool checking a link versus when it’s a real user. The redirection process is easily managed through the simple admin interface.
A dashboard also enables cybercriminals to keep track of the total number of impressions for potential victims (humans) and security tools (bots) to measure their campaigns’ effectiveness (see below).

Quantum Route Redirect system dashboard.
Global Impact by the Numbers
This campaign has successfully compromised victims across 90 countries, demonstrating remarkable international reach. The US has borne the brunt of the attacks so far, accounting for 76% of affected users, while the remaining 24% are distributed worldwide—making the scope of this threat truly global.
Distribution of Quantum Route Redirect Attack Targets

Map of Quantum Route Redirect Attack Targets

Building Defenses Against the New Reality
Unfortunately, we believe the technology behind Quantum Route Redirect is here to stay and will likely increase in use as cybercriminals look to evade URL scanning technologies.
However, it’s not all doom and gloom—organizations can implement robust defenses against phishing campaigns sent using systems like Quantum Route Redirect.
Technical Controls
Cybersecurity teams are locked in a constant cat-and-mouse battle with cybercriminals and consequently need to partner with best-of-breed cybersecurity companies that provide sophisticated technical controls that adapt as attacks evolve.
When detecting attacks within Quantum Route Redirect campaigns, a primary difference between integrated cloud email security products (like KnowBe4 Defend) and traditional email security (such as SEGs) is their use of natural language processing (NLP) and natural language understanding to analyze the content of an email message. This capability sits alongside factors such as URL (and other payload) analysis, domain analysis, impersonation detection and polymorphic detection—and when all mechanisms are combined together, this provides a far greater scope to accurately assess whether an email is a phishing attack or not.
Additionally, organizations need to ensure both their email security and web application firewall products are capable of providing robust URL filtering to avoid being deceived by these technical attacks.

Missed voicemail message phishing email sent in Quantum Route Redirect campaign, with KnowBe4 Defend anti-phishing banners applied and displayed in the KnowBe4 PhishER dashboard.
Organizations should also invest in sandboxing technologies so they—or their managed security service provider (MSSP)—can inspect emails to understand the types of attack targeting their organization, as well as tools that provide continuous monitoring for account compromise should an employee’s credentials get harvested.
Leverage Human Risk Management (HRM) to Increase User Awareness
Cybersecurity teams have to be lightning fast: as soon as new threats emerge, they must increase awareness across the organization. Human Risk Management (HRM) helps them to do just that. An HRM platform combines deep behavioral analytics, product telemetry and threat intelligence to generate highly accurate risk scores for each individual user. From here, the platform can then automate technical controls and hyper-personalized training to intervene and coach users when they need it most—at the point of risk.
Email threat intelligence can also be used to inform company-wide education. As types of attack—such as quishing—peak, cybersecurity teams can ensure their colleagues are receiving the most relevant awareness training possible.
Real phishing attacks—like those sent in Quantum Route Redirect—can be flipped into phishing simulations, providing highly accurate training on (“de-fanged”) real-world threats, so users are better prepared for actual attacks.
Finally, all of this can be fed back into organizational policies, which can then inform wider HRM and awareness initiatives.
Policy and Procedure Preparedness
Every organization should have a rapid response procedure for credential compromise. Once an alert is triggered in account compromise and Microsoft 365 activity monitoring tools, cybersecurity teams need to put a ready-made plan into action. This includes being able to isolate the compromised user and block any further access to systems and data, and perform digital forensics to fully understand the extent of the compromise.
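A "ready-made plan" for a harvested Microsoft 365 credential is easiest to execute when the containment steps are scripted and produce an evidence log as they run. The block below is an added example, not KnowBe4's or Microsoft's code: it calls real Microsoft Graph v1.0 endpoints (disable the account, revoke sign-in sessions, read the flag back, pull recent sign-ins for the forensic timeline), but the step ordering, the `Request`/`Response` types and the offline `FakeGraph` transport are this example's own constructions so it runs without a tenant. In production the transport would be an authenticated HTTPS client with the appropriate Graph permissions.

```python
import json
from dataclasses import dataclass, field
from typing import Callable, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"


@dataclass
class Request:
    method: str
    url: str
    body: Optional[dict] = None


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


# Anything that turns a Request into a Response: an authenticated HTTPS client in
# production, or the offline FakeGraph below for this example.
Transport = Callable[[Request], Response]


def contain_user(user_id: str, send: Transport) -> List[dict]:
    """Run the containment playbook for one user and return an evidence log.

    Endpoints are real Graph v1.0 endpoints; the ordering (disable first, then
    revoke, then verify, then collect) is this example's choice.
    """
    steps = [
        ("block_signin", Request("PATCH", f"{GRAPH}/users/{user_id}",
                                 {"accountEnabled": False})),
        ("revoke_sessions", Request("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions")),
        ("verify_blocked", Request("GET", f"{GRAPH}/users/{user_id}?$select=accountEnabled")),
        ("collect_signins", Request("GET",
                                    f"{GRAPH}/auditLogs/signIns?$filter=userId eq '{user_id}'")),
    ]
    log: List[dict] = []
    for name, req in steps:
        resp = send(req)
        ok = 200 <= resp.status < 300
        if name == "verify_blocked":
            # Do not trust the PATCH alone: read the flag back before moving on.
            ok = ok and resp.body.get("accountEnabled") is False
        log.append({"step": name, "status": resp.status, "ok": ok, "detail": resp.body})
        if not ok:
            # Stop here; a half-contained account needs a human decision.
            raise RuntimeError(f"containment step {name!r} failed with HTTP {resp.status}")
    return log


class FakeGraph:
    """Constructed offline stand-in for Graph: records requests, tracks one flag."""

    def __init__(self) -> None:
        self.requests: List[Request] = []
        self.account_enabled = True

    def __call__(self, req: Request) -> Response:
        self.requests.append(req)
        if req.method == "PATCH" and "/users/" in req.url and req.body:
            self.account_enabled = req.body.get("accountEnabled", self.account_enabled)
            return Response(204)
        if req.method == "POST" and req.url.endswith("/revokeSignInSessions"):
            return Response(200, {"value": True})
        if req.method == "GET" and "$select=accountEnabled" in req.url:
            return Response(200, {"accountEnabled": self.account_enabled})
        if req.method == "GET" and "/auditLogs/signIns" in req.url:
            # Constructed sign-in record; 203.0.113.0/24 is a documentation range.
            return Response(200, {"value": [{"createdDateTime": "2025-08-12T09:20:00Z",
                                             "ipAddress": "203.0.113.7",
                                             "status": {"errorCode": 0}}]})
        return Response(404, {"error": "not handled by FakeGraph"})


def run_example(user_id: str = "00000000-0000-0000-0000-000000000001") -> List[dict]:
    """Execute the playbook against the fake transport (placeholder user id)."""
    return contain_user(user_id, FakeGraph())


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The evidence log is what later feeds the forensic review and any regulatory notification: each entry records which step ran, the HTTP result and the data returned, and the playbook halts on the first failed step rather than silently continuing.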
Understanding the need to involve regulatory bodies and law enforcement is also crucial to both help tackle cybercrime more broadly and ensure compliance with any necessary regulations.
Getting Ahead of Quantum Route Redirect
Quantum Route Redirect represents a concerning evolution in cybercrime accessibility. By removing technical barriers, it’s enabling a new generation of threat actors to launch sophisticated campaigns with minimal expertise.
However, while attacks are scaling globally, it’s still possible for organizations to stay one step ahead. For cybersecurity professionals, staying ahead of kits like this isn’t just helpful—it’s essential for preparing effective defenses against a more “democratized” phishing landscape ahead.
Reviewing the organization’s current tech stack and making any necessary adjustments now will help cybersecurity teams to stay ahead of attacks that leverage this technology, as well as whatever the next wave of emerging attacks holds.
