Hackers are using TikTok in new phishing attacks as they try to steal people’s Microsoft Office 365 credentials, a new report from Cofense warns.
The company’s researchers have discovered that someone is sending phishing emails threatening victims that all their emails will be deleted unless they press a button. What is new about this campaign is that the button actually leads to TikTok.
To make the attack work, the attackers use TikTok URLs. A TikTok URL usually appears in the bios of a profile that contains links to external websites, the researchers explained — so therefore the TikTok URL can redirect the visitor to whatever site the profile holder chooses.
Discovering the scam
If the recipient of the phishing email doesn’t see through the trick and clicks the button in the message, they will be sent through a series of redirects, eventually landing on a web page that resembles a Microsoft 365 login site, with the company logo and all. The malicious site even automatically fills in the user’s email address to improve legitimacy.
However, since this is a fake website operated by the attackers, any information (including passwords) submitted there goes straight to the hackers.
The use of TikTok URLs may be new, but the overall methodology isn’t much different from what we’re used to seeing. The email still comes from a completely unrelated domain. It is still full of grammar and spelling errors. Finally, the landing page URL isn’t even close to a Microsoft domain.
Therefore, it should not be too difficult to notice the attack; you just need to be somewhat aware of the emails that come in and not trust everything in the inbox.