Phishing is evolving rapidly, and organisations are struggling to keep pace. In August, KnowBe4 Threat Labs uncovered a global campaign targeting Microsoft 365 users, powered by a tool called Quantum Route Redirect. Unlike older phishing methods, which required technical expertise to manage servers, redirects, and evade security controls, this platform automates the entire process. Even attackers with little technical skill can now launch sophisticated campaigns that reach a wide audience.
For organisations using Microsoft 365, understanding how this tool works and preparing effective defences is essential to protect accounts and sensitive information.
How the Attack Works
The campaign begins with a phishing email crafted to look completely legitimate. Attackers imitate trusted services or internal departments to create a sense of familiarity and urgency. Common themes include:
- Document Requests
Emails that appear to come from Docusign or similar platforms, urging the user to open and sign an important document.
- Financial Notifications
Messages posing as payroll updates or payment alerts, designed to make the recipient act without hesitation.
- Simple Alerts and Quishing
Basic “missed voicemail” messages and, more recently, phishing attempts delivered through QR codes. This quishing technique often bypasses traditional URL filtering and leads users to malicious sites.
Once the user interacts with any of these emails, they are taken to a landing page controlled by the Quantum Route Redirect platform. This is where the real sophistication lies. The platform can instantly determine whether the visitor is a human or an automated security scanner.
If a bot visits, it is redirected to a safe, harmless page, making the campaign appear legitimate to security tools.
If a human visits, they are sent to a phishing page that closely resembles the Microsoft 365 login screen. When users enter their details, the credentials are captured immediately.
This selective routing keeps the attackers’ infrastructure hidden while increasing the success rate of the phishing campaign.
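One way a defender could surface this selective routing, as an added example that is not part of the original article: compare where the same link resolves for automated scanners and for real users, and flag links where the two groups never land on the same host. The log format, field names and example.test hosts are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records (not real indicators). Assumed format: one line per
# fetch, recording who fetched the link (scanner or user), the emailed URL, and
# the final URL reached after all redirects.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z client=scanner url=https://docs.example.test/s/ab12 final=https://www.example.org/welcome
2025-01-10T09:04:37Z client=user url=https://docs.example.test/s/ab12 final=https://login.example.net/signin
2025-01-10T09:05:02Z client=user url=https://docs.example.test/s/ab12 final=https://login.example.net/signin
2025-01-10T09:10:11Z client=scanner url=https://hr.example.test/payroll final=https://hr.example.test/payroll/view
2025-01-10T09:12:45Z client=user url=https://hr.example.test/payroll final=https://hr.example.test/payroll/view
2025-01-10T09:20:00Z client=scanner url=https://vm.example.test/msg final=https://www.example.org/
"""

LINE_RE = re.compile(r"^\S+ client=(scanner|user) url=(\S+) final=(\S+)$")


def parse(log_text):
    """Yield (client, url, final_host) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing
        client, url, final = m.groups()
        host = urlsplit(final).hostname
        if host:
            yield client, url, host.lower()


def find_divergent_urls(log_text):
    """Return URLs whose final hosts for scanners and users do not overlap.

    A URL is flagged only when both groups fetched it; a link seen by scanners
    alone gives nothing to compare against.
    """
    seen = defaultdict(lambda: {"scanner": set(), "user": set()})
    for client, url, host in parse(log_text):
        seen[url][client].add(host)
    return {
        url: {k: sorted(v) for k, v in groups.items()}
        for url, groups in seen.items()
        if groups["scanner"] and groups["user"]
        and groups["scanner"].isdisjoint(groups["user"])
    }
```

A mismatch is a lead for analyst review rather than proof of phishing, since legitimate sites also redirect by device or region.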
Why This Is a Serious Threat
Quantum Route Redirect represents a significant shift in how phishing attacks are carried out. Traditionally, launching a phishing campaign of this sophistication required considerable technical knowledge. Attackers had to configure servers, set up domains, manage redirects, track visitor activity, and find ways to bypass security tools like email filters and firewalls. Each of these steps demanded time, expertise, and resources, limiting the scale and frequency of attacks. Quantum Route Redirect automates this entire process, so even attackers with little technical skill can run such campaigns.
The platform also provides real-time analytics, giving attackers immediate insight into campaign performance. They can see how many users clicked on a link, the types of devices being used, their browser details, and even the geographic location of the victims. All of this information is available through a simple dashboard that does not require technical expertise to operate.
The reach of Quantum Route Redirect is significant. Users in over 90 countries have been affected. About 76% of victims are in the United States, while the rest are spread across Europe, Asia, and the Middle East. This shows how quickly automated phishing platforms can spread and target users globally.
How Organisations Can Protect Themselves
Defending against Quantum Route Redirect requires multiple layers of protection, combining technology, user awareness, and clear response processes.
Advanced email security tools that can analyse URLs, check domains, and even look at the content of emails are essential to catch phishing attempts. Web application firewalls and URL filters can stop users from reaching malicious pages. Sandboxing technologies allow emails and attachments to be tested in a safe environment before they reach employees.
Human awareness is equally important. Monitoring employee behaviour can help identify high-risk users and provide them with targeted training. Real phishing attacks can be used as safe simulations to teach employees how to spot suspicious emails. Regular awareness campaigns will keep users alert to new phishing methods, including quishing.
Rapid response plans are also crucial. If an account is compromised, it should be isolated immediately, access blocked, and a forensic investigation carried out to determine the extent of the breach. In serious cases, involving law enforcement and regulatory authorities may be necessary.