Photo by Glenn Carstens-Peters / Unsplash

At the new job I am working on sorting through all the emails that were reported as a phish and the system isn't really sure if it is a legit phish or someone that just clicked on the button. To help pass the time I have started to work on the email to see where it goes versus just clicking the Windows way, next until I am done.

Today we got an email that just had a "google" link in it.

I did the good old right click and copy the link that the fake one is pointing to and I get this as a result. hxxps[://]nam02[.]safelinks[.]protection[.]outlook[.]com/?url=hxxps%3A%2F%2Fbit[.]ly%2F3usmRJO&data=05%7C01%7CREDACTED%40email[.]com%7C683da1b421dd4289426008da610d06b2%7Cc7e7a09730aa485ea37b537c20f88623%7C0%7C0%7C637929006439854522%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000%7C%7C%7C&sdata=mJrAGo7atvVdWG5BubctFRhD9Jlr3XGwkz3WSmDURZs%3D&reserved=0

At that point I did a little more url decoding to get this: hxxps[://]nam02[.]safelinks[.]protection[.]outlook[.]com/?url=hxxps://bit[.]ly/3usmRJO&data=05|01|REDACTED@email[.]com|683da1b421dd4289426008da610d06b2|c7e7a09730aa485ea37b537c20f88623|0|0|637929006439854522|Unknown|TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=|2000|||&sdata=mJrAGo7atvVdWG5BubctFRhD9Jlr3XGwkz3WSmDURZs=&reserved=0

Looking at the link I can see that it's trying to go to a bit.ly url shortened site. I then went to trusty Google to get a tool that can tell me where this link is pointing to and I get this: hxxps[://]m[.]addthis[.]com/live/redirect/?url=hxxps[://]contentnetnews[.]world/g/e1cnd1p1s7m2v/sxy/h/dna/?statoliths=u&uid=5a565eff6ca0606b&pub=ra-4f753e3563379203&rev=v8[.]3[.]10-wp&per=undefined&pco=smlrebh-1[.]0&wilderments=tgku&humanized=u

With that information Virus Total's lookup of this domain, hxxps[://]m[.]addthis[.]com reported back as clean. But looking further at the url I can see that there is a redirect to another site. I then take that url to Virus Total and I can see that there are vendors that flag this site.

With that I am a little curious and the next thing I want to do is go to Any.Run and enter that url to see what will happen. Nothing happened this time but it gives a little experience in using some tools to decode and then follow where this is trying to send the end user.

As always if you have questions or need to ask questions please email me at feedback@markschindel.com and have a great day/night.