How often are redirects used in phishing in 2026?, (Mon, Apr 6th)
In one of his recent diaries, Johannes discussed how open redirects are actively being sought out by threat actors[1], which made me wonder about how commonly these mechanisms are actually misused…
AI Analysis
Technical Summary
Open redirect vulnerabilities let an attacker craft a URL whose visible domain belongs to a legitimate site but whose redirect parameter forwards the visitor to a destination the attacker controls. Open redirects dropped out of the OWASP Top 10 after the 2013 edition, yet they remain in routine use in phishing campaigns. Analysis of phishing emails collected in early 2026 found that over 21% of phishing messages used redirect-based links, falling into three groups: fully open redirects (any destination is accepted), token-based 'half-open' redirects (the destination must be accompanied by a token, but on services such as Google and Bing the tokens are often reusable and long-lived, so a single captured link can serve repeated campaigns), and URL shorteners. Many of these redirectors are legitimate features (click tracking, advertising, logout or login 'return to' handling) rather than bugs, which is why they persist. Because the visible link points at a reputable domain, it passes URL-reputation checks in email security gateways and looks trustworthy to the recipient. The persistence and variety of redirect abuse means organizations should inventory and restrict their own redirect endpoints so their domain's reputation is not lent to phishing.
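The classification the summary describes (fully open redirect, token-based 'half-open' redirect, shortener, or direct link) can be automated over the links extracted from a mail corpus. The following is an added example, not code from the ISC diary: the shortener list, the token heuristic (a long opaque alphanumeric parameter next to the destination) and the sample links under the reserved .example/.test domains are all constructed assumptions.

```python
"""Classify e-mail links as direct or redirect-based, the way a phishing corpus
would be measured. Added example, not the diary's own code; sample links,
the shortener list and the token heuristic are constructed assumptions."""
from __future__ import annotations

import base64
import binascii
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed shortener list (assumption: extend it from your own telemetry).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "ow.ly", "is.gd"}
ABS_URL = re.compile(r"^https?://", re.I)
# Heuristic (assumption): a long opaque alphanumeric value beside the
# destination is treated as a signing token, i.e. a 'half-open' redirector.
TOKEN_VALUE = re.compile(r"^[A-Za-z0-9_\-]{16,}$")


def nested_url(value: str) -> str | None:
    """Return an absolute http(s) URL carried in a query value, if there is one.

    Covers plain, percent-encoded and base64/base64url-encoded destinations.
    """
    candidate = unquote(value)
    if ABS_URL.match(candidate):
        return candidate
    # Tracking links often strip base64 padding; restore it before decoding.
    padded = candidate + "=" * (-len(candidate) % 4)
    try:
        decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return decoded if ABS_URL.match(decoded) else None


def classify_link(url: str) -> tuple[str, str | None]:
    """Return (category, destination).

    open_redirect: an off-site destination sits in the query string, no token
    half_open:     off-site destination plus a token-looking parameter
    shortener:     host is a known shortener (destination unknown offline)
    direct:        the link goes where it says it goes
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in SHORTENER_HOSTS:
        return "shortener", None
    destination, token_present = None, False
    # Split by hand rather than with parse_qsl(): parse_qsl turns '+' into a
    # space, which corrupts standard-alphabet base64 payloads.
    for pair in parts.query.split("&"):
        _key, _sep, value = pair.partition("=")
        target = nested_url(value)
        target_host = (urlsplit(target).hostname or "").lower() if target else ""
        if target_host and target_host != host:
            destination = target  # the link leaves the redirector's own site
        elif TOKEN_VALUE.match(value):
            token_present = True
    if destination is None:
        return "direct", None
    return ("half_open" if token_present else "open_redirect"), destination


def redirect_share(urls: list[str]) -> tuple[float, dict[str, int]]:
    """Fraction of links that are redirect-based, plus a per-category count."""
    counts = Counter(classify_link(u)[0] for u in urls)
    redirect_based = len(urls) - counts.get("direct", 0)
    return redirect_based / len(urls), dict(counts)


# Constructed sample corpus; .example and .test are reserved, not real sites.
SAMPLE_LINKS = [
    "https://example-bank.test/login",
    "https://legit.example/redirect?url=https://evil.example/login",
    "https://portal.example/logout?next=https%3A%2F%2Fevil.example%2Fsso",
    "https://tracker.example/click?u=aHR0cHM6Ly9ldmlsLmV4YW1wbGUvZG9j"
    "&sig=3f9a1c77b2e0d4f5a6b7c8d9e0f1a2b3",
    "https://bit.ly/3xyzAbc",
    "https://news.example/article?id=42",
]

if __name__ == "__main__":
    share, counts = redirect_share(SAMPLE_LINKS)
    for link in SAMPLE_LINKS:
        print(classify_link(link), link)
    print(f"redirect-based share: {share:.0%} {counts}")
```

A redirect whose nested destination resolves to the redirector's own host (a normal post-login `next=` on the same site) is deliberately counted as direct; only off-site forwarding is what lends a domain's reputation to someone else. Shorteners are counted without being resolved, since following them requires network access and tips off the operator.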
Potential Impact
Abuse of redirect mechanisms makes phishing links more likely to look legitimate to recipients and to evade URL-reputation checks in email security tools, raising the success rate of phishing and with it the risk of credential theft, account takeover and follow-on compromise. Open redirects are low-impact on their own; the medium-level threat lies in their use as a social-engineering enabler, and in the reputational exposure of the organization whose domain is doing the forwarding.
Mitigation Recommendations
Organizations should audit their applications for open redirect endpoints and remove those that are not needed; common parameter names to search for include next, url, redirect, return, goto and continue. Where redirection is required, restrict destinations to an allowlist of trusted hosts (or to relative paths on the same origin), log redirect targets and alert on off-site destinations, and, for token-based redirectors, make tokens short-lived, single-use and bound to one destination. On the receiving side, email filters should inspect the final destination of a link rather than scoring only its visible domain, and should flag URLs whose query string carries a nested absolute URL or points at a known shortener. No vendor patch or cloud-provider action applies: this is a secure-coding and operational-monitoring problem.
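The "restricted to trusted destinations" recommendation in practice: below, the open-redirect pattern sits beside a hardened resolver that accepts only relative paths and allowlisted hosts. This is an added example, not code from the diary or any product; the site origin and ALLOWED_HOSTS are assumptions standing in for a real deployment.

```python
"""Post-login redirect handling: the open-redirect pattern beside a hardened
resolver. Added example, not the diary's code; SITE_ORIGIN and ALLOWED_HOSTS
are assumptions standing in for your own deployment."""
from __future__ import annotations

from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://app.example"             # assumption
ALLOWED_HOSTS = {"app.example", "sso.example"}  # assumption: trusted destinations
DEFAULT_TARGET = "/"


def vulnerable_redirect_target(next_param: str | None) -> str:
    """Open redirect: wherever ?next= points is where the user is sent.

    A phisher mails https://app.example/login?next=https://evil.example and
    the visible link, and any reputation check on it, sees only app.example.
    """
    return next_param or DEFAULT_TARGET


def safe_redirect_target(next_param: str | None) -> str:
    """Resolve ?next= against the site origin and allow only trusted hosts.

    Anything that does not resolve to an allowed host, including
    protocol-relative (//evil.example), backslash (/\\evil.example),
    userinfo (https://app.example@evil.example) and non-http schemes
    (javascript:), falls back to DEFAULT_TARGET.
    """
    if not next_param:
        return DEFAULT_TARGET
    candidate = next_param.strip()
    # Browsers silently strip tabs and newlines inside URLs; reject, don't guess.
    if any(ord(ch) < 0x20 for ch in candidate):
        return DEFAULT_TARGET
    # "//host" and "/\host" are treated as network-path references by browsers,
    # so a bare "starts with /" check is not enough.
    if candidate.startswith(("//", "/\\", "\\")):
        return DEFAULT_TARGET
    resolved = urlsplit(urljoin(SITE_ORIGIN, candidate))
    if resolved.scheme not in ("http", "https"):
        return DEFAULT_TARGET
    # hostname excludes userinfo and port, so app.example@evil.example fails here
    if (resolved.hostname or "").lower() not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return resolved.geturl()


if __name__ == "__main__":
    for probe in ["/account", "https://evil.example/login", "//evil.example",
                  "https://app.example@evil.example/", "javascript:alert(1)"]:
        print(f"{probe!r:45} vulnerable -> {vulnerable_redirect_target(probe)!r:40}"
              f" safe -> {safe_redirect_target(probe)!r}")
```

If a destination outside the allowlist is genuinely required (a partner site, for instance), do not widen the allowlist into a pattern match on the hostname; issue a signed token that is bound to that exact destination, expires in minutes and is accepted once. That is the difference between a 'half-open' redirector whose tokens can be harvested and replayed and one that is not useful to a phisher.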
Technical Details
- Article Source: https://isc.sans.edu/diary/rss/32870 (fetched 2026-04-06, 777 words)
Added to database: 4/6/2026, 9:00:36 AM