WordPress Redirect Outlook Phishing Attack

August 20, 2021

Our partners at Astra Security have discovered yet another vicious attack on WordPress websites. If you own a WordPress website and you aren't using Astra's malware protection, it's time to do so!

Let's take a look at their report:

Although it is one of the most common attacks on WordPress, the WordPress redirection hack never ceases to surprise. In a new strain identified by our security engineers, the malware redirects the WordPress website to phishing pages impersonating well-known companies (such as Microsoft Outlook) and security and antivirus vendors, as well as to known malicious domains such as

  • travelinskydream[.]ga
  • track.lowerskyactive[.]ga
  • hxxps://pipe.travelfornamewalking.ga
  • hxxps://greenlinetask.me/w_15.js

and several other domains that we previously saw in the Buyittraffic WP redirection hack and the Digestcolect redirection hack. We are seeing an increasing number of WP sites targeted by this attack.

What does the actual redirect attack look like?

When you open the infected website's URL, you are taken to the legitimate Microsoft Outlook login page with hostname https://login.microsoftonline.com/ (see picture below).

[Image: Microsoft Outlook Phishing Attack]

When unsuspecting users authenticate on this form, they are then presented with a permission-requesting add-in, inserted or modified by the hacker, that asks for full ("apex-level") access to their Outlook account.

[Image: Microsoft Outlook Malicious Phishing Attack]

The hacker also presents other fake pop-ups, emulating security and antivirus software, that prompt the user to scan their device for malware, as depicted below:

[Image: Applecare Phishing Attack]

Clicking on the Scan Now button can reveal your sensitive details to the hacker or give them complete access to your device.

[Image: Browser Notifications Phishing Attack]

The Technical Breakdown

The hack, like most WordPress redirection hacks, involves an injected malicious JS script.

The following script is one example of the JS we found in the database of the infected website.

As you can see, the script adds a redirect to the hacker-controlled domain ‘track.lowerthenskyactive.ga’.

[Image: Hacked WordPress Admin]

On closer investigation, our security team also found the following script injected into almost all .php files inside the wp-content (plugins/themes) directory of the infected WordPress website.

In addition, all the .js files were heavily infected with the following obfuscated code,

which decodes to:

Have you been hacked?

  • If your website is also redirecting to any of the mentioned phishing pages, you have been infected with the office-365 malware.
  • If you can’t log into your WP backend, that’s another sign of the hack.
  • If you see unfamiliar and suspicious-looking usernames in your WP admin panel, they probably belong to the hackers.

There are other common hack symptoms that you should look out for as well; we have compiled the most common symptoms seen on hacked WP websites here.
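As an added illustration (this is not code from Astra's report), here is a small Python scan that applies the indicators listed in this report to file contents and database values. The host names are the ones named above, refanged from the `[.]` and `hxxps` notation; the allowlist of legitimate script hosts, the sample file and database-row contents, and the eval/decoder heuristic for obfuscated JS are assumptions constructed for the demo and should be adapted to the site being checked.

```python
import re
from dataclasses import dataclass

# Indicators as written in the report (defanged with [.] and hxxps); the last one is the
# domain named in the description of the database script.
REPORTED_INDICATORS = [
    "travelinskydream[.]ga",
    "track.lowerskyactive[.]ga",
    "hxxps://pipe.travelfornamewalking.ga",
    "hxxps://greenlinetask.me/w_15.js",
    "track.lowerthenskyactive.ga",
]

def refang_host(indicator):
    """Reduce a defanged indicator ('hxxps://a[.]b/path') to a bare lower-case host name."""
    s = indicator.replace("[.]", ".").replace("hxxps://", "").replace("hxxp://", "")
    return s.split("/")[0].lower()

KNOWN_BAD_HOSTS = [refang_host(i) for i in REPORTED_INDICATORS]

# Assumed allowlist: hosts this particular site legitimately loads scripts from or redirects to.
ALLOWED_HOSTS = {"example-site.test", "ajax.googleapis.com"}

BAD_HOST_RE = re.compile("|".join(re.escape(h) for h in KNOWN_BAD_HOSTS), re.IGNORECASE)
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc=[\"']?(?:https?:)?//([^/\"'\s>]+)", re.IGNORECASE)
REDIRECT_RE = re.compile(r"(?:window\.)?location(?:\.href)?\s*=\s*[\"']https?://([^\"'/]+)", re.IGNORECASE)
# Heuristic (an assumption, not taken from the report): eval() fed by a decoder is a common
# obfuscation wrapper and deserves a manual look.
OBFUSCATION_RE = re.compile(r"eval\s*\(.*?(?:fromCharCode|unescape|atob)", re.IGNORECASE | re.DOTALL)

@dataclass
class Finding:
    source: str   # file path or "db:<table>:<key>"
    rule: str
    detail: str

def scan_text(source, text):
    """Return the findings for one file or one database value."""
    findings = []
    for m in BAD_HOST_RE.finditer(text):
        findings.append(Finding(source, "known-bad-host", m.group(0).lower()))
    for m in SCRIPT_SRC_RE.finditer(text):
        host = m.group(1).lower()
        if host not in ALLOWED_HOSTS:
            findings.append(Finding(source, "external-script", host))
    for m in REDIRECT_RE.finditer(text):
        host = m.group(1).lower()
        if host not in ALLOWED_HOSTS:
            findings.append(Finding(source, "js-redirect", host))
    if OBFUSCATION_RE.search(text):
        findings.append(Finding(source, "obfuscation-wrapper", "eval() with decoder"))
    return findings

def scan_sources(sources):
    """Map each source with at least one finding to the set of rules that fired."""
    summary = {}
    for source, text in sources.items():
        rules = {f.rule for f in scan_text(source, text)}
        if rules:
            summary[source] = rules
    return summary

# Constructed sample content: one clean theme file, then three items showing the injection
# patterns the report describes (a remote script tag in a plugin .php file, a redirect stored
# in the database, and an eval-wrapped .js file). None of it is real malware.
SAMPLE_SOURCES = {
    "wp-content/themes/clean/header.php":
        '<script src="https://example-site.test/js/app.js"></script>\n'
        '<script>if (!loggedIn) location.href = "https://example-site.test/login";</script>\n',
    "wp-content/plugins/seo-tools/seo.php":
        "<?php /* plugin code */ ?>\n"
        '<script src="https://greenlinetask.me/w_15.js"></script>\n',
    "db:wp_options:widget_text":
        '<script>window.location = "https://track.lowerthenskyactive.ga/?z=1";</script>',
    "wp-content/themes/clean/js/menu.js":
        "eval(String.fromCharCode(118,97,114,32,120,61,49));",
}

if __name__ == "__main__":
    for source, rules in scan_sources(SAMPLE_SOURCES).items():
        print(f"{source}: {', '.join(sorted(rules))}")
```

The clean theme file produces no finding because its script and redirect targets are on the allowlist; the other three are flagged by the indicator match, the external-script and redirect rules, or the obfuscation heuristic. To run this over a real site, feed it the text of each .php/.js file under wp-content and the values of the wp_posts and wp_options rows instead of the constructed samples.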

Or you can just scan your website with a malware scanner to confirm the hack. Here’s how Astra’s machine-learning powered Malware Scanner flags malware on websites:

[Image: Astra Malware Scanner]

How to repair your website

The best solution, if you are unsure how to deal with this hack, is to hire a professional security team. Astra Security has helped thousands of websites recover from a hack safely. We take care of the matter end to end and in record time (in under 6 hours from your sign-up).

If for any reason you cannot hire a security team, start by taking a backup and changing all the passwords (WP admin panel, database, etc.), provided you still have access to your website.

Next, download the checksums of the core WP files and compare your current files against them. If it doesn't cost you a lot of work, replace the files altogether. Otherwise, check for unfamiliar changes and undo them. Be very careful doing this, as you may also delete a benign piece of script by mistake.

Next, check the database tables for any rogue insertions, such as the injected redirect script described above.
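The checksum comparison from the steps above, written out in Python as an added example (not code from the report or from WordPress). The manifest shape follows what WordPress.org's checksums API returns (https://api.wordpress.org/core/checksums/1.0/?version=<version>&locale=en_US gives MD5 hashes keyed by path relative to the install root), but the manifest, the file contents and the temporary install below are constructed so the script runs offline; the paths wp-includes/functions.php and wp-admin/admin.php are real core paths used as stand-ins, the dropped file name wp-cache-helper.php is invented for the demo, and the hashes are of the constructed contents, not the real release hashes.

```python
import hashlib
import os
import tempfile

def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()

def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

# Constructed stand-ins for three core files; a real check would fetch the manifest for the
# installed version from the checksums API instead of building it from known-clean bytes.
CLEAN_FILES = {
    "index.php": b"<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';\n",
    "wp-includes/functions.php": b"<?php /* constructed stand-in for core functions.php */\n",
    "wp-admin/admin.php": b"<?php /* constructed stand-in for core admin.php */\n",
}
MANIFEST = {"checksums": {rel: md5_of_bytes(data) for rel, data in CLEAN_FILES.items()}}

# Directories the release manifest fully describes (assumption for the demo): any file found
# here that the manifest does not list is reported as unexpected. wp-content is not covered,
# which is why the report's plugin/theme injections need the separate content scan.
CORE_DIRS = ("wp-admin", "wp-includes")

def verify_core(root, manifest):
    """Compare an install under `root` with a checksums manifest; return modified/missing/unexpected paths."""
    checksums = manifest["checksums"]
    result = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in sorted(checksums.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif md5_of_file(full) != expected.lower():
            result["modified"].append(rel)
    for core_dir in CORE_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, core_dir)):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                if rel not in checksums:
                    result["unexpected"].append(rel)
    return result

def build_demo_site(root):
    """Write a constructed install: one core file tampered with, one deleted, one foreign file added."""
    for rel, data in CLEAN_FILES.items():
        if rel == "wp-admin/admin.php":
            continue  # simulate a deleted core file
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    # Simulate an injection appended to a core file (a constructed marker, not real malware)
    with open(os.path.join(root, "wp-includes/functions.php"), "ab") as f:
        f.write(b"<?php /* INJECTED-DEMO */ ?>\n")
    # Simulate a file dropped into a core directory that no release ships
    with open(os.path.join(root, "wp-includes/wp-cache-helper.php"), "wb") as f:
        f.write(b"<?php /* not part of any release */\n")

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_demo_site(root)
        return verify_core(root, MANIFEST)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The three result lists map onto the three actions in the repair steps: modified files are candidates for replacement from a fresh download, missing files must be restored, and unexpected files inside wp-admin or wp-includes deserve a close look before deletion, since the manifest does not describe anything under wp-content and a site may legitimately carry extra files elsewhere.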

What to do after you've restored your site

After your website has been restored, make sure it becomes as hack-resistant as possible.

This is how you can do this:

  • Check that your website runs on the latest versions of WordPress and of any other complementary software and extensions.
  • Set up a regular backup routine. You can use a WP plugin to make this easier.
  • Set up a website firewall. A firewall monitors your website round the clock and blocks known malicious traffic from reaching your website.
  • Set up regular malware scanning to detect malware and intrusions before it’s too late. Daily malware scanning is ideal and recommended.