Full Report
A new phishing automation platform named Quantum Route Redirect is using around 1,000 domains to steal Microsoft 365 users' credentials. [...]
Analysis Summary
# Tool/Technique: Quantum Route Redirect (QRR) Phishing Automation Platform
## Overview
Quantum Route Redirect (QRR) is a phishing-as-a-service (PhaaS) platform, sold or otherwise distributed, designed to automate credential theft against Microsoft 365 users worldwide. It provides pre-configured infrastructure, including potentially thousands of domains, which lowers the barrier to entry for less skilled threat actors.
## Technical Details
- Type: Attack Tool / Framework (Phishing Kit)
- Platform: Web-based, targeting Microsoft 365 users.
- Capabilities: Full-cycle phishing automation, traffic redirection, bot/human differentiation, real-time statistics dashboard.
- First Seen: Attacks noticed "Since August" (of 2025, based on the article date).
## MITRE ATT&CK Mapping
The primary activity identified relates to initial access and execution of the phishing campaign.
- **TA0001 - Initial Access**
- **T1566 - Phishing**
- T1566.001 - Spearphishing Attachment (initial email lures themed as DocuSign requests or voicemail notifications carry attachments or links)
- T1566.002 - Spearphishing Link (directs users to malicious domains)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol (use of standard web protocols for redirection and hosting)
## Functionality
### Core Capabilities
- **Credential Harvesting:** Designed specifically to steal Microsoft 365 user credentials.
- **Domain Infrastructure:** Utilizes approximately 1,000 domains, often hosted on parked or compromised legitimate domains to enhance social engineering trust.
- **Social Engineering Lures:** Employs lures resembling DocuSign requests, payment notifications, missed voicemails, or QR codes.
- **URL Construction:** Malicious URLs consistently follow a specific pattern: `/([\w\d-]+\.){2}[\w]{,3}\/quantum.php/`.
### Advanced Features
- **Bot/Human Filtering:** A built-in mechanism distinguishes automated scanning systems (such as security tools) from potential human victims. Automated systems are redirected to benign sites, while human visitors are routed to the credential harvesting page.
- **Automated Redirection:** Acts as the central traffic routing system and performs the redirection automatically.
- **Operator Dashboard:** Provides operators with real-time statistics, including the ratio of human to non-human visitors.
## Indicators of Compromise
- File Hashes: [Not specified in the article]
- File Names: `quantum.php` (seen as a key component/path in the URL structure).
- Registry Keys: [Not specified in the article]
- Network Indicators:
- Approximately 1,000 deployed phishing domains.
- URL Pattern: `/([\w\d-]+\.){2}[\w]{,3}\/quantum.php/`
- Behavioral Indicators:
- Traffic redirection based on user-agent or request inspection (bot vs. human detection).
- Hosting phishing pages on legitimate-looking, often compromised, domains.
## Associated Threat Actors
- Less skilled threat actors ("operators" of the PhaaS service).
- The tool is used across a wide geography: 76% of observed attacks target users in the U.S., with victims in 90 countries in total.
## Detection Methods
- **Signature-based detection:** Matching the URL pattern associated with QRR (`/quantum\.php/`).
- **Behavioral detection:** Monitoring for domains hosting login pages that serve different content to automated scanners than to human visitors (traffic filtering and redirection).
- **YARA rules:** [Not specified in the article]
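The signature-based check above, as an added example that is not part of the original report: it applies the report's URL pattern and the broader `quantum.php` path check to constructed proxy log lines (hypothetical hosts and clients), and shows that the strict pattern, as written with `[\w]{,3}`, misses hosts whose top-level domain is longer than three characters.

```python
import re
from urllib.parse import urlparse

# URL pattern exactly as given in the report. Python's re reads `{,3}` as `{0,3}`;
# some other engines treat `{,3}` literally, so verify the quantifier before porting.
# Note the '.' in 'quantum.php' is unescaped in the report's pattern.
QRR_STRICT = re.compile(r"([\w\d-]+\.){2}[\w]{,3}\/quantum.php", re.IGNORECASE)
# Broader check from the detection section: any request whose path ends in quantum.php.
QRR_PATH = re.compile(r"/quantum\.php$", re.IGNORECASE)

# Constructed proxy log lines (hypothetical, not from the report):
# "<timestamp> <client_ip> <method> <url> <user_agent>"
SAMPLE_LOG = """\
2025-09-01T10:00:01Z 10.0.0.5 GET https://docs.signing-portal.com/quantum.php?id=1 Mozilla/5.0
2025-09-01T10:00:02Z 10.0.0.7 GET https://www.intranet.example/home.html Mozilla/5.0
2025-09-01T10:00:03Z 10.0.0.9 GET https://voice.mail-notice.info/quantum.php curl/8.0
2025-09-01T10:00:04Z 10.0.0.5 GET https://cdn.example.com/static/quantum.js Mozilla/5.0
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


def classify_url(url: str):
    """Return 'qrr_pattern', 'quantum_php_path' or None for a single URL."""
    parsed = urlparse(url)
    # The report's pattern spans host and path, so match against both joined.
    host_and_path = parsed.netloc + parsed.path
    if QRR_STRICT.search(host_and_path):
        return "qrr_pattern"
    # Fallback: the path indicator alone, which also catches 4+ character TLDs.
    if QRR_PATH.search(parsed.path):
        return "quantum_php_path"
    return None


def scan_log(text: str):
    """Return (client_ip, host, verdict) for each log line matching either check."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, client, _method, url, _ua = m.groups()
        verdict = classify_url(url)
        if verdict:
            hits.append((client, urlparse(url).netloc, verdict))
    return hits


if __name__ == "__main__":
    for client, host, verdict in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {verdict}")
```

The third log line is flagged only by the path check, which is why both checks are worth running side by side.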
## Mitigation Strategies
- **URL Filtering:** Implementing robust URL filtering capable of detecting sophisticated phishing attempts.
- **Post-Compromise Monitoring:** Using tools that monitor M365 accounts for signs of compromise in case credentials are successfully stolen.
- **User Education:** Training users to be wary of unexpected DocuSign, payment, or voicemail requests arriving by email.
## Related Tools/Techniques
The rise of QRR is concurrent with other advanced PhaaS services, indicating a trend toward streamlined, high-volume phishing operations:
- VoidProxy
- Darcula
- Morphing Meerkat
- Tycoon2FA