Quantum Route Redirect (QRR) phishing campaign targeting Microsoft 365 users
Campaign
Summary
Hide ▲
Show ▼
Quantum Route Redirect (QRR) is running an active phishing campaign that steals Microsoft 365 credentials and now affects users across 90 countries. The operation uses about 1,000 domains and traffic-routing automation to push victims to credential-harvesting pages while evading scanners, with 76% of observed activity concentrated in the U.S.
Related Happenings
Google DoubleClick malspam campaign delivering DesckVB RAT
Campaign
H score33
First: 03.06.2026 19:29
Last: 03.06.2026 19:29
Sources 1
About this happening:
A **new malspam campaign** is abusing **Google's DoubleClick** redirect path to evade detection and deliver **DesckVB RAT**, putting users and organizations at risk of malware inf...
Google DoubleClick malspam campaign delivering DesckVB RAT
CampaignAbout this happening: A **new malspam campaign** is abusing **Google's DoubleClick** redirect path to evade detection and deliver **DesckVB RAT**, putting users and organizations at risk of malware inf...
OpenAI ChatGPT renderer Markdown link/image phishing security flaw
Vulnerability
H score16
First: 29.05.2026 21:07
Last: 29.05.2026 21:07
Sources 1
About this happening:
**ChatGPT** has a **response-renderer vulnerability** that turns summarized third-party pages into **live phishing links** and auto-fetched **attacker-hosted images** inside the t...
OpenAI ChatGPT renderer Markdown link/image phishing security flaw
VulnerabilityAbout this happening: **ChatGPT** has a **response-renderer vulnerability** that turns summarized third-party pages into **live phishing links** and auto-fetched **attacker-hosted images** inside the t...
Kali365 Microsoft 365 device-code phishing campaign
Campaign
H score46
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Kali365 Microsoft 365 device-code phishing campaign
CampaignAbout this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
CypherLoc phishing-led browser scareware campaign
Campaign
H score49
First: 20.05.2026 13:00
Last: 20.05.2026 13:00
Sources 1
About this happening:
The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
CypherLoc phishing-led browser scareware campaign
CampaignAbout this happening: The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
QR code phishing surged across email threats in Q1 2026
Trend
H score73
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
**Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....
QR code phishing surged across email threats in Q1 2026
TrendAbout this happening: **Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....
Timeline
-
10.11.2025 23:29 3 articles · 8mo ago
Quantum Route Redirect phishing campaign targeting Microsoft 365 users
Initial DisclosureKnowBe4 identified Quantum Route Redirect (QRR) as a phishing automation platform stealing Microsoft 365 credentials through credential-harvesting pages hosted on around 1,000 domains, often on parked or compromised domains. The lure emails impersonate DocuSign requests, payment notifications, missed voicemails, or QR codes, and the kit uses a human-vs-bot filtering layer that sends automated scanners to benign sites while routing real visitors to URLs that follow the `/([\w\d-]+\.){2}[\w]{,3}\/quantum.php/` pattern. Observed activity spans 90 countries, with 76% of attacks directed at users in the U.S., and defenders are advised to deploy robust URL filtering and account monitoring for compromise.
Show sources
- Quantum Route Redirect PhaaS targets Microsoft 365 users worldwide — www.bleepingcomputer.com — 10.11.2025 23:29
- Phishing Tool Uses Smart Redirects to Bypass Detection — www.darkreading.com — 12.11.2025 17:48
- Quantum Route Redirect Phishing Kit Democratizes Cyber-Attacks — www.infosecurity-magazine.com — 11.11.2025 11:45