Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

New phishing kit steals Microsoft 365 logins using nearly 1,000 domains

Written by Caitlin Anthoney | November 12, 2025

Security researchers say a new phishing automation platform called Quantum Route Redirect (QRR) is routing victims to fake Microsoft 365 login pages hosted across roughly 1,000 domains, using automated setup and traffic filtering to avoid detection and maximise the number of credentials stolen.


What happened

According to a report by BleepingComputer, researchers have tracked QRR campaigns that send realistic-looking emails (DocuSign requests, payment notices, voicemail alerts, QR-code prompts) pointing victims to credential-harvesting pages.

The kit hosts phishing pages on many parked or compromised legitimate domains and uses a predictable URL pattern, making the pages look more trustworthy to humans while evading some scanning tools. 

Since August, researchers have observed QRR activity in 90 countries, with roughly 76% of attacks aimed at US users.


The backstory 

QRR comes soon after Microsoft disrupted another major phishing-as-a-service (PhaaS) network called RaccoonO365. This operation sold ready-to-use phishing kits that mimicked Microsoft login pages and emails, letting attackers steal over 5,000 sets of Microsoft 365 credentials, including accounts from more than 20 US healthcare organizations. Subscribers paid as little as $12 a day to send thousands of phishing emails, often as the first step toward ransomware or data theft.

In that case, Microsoft’s Digital Crimes Unit (DCU) shut down 338 related websites and traced the operation’s leader, Joshua Ogundipe from Nigeria, through a cryptocurrency wallet. Ogundipe allegedly built much of the phishing code and earned more than $100,000 in profits. Microsoft and Health-ISAC have since filed a lawsuit in New York, accusing him of multiple cybercrime violations.

Earlier this year brought similar kits such as VoidProxy, Darcula, Morphing Meerkat, and Tycoon2FA. QRR builds on them by adding automated routing, bot filtering, and a dashboard for operators.

Read also: Microsoft seizes phishing sites targeting healthcare and Microsoft 365


Going deeper

  • QRR uses about 1,000 domains, often with real websites that were parked or compromised.
  • The URLs follow a predictable pattern: /([\w\d-]+\.){2}[\w]{,3}/quantum.php/.
  • The kit filters traffic, distinguishing human visitors from bots and scanners, and logs both on an operator dashboard.
  • Attackers can run large campaigns quickly because the kit is automated and pre-configured.
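The predictable URL pattern above is the one indicator defenders can match on directly. The following is an added example, not code from the article or from the researchers cited: it compiles the published pattern as given, runs it over a constructed sample of proxy log lines (the log format and hostnames are assumptions), and adds a broader path-only check of my own, since the published regex only matches three-label hostnames with a short TLD.

```python
import re
from urllib.parse import urlsplit

# URL pattern reported for QRR landing pages, exactly as quoted in the article.
QRR_URL_RE = re.compile(r"/([\w\d-]+\.){2}[\w]{,3}/quantum.php/")

# Constructed sample of web-proxy log lines (not real traffic; format is an assumption).
SAMPLE_LOG = """\
2025-11-12T09:14:02Z user=alice dst=https://docs.example-parked.net/quantum.php/ action=allow
2025-11-12T09:15:41Z user=bob dst=https://login.microsoftonline.com/common/oauth2/v2.0/authorize action=allow
2025-11-12T09:16:03Z user=carol dst=https://files.some-vendor.org/quantum.php/?id=7 action=allow
2025-11-12T09:17:55Z user=dave dst=https://intranet.corp.example/wiki/quantum-theory action=allow
2025-11-12T09:18:30Z user=erin dst=https://parked-site.com/quantum.php/ action=allow
"""


def matches_published_pattern(url: str) -> bool:
    """True if the URL matches the QRR pattern as published in the article."""
    return QRR_URL_RE.search(url) is not None


def has_qrr_path(url: str) -> bool:
    """Broader check (my own, not from the article): any host whose path is /quantum.php.

    The published regex requires exactly three host labels (e.g. sub.domain.tld), so a
    two-label host such as parked-site.com would slip past it; this catches that case."""
    path = urlsplit(url).path
    return path == "/quantum.php" or path.startswith("/quantum.php/")


def find_qrr_hits(log_text: str) -> list[dict]:
    """Parse key=value proxy log lines and return visits that look like QRR landing pages."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
        url = fields.get("dst", "")
        exact = matches_published_pattern(url)
        broad = has_qrr_path(url)
        if exact or broad:
            hits.append({
                "user": fields.get("user"),
                "host": urlsplit(url).hostname,
                "url": url,
                "match": "published-pattern" if exact else "path-only",
            })
    return hits
```

In a real deployment the list returned by find_qrr_hits would feed a SIEM alert and a password-reset workflow for the affected users, since a visit to such a page means credentials may already have been entered.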


What was said 

According to the GBHackers analysis on QRR, “Organizations cannot rely solely on URL scanning defenses anymore. A multi-layered approach is essential. Integrated cloud email security products using natural language processing to analyze email content, combined with impersonation detection and polymorphic analysis, provide significantly better protection than traditional email gateways alone.”


In the know

QRR makes phishing easier, faster, and harder to detect. It automates the entire setup process, allowing attackers to launch large-scale phishing campaigns without needing advanced technical skills. It also includes built-in evasion tools that hide phishing sites from scanners and researchers. Many of these sites are hosted on legitimate or previously trusted domains, which makes it difficult for standard security systems to flag them as malicious.

Therefore, security teams must move beyond basic domain blocking and apply layered protection methods. Pattern and content analysis, behavioral monitoring, and AI-driven threat detection can help uncover QRR-related activity before credentials are stolen. Combined with strong authentication, monitoring, and employee training, these measures reduce the chances of attackers exploiting phishing-as-a-service kits like QRR.


Why it matters 

If attackers capture Microsoft 365 credentials, they can read email, exfiltrate files, send convincing follow-up phishing from a compromised account, and access protected health information (PHI). That makes credential theft a high-risk event for HIPAA-covered entities and business associates. Strong identity and email controls reduce the chance of compromise and the damage if credentials are stolen. 


The bottom line 

Healthcare organizations and their business associates must use multiple defenses, like phishing-resistant multifactor authentication, conditional access, URL filtering, user training, and proactive monitoring. In addition, combining these technical controls with encrypted, HIPAA compliant email solutions, like Paubox, will reduce exposure from credential theft and prevent potential HIPAA violations.

Learn more: HIPAA Compliant Email: The Definitive Guide (2025 Update)


FAQs

What is Quantum Route Redirect (QRR)?

QRR is a phishing-as-a-service (PhaaS) platform that lets criminals spin up and manage fake login pages and campaigns to harvest usernames and passwords.


Why is QRR dangerous?

It automates large phishing campaigns, so attackers with little skill can target thousands of people quickly and at scale.


How does QRR avoid detection?

QRR detects scanners and bots and sends them to harmless pages, while real people are redirected to credential-stealing sites. This lets the attacks slip past automated security checks that only see the harmless version.