Researchers at cybersecurity firm KnowBe4 have uncovered a new phishing-as-a-service (PhaaS) tool called Quantum Route Redirect (QRR) that makes it easier for cybercriminals to steal Microsoft 365 credentials worldwide — with no advanced hacking skills required.
KnowBe4 says QRR has been used in active phishing campaigns since August across 90 countries, exploiting around 1,000 compromised or parked domains globally, with the majority of attacks (roughly 76%) targeting users in the United States.
“Quantum Route Redirect is an advanced automation platform that streamlines the entire phishing campaign process, from traffic rerouting to victim tracking,” explains KnowBe4 in a blog post.
How The Scam Works
The attacks typically start with fake emails that appear to come from trusted sources such as DocuSign, payment notifications, payroll messages, or even missed voicemail alerts. Some even pose as missed voicemail notifications or QR code prompts, tricking recipients into clicking malicious links. These links lead to carefully crafted credential-harvesting pages hosted on domains that look legitimate.
“Our researchers also observed that the domain URLs consistently follow the pattern “/([\w\d-]+\.){2}[\w]{,3}\/quantum.php/” and are typically hosted on parked or compromised domains,” added KnowBe4.
“The choice to host on legitimate domains can help to socially engineer the human targets of these attacks.”
What makes QRR stand out is its automation and stealth. The phishing platform can manage every step of an attack —from traffic rerouting to victim tracking — through an easy-to-use dashboard in real time. It even uses a built-in bot filtering system that detects whether a visitor is a human or a security bot.
Bots and scanners are sent to safe, decoy pages, while real people are redirected to phishing websites designed to steal their Microsoft 365 login details.
Bypassing Security Tools
According to KnowBe4, QRR is particularly effective at evading email security filters and URL scanners, as it can distinguish between automated systems and real users. The phishing links often appear harmless during initial scans, only turning malicious when clicked by a human recipient.
The researchers warn that the kit’s design “democratizes phishing,” making it easier for less technical criminals to launch sophisticated, large-scale global attacks.
Staying Protected
While QRR’s growing popularity poses a significant challenge, experts emphasize that strong defenses can still keep organizations safe. KnowBe4 recommends organizations to strengthen URL filtering, deploy real-time link analysis, and implement continuous account monitoring to catch compromise attempts early.
Simultaneously, companies should also invest in employee awareness training, such as spotting phishing tactics and suspicious emails before clicking. Turning real-world phishing attempts into learning simulations can help users recognize and avoid similar scams in the future.
A Growing Global Concern
Quantum Route Redirect is the latest example of how phishing has evolved from a manual, technical craft into a highly automated criminal service. As the threat evolves, security professionals warn: the best defense is to stay ahead, assuming phishing will get smarter — and prepare smarter in return.
