Cybercriminals are abusing legitimate URL protection services to hide malicious phishing links, Barracuda researchers have revealed.
The company observed phishing campaigns using three different URL protection services to mask phishing URLs and send victims to websites designed to harvest their credentials.
Researchers estimate that these campaigns have targeted hundreds of companies to date, if not more.
URL protection services are designed to protect users from visiting malicious websites via a phishing link. Whenever a URL is included in an email, the service copies it, rewrites it, and then embeds the original URL into the rewritten URL.
If the email recipient clicks on this “wrapped” link, an email security scan of the original URL is triggered. If the scan finds the URL clean, the user is redirected to it. Otherwise, the user cannot access the original URL.
How URL Protection Services Are Exploited
In these new attacks, malicious actors access the URL protection service through compromised accounts and leverage it to rewrite their own phishing URLs, concealing their malicious nature – effectively turning the service against itself.
Access to a compromised account also allows them to impersonate the account owner, infiltrate and examine the owner’s email communications, and send emails from that account. This tactic is known as conversation hijacking.
Malicious actors can also determine whether a URL protection service is in use by analyzing links in emails connected to the account or in the user’s email signature.
To get the service to rewrite their own phishing URLs, the researchers noted, attackers would either need access to internal systems, which is “extremely rare,” or, more likely, send themselves an outbound email from the compromised account with the phishing link included in the message.
When that message is delivered, the URL protection service deployed by the user’s organization rewrites the phishing URL into one of its own protection links. The attacker can then reuse this link to hide the malicious URL in subsequent phishing emails targeting employees of the organization.
Researchers said URL protection vendors may not be able to validate whether a rewritten link belonging to a specific customer was generated by that customer or by an intruder who has taken control of the account.
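The wrapping mechanism described above, and the reason a wrapper alone proves nothing about a link, as an added example that is neither Barracuda’s code nor any vendor’s real link format: the script assumes a stand-in wrapper scheme (`https://urlprotect.example/?u=<percent-encoded original>`), peels the layers off a link, and judges it by the inner destination rather than by the trusted-looking protection host.

```python
from urllib.parse import urlparse, parse_qs, quote

# Assumed wrapper format (a stand-in, not any vendor's real scheme):
#   https://<protect-host>/?u=<percent-encoded original URL>
# Adjust PROTECT_HOSTS and ORIG_PARAM for the service actually deployed.
PROTECT_HOSTS = {"urlprotect.example"}
ORIG_PARAM = "u"
MAX_DEPTH = 5  # stop peeling after this many layers to avoid loops

def unwrap(url: str) -> tuple[str, int]:
    """Peel protection wrappers off a link; return (destination, layers removed)."""
    depth = 0
    while depth < MAX_DEPTH:
        parsed = urlparse(url)
        if parsed.netloc.lower() not in PROTECT_HOSTS:
            break
        inner = parse_qs(parsed.query).get(ORIG_PARAM)
        if not inner:
            break
        url = inner[0]  # parse_qs already percent-decodes the value
        depth += 1
    return url, depth

def assess(url: str, trusted_domains: set[str]) -> tuple[str, str]:
    """Judge a link by its real destination, not by the trusted-looking wrapper.
    Verdicts: 'allow' (destination trusted), 'review' (bare untrusted link) or
    'review-wrapped-untrusted' (a protection link hiding an untrusted target)."""
    final, depth = unwrap(url)
    dest = urlparse(final).netloc.lower()
    if dest in trusted_domains:
        return "allow", final
    if depth > 0:
        return "review-wrapped-untrusted", final
    return "review", final

def wrap(url: str) -> str:
    """Build a link in the assumed wrapper format (for the constructed sample)."""
    return f"https://{next(iter(PROTECT_HOSTS))}/?u={quote(url, safe='')}"

# Constructed sample: a credential-harvesting page hidden behind a protection link.
TRUSTED = {"intranet.example.com"}
SAMPLE_PHISH = "https://login-update.example.net/verify?acct=123&src=mail"
SAMPLE_WRAPPED = wrap(SAMPLE_PHISH)

if __name__ == "__main__":
    for link in (SAMPLE_WRAPPED, wrap(SAMPLE_WRAPPED), wrap("https://intranet.example.com/hr")):
        print(assess(link, TRUSTED))
```

A mail gateway or SOC enrichment step can run the same unwrap-then-judge logic on every link, so that a rewritten URL is scanned on its final destination instead of being trusted because of the wrapper host.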
According to Barracuda, attackers’ abuse of URL protection services can be intentional or opportunistic.
Attackers bypass common security controls
Barracuda noted that many traditional email security tools will not be able to detect these new tactics, while the presence of a trusted security brand in the link is more likely to give users a false sense of security and lead them to click on the malicious link.
The new research follows other methods threat actors have been observed using to bypass traditional security controls and enhance phishing campaigns.
These include the increasing use of quishing attacks, phishing messages that use a QR code rather than a URL to direct targets to malicious websites. This approach increases the likelihood that a recipient will use a personal device, outside the organization’s web or antivirus protection, to access the malicious website.
Another observed tactic is to exploit the infrastructure of popular legitimate services to conduct phishing campaigns, making it harder for security tools to distinguish malicious emails from benign ones sent through that service.