Criminals abuse URL protection to hide phishing attacks

Barracuda Networks researchers have identified a new method by which cybercriminals are exploiting legitimate URL protection services to embed malicious code in phishing emails. The technique, detailed in Barracuda’s Threat Spotlight report, involves using trusted security brands to mask phishing URLs, increasing the likelihood that recipients will click on dangerous links.

URL protection services are designed to rewrite all links in incoming emails and scan the destination website in real-time to block suspicious websites. However, attackers have managed to abuse these security tools, redirecting unsuspecting users to phishing pages designed to steal sensitive information.

Three major URL protection service providers, used by leading organizations around the world, were targeted in these attacks. “This inventive tactic allows attackers to evade security detection, and the misuse of trusted and legitimate security brands means recipients are more likely to feel safe and click on the malicious link,” said Saravanan Mohankumar, threat analyst manager at Barracuda. Mohankumar also noted that URL protection providers may not be able to verify whether the redirect URL is being used by an authorized user or an intruder.

Since mid-May 2024, Barracuda researchers have observed phishing attacks that exploit these URL protection services. Hundreds of organizations have been affected so far. The URL protection mechanism works by rewriting the original URL found in an email, scanning it, and redirecting the user if the scan clears the URL. In this exploit, users are redirected to phishing pages designed to harvest sensitive data.

Barracuda researchers suggest that attackers first gain access to URL protection services by compromising legitimate users’ email accounts. By taking control of an email account, attackers can impersonate the account holder and infiltrate their communications, a tactic known as business email compromise (BEC) or conversation hijacking. Attackers then observe the use of URL protection services in email signatures or messages related to the compromised accounts, allowing them to understand which URL protection service is being used.

Using the compromised account, attackers send phishing emails to themselves, obtaining the protection URL needed for their campaigns. This method allows them to bypass security measures since the phishing email appears to come from a trusted source and contains links that are verified by secure URL protection services.
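A defender-side check that follows from the mechanism described above: because a rewritten link carries the original URL inside it, a mail filter can unwrap it and judge the embedded destination instead of trusting the wrapper's brand. This is an added example, not code from Barracuda's report; the wrapper hostnames, query parameter names and trusted domain are hypothetical placeholders, and the sample links are constructed.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Hypothetical wrapper hosts mapped to the query parameter holding the original
# URL. Real services use their own formats; fill these in from your mail flow.
WRAPPERS = {"protect.vendor-a.example": "u", "links.vendor-b.example": "url"}
MAX_DEPTH = 3  # wrappers can be nested; stop after a few layers

def unwrap(url, depth=0):
    """Return (innermost destination, list of wrapper hosts passed through)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    param = WRAPPERS.get(host)
    if param is None or depth >= MAX_DEPTH:
        return url, []
    inner = parse_qs(parts.query).get(param)
    if not inner:                       # wrapper link with no recoverable target
        return url, [host]
    dest, chain = unwrap(inner[0], depth + 1)
    return dest, [host] + chain

def assess(url, trusted_domains):
    """Judge an inbound link by its embedded destination, not by the wrapper."""
    dest, chain = unwrap(url)
    dest_host = (urlsplit(dest).hostname or "").lower()
    trusted = any(dest_host == d or dest_host.endswith("." + d)
                  for d in trusted_domains)
    return {
        "destination": dest,
        "wrappers": chain,
        "pre_wrapped": bool(chain),      # arrived already rewritten by a service
        "review": bool(chain) and not trusted,
    }

def wrap(host, param, target):
    """Build a constructed sample link in the hypothetical wrapper format."""
    return f"https://{host}/r?{param}={quote(target, safe='')}"

# Constructed sample links (not taken from any real campaign).
SAMPLES = [
    wrap("protect.vendor-a.example", "u", "https://login.phish.example/o365"),
    wrap("links.vendor-b.example", "url",
         wrap("protect.vendor-a.example", "u", "https://portal.corp.example/docs")),
    "https://portal.corp.example/docs",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(assess(link, trusted_domains={"corp.example"}))
```

Links flagged with `review` are those that arrived pre-wrapped and whose embedded destination is outside the organization's trusted list; they should go through the same reputation and content checks as any unwrapped link.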

Mohankumar highlighted the persistence of the phishing threat, noting that “phishing is a powerful and often effective threat, and cybercriminals will continue to evolve their tools and techniques to address it. Security teams must be prepared.”

To combat these sophisticated attacks, Barracuda recommends a layered, AI-powered security approach that detects and blocks unusual or unexpected activity, no matter how complex. Organizations are also advised to provide regular security awareness training to employees to equip them with the skills to identify and report potential threats.
