Cybersecurity researchers recently spotted hackers abusing URL protection tools to deliver phishing links to unsuspecting victims, targeting “hundreds of companies or more.”
When someone receives an email with a link in it, the tool copies the link, rewrites it, and embeds the original in the new rewritten link. When the recipient clicks the rewritten link, the click triggers a security scan. In this new campaign, which most likely began in mid-May 2024, the rewritten link redirected recipients to a phishing site.
Barracuda researchers don’t seem to know exactly how the hackers managed to trick the URL protection tool, but they suspect it was a business email compromise (BEC) attack. They believe the attackers first gained access to the inbox, scanned the installed security tool, and then sent themselves an email containing the phishing link.
Hard to detect
Because the URL protection tool rewrites the phishing URL, the attackers can then use the rewritten link to hide the malicious link inside it. These links were sent from domains like wanbf[.]com and clarelocke[.]com, and were designed to look like DocuSign and password reset reminders.
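Because the phishing destination sits inside the rewritten link, a filter should judge the embedded URL rather than the wrapper's domain. The sketch below is an added example, not code from Barracuda or any vendor; the wrapper hosts, query parameter names, allowlist and sample links are all constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed wrapper formats (hypothetical): host -> query parameter holding the original URL.
WRAPPERS = {"urlprotect.example": "u", "linkscan.example": "target"}
# Constructed allowlist of destinations the organisation expects to see in mail.
TRUSTED_DESTINATIONS = {"docusign.example", "intranet.example"}
MAX_DEPTH = 5  # wrappers can be nested; stop peeling after this many layers


def unwrap(url, depth=0):
    """Peel known wrapper layers and return (final_url, layers_removed)."""
    parts = urlsplit(url)
    param = WRAPPERS.get((parts.hostname or "").lower())
    if param is None or depth >= MAX_DEPTH:
        return url, depth
    inner = parse_qs(parts.query).get(param)  # parse_qs percent-decodes the value
    if not inner:
        return url, depth  # wrapper host without an embedded URL: leave as is
    return unwrap(inner[0], depth + 1)


def assess(url):
    """Classify a link by its real destination, not by the wrapper's reputation."""
    final, layers = unwrap(url)
    host = (urlsplit(final).hostname or "").lower()
    trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DESTINATIONS)
    if trusted:
        verdict = "allow"
    elif layers:
        verdict = "review"  # rewritten link hiding an unknown destination
    else:
        verdict = "scan"    # plain link to an unknown destination
    return {"final": final, "host": host, "layers": layers, "verdict": verdict}


# Constructed sample links (not taken from the campaign).
SAMPLE_LINKS = [
    "https://urlprotect.example/v1/link?u=https%3A%2F%2Flogin.phish.example%2Freset&s=abc",
    "https://urlprotect.example/v1/link?u=https%3A%2F%2Fwww.docusign.example%2Fsign",
    "https://other.example/newsletter",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = assess(link)
        print(result["verdict"], result["layers"], result["host"])
```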
“Traditional email security tools may struggle to detect these attacks,” the researchers said. “The most effective defense is a multi-layered approach, with different levels of security capable of detecting and blocking any unusual or unexpected activity, no matter how complex. Solutions that include machine learning capabilities, both at the gateway and after delivery, will ensure that businesses are well protected.”
Barracuda also said that no matter how advanced email protection tools are, businesses should always consider training their employees on the latest email threats and how to spot and report them. Humans are the first and best line of defense, as software and automated tools, no matter how advanced, will always have workarounds.