Cybercriminals have found a new way to exploit email security measures, turning them into tools for their malicious activities.
Since mid-June 2024, threat actors have been increasingly abusing URL rewriting features, which are designed to protect users from phishing threats, to carry out sophisticated attacks.
URL rewriting is a security feature employed by various email security vendors to protect users from malicious links in emails.
The process involves replacing original URLs with modified links that first direct recipients to the vendor’s servers for threat scanning before allowing access to the web content.
There are two main approaches to URL rewriting:
- Legacy solutions: These rely on rules and signatures based on previously identified threats.
- Newer solutions: These use computer vision and machine learning algorithms to scan links in real-time.
In addition, researchers at Perception Point discovered that some organizations use a combination of both approaches, sometimes resulting in a “double rewrite” of URLs.
The Exploitation Technique
Attackers have been studying the inner workings of URL rewriting and are now exploiting it in their phishing campaigns. The most common method involves:
- Compromising legitimate email accounts protected by URL rewriting features.
- Sending an email to themselves containing a “clean” URL.
- Allowing the email security service to rewrite the URL.
- Weaponizing the rewritten URL by modifying its destination to a phishing site.
This technique is particularly dangerous because it takes advantage of users’ trust in known security brands, making even security-aware employees more likely to click on seemingly safe links.
Perception Point’s security researchers have intercepted several sophisticated attacks exploiting URL rewriting services:
- Double Rewrite Attack: Involving Proofpoint and INKY, this attack used a rewritten phishing link disguised as a SharePoint notification. It included a CAPTCHA challenge to evade automated analysis.
- Multi-Target Exploitation: Attackers compromised an organization protected by INKY and Proofpoint, generated a rewritten URL, and repurposed it to target multiple other organizations.
- Mimecast Exploitation: A phishing attack leveraged Mimecast’s URL rewriting service to disguise a malicious link leading to a credential-stealing site.
- IRS Phishing via Sophos: An attack used Sophos’s URL rewriting service to mask a phishing link in an email impersonating the IRS and ID.me.
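A defensive check that follows from the technique and cases above, as an added example that is not from the original article or from any vendor: it inspects links in inbound mail before local rewriting runs, peels rewriter layers to recover the innermost destination for scanning, and flags links that arrive already rewritten or double rewritten. The rewriter hostnames, the query-parameter layout and the sample URLs are constructed placeholders (assumptions); substitute the formats your vendors document.

```python
from urllib.parse import urlsplit, parse_qsl, quote, unquote

# Constructed placeholder hosts (assumption): use the domains your vendors document.
REWRITER_HOSTS = {"rewrite.vendor-a.example", "links.vendor-b.example"}

def embedded_url(url):
    """Return the first http(s) URL carried in a query parameter, else None."""
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        candidate = value
        for _ in range(3):  # tolerate a few extra layers of percent-encoding
            if candidate.lower().startswith(("http://", "https://")):
                return candidate
            candidate = unquote(candidate)
    return None

def unwrap(url, max_depth=5):
    """Peel rewriter layers; return (rewriter hosts seen, innermost URL)."""
    chain, current = [], url
    for _ in range(max_depth):
        host = (urlsplit(current).hostname or "").lower()
        if host not in REWRITER_HOSTS:
            break
        chain.append(host)
        inner = embedded_url(current)
        if inner is None:  # opaque token: destination cannot be recovered offline
            break
        current = inner
    return chain, current

def assess_inbound_link(url):
    """Flag links that reach the gateway already wrapped by a rewriting service."""
    chain, destination = unwrap(url)
    findings = []
    if chain:
        findings.append("pre-rewritten")   # wrapped before our own rewriting ran
    if len(chain) >= 2:
        findings.append("double-rewrite")  # nested wrappers, as in the cases above
    return {"chain": chain, "destination": destination, "findings": findings}

# Constructed sample links for the demonstration.
SAMPLE_INNER = "https://login.example.test/session?id=1"
SAMPLE_SINGLE = "https://rewrite.vendor-a.example/v1/url?u=" + quote(SAMPLE_INNER, safe="")
SAMPLE_DOUBLE = "https://links.vendor-b.example/r?target=" + quote(SAMPLE_SINGLE, safe="")

if __name__ == "__main__":
    for link in (SAMPLE_INNER, SAMPLE_SINGLE, SAMPLE_DOUBLE):
        print(assess_inbound_link(link))
```

The recovered destination still needs normal URL scanning; the flags only mark that a familiar security-vendor domain in the link is not evidence that the target is safe.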
To combat these sophisticated attacks, advanced security solutions like Perception Point’s Dynamic URL Analysis are being employed. This approach offers:
- Proactive detection by scanning URLs in real-time before email delivery
- Advanced anti-evasion capabilities to undo tactics like CAPTCHA and geo-fencing
- Post-delivery and meta-analysis to catch evolving threats
- Browser-level security extensions for additional protection
As phishing tactics continue to evolve, it’s crucial for organizations and individuals to stay informed about these new techniques and implement robust, multi-layered security solutions to protect against increasingly sophisticated cyber threats.
This article first appeared in Cyber Security News, written by Tushar Subhra Dutta on November 25, 2024.