Email attackers are increasingly exploiting “URL rewriting” in phishing attacks to evade detection while spreading malicious links, Perception Point researchers said in a blog post.
URL rewriting is a security measure in which an email protection service such as a Secure Email Gateway (SEG) wraps any URLs contained in a received email with new links under the protection service’s domain. When the rewritten URLs are clicked by the email recipient, the service scans them for potential threats before redirecting the recipient to the intended webpages.
Cybercriminals have been exploiting URL rewriting services by compromising companies that use them and leveraging the compromised email accounts to generate their own seemingly legitimate wrapped links, Barracuda revealed in a July 2024 blog post.
These types of attacks have been increasing in recent months, according to Perception Point, with the company intercepting many emails that used the phishing technique in more sophisticated ways than previously observed.
In some cases, attackers are conducting “double rewrite attacks,” in which malicious links are rewritten twice by two different security vendors to further obscure their origin. In one example from August shared by Perception Point, the attacker first wrapped their link using Proofpoint’s URL defense system and then sent the Proofpoint-wrapped link to an attacker-controlled inbox protected by INKY, generating a link with an additional layer of redirection to evade email security systems.
The final double-wrapped link was sent to one of Perception Point’s customers in an email designed to look like a shared SharePoint document and included a third layer of obfuscation — a CAPTCHA prompt designed to block analysis by automated threat detection systems. The malicious webpage after the CAPTCHA impersonated a Microsoft log-in page and ultimately aimed to steal the user’s Microsoft credentials.
URL rewriting attacks take advantage of the fact that some email security services implicitly trust their own wrapper domains: a link that a service has already rewritten is treated as pre-screened and is not scanned again when it later passes through the same service. An attacker who compromises a single mailbox at an organization protected by such a service can therefore send themselves a malicious link, harvest the wrapped version the service generates, and reuse it in phishing emails to other members of the same organization, where the service's own domain lends the link an appearance of safety.
However, Perception Point has also seen attackers using links generated from one organization’s compromised accounts to target multiple other organizations, potentially gaining access to other URL rewriting services to use in subsequent rewrite and double rewrite attacks.
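The failure mode described above can be reduced to a small piece of scanning logic. The following is an added illustration, not code from Perception Point, Barracuda, Proofpoint, INKY or any other vendor. It assumes a hypothetical wrapper format (`https://<rewriter>/v1/url?u=<percent-encoded target>`) and hypothetical rewriter hostnames; real services use different hostnames and encodings, but the structure of the check is the same. The naive verdict trusts the scanner's own domain, as the article describes, so a double-wrapped link sails through; the hardened verdict unwraps every recognised layer, scans the final destination, and treats two or more rewrite layers as suspicious rather than trusted.

```python
from urllib.parse import urlparse, parse_qs, quote

# Hypothetical rewriting-service hostnames (assumption: stand-ins for the
# domains a SEG would recognise as its own or a peer's URL-rewriting wrapper).
REWRITER_DOMAINS = {
    "urlscan.seg-a.example",
    "protect.seg-b.example",
}

MAX_UNWRAP_DEPTH = 8


def wrap(url: str, rewriter: str) -> str:
    """Simulate a rewriting service wrapping a link (hypothetical 'u=' scheme)."""
    return f"https://{rewriter}/v1/url?u={quote(url, safe='')}"


def unwrap_once(url: str):
    """Return the URL one layer down, or None if this is not a known wrapper."""
    parts = urlparse(url)
    if parts.hostname not in REWRITER_DOMAINS:
        return None
    target = parse_qs(parts.query).get("u")  # parse_qs percent-decodes values
    return target[0] if target else None


def unwrap_chain(url: str) -> list:
    """Follow nested wrappers outward-in; returns [outer, ..., final destination].

    Depth is bounded and repeats are refused so a crafted link cannot
    make the scanner loop forever.
    """
    chain = [url]
    seen = {url}
    while len(chain) <= MAX_UNWRAP_DEPTH:
        nxt = unwrap_once(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def naive_verdict(url: str, own_domain: str, blocklist: set) -> str:
    """The flawed logic the article describes: links under the scanner's own
    wrapper domain are assumed pre-screened and allowed without inspection."""
    host = urlparse(url).hostname
    if host == own_domain:
        return "allow"
    return "block" if host in blocklist else "allow"


def hardened_verdict(url: str, blocklist: set) -> str:
    """Unwrap all recognised layers and judge the final destination.

    Two or more rewrite layers is unusual for a normal mail flow but can
    occur legitimately (e.g. forwarding across organisations with different
    SEGs), so it is escalated for dynamic analysis rather than blocked outright.
    """
    chain = unwrap_chain(url)
    layers = len(chain) - 1
    final_host = urlparse(chain[-1]).hostname
    if final_host in blocklist:
        return "block"
    if layers >= 2:
        return "suspicious"
    return "allow"


def demo():
    """Constructed sample: a phishing URL wrapped by two different rewriters."""
    phish = "https://login-micros0ft.example/signin"  # constructed, not a real site
    once = wrap(phish, "urlscan.seg-a.example")
    twice = wrap(once, "protect.seg-b.example")
    blocklist = {"login-micros0ft.example"}
    return {
        "chain": unwrap_chain(twice),
        "naive": naive_verdict(twice, "protect.seg-b.example", blocklist),
        "hardened": hardened_verdict(twice, blocklist),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of the design is that the verdict is computed on the innermost destination, never on the outermost hostname, and that the unwrapping loop is bounded: a scanner that recursed without a depth limit or a seen-set would hand an attacker a cheap denial of service.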
URL rewriting attacks are better detected by dynamic and AI-powered email threat detection systems than traditional URL scanning services, according to Perception Point, as AI-powered systems can access links in a similar manner to a human user in order to analyze their behavior in real time.
These cases also show how users should not be lulled into a false sense of security just because their email inbox is protected by a SEG, URL rewriting service or other security system; it is still important to exercise caution when clicking any link, even if the domain appears safe at first.
This article first appeared in SC Media, written by Laura French on November 25, 2024.