In a concerning trend that has emerged in recent months, Perception Point has observed threat actors exploiting URL rewriting, a security feature designed to protect users from malicious links in emails. By manipulating the rewritten URLs, malefactors are able to hide phishing links behind trusted domains, evading detection and making it increasingly difficult for security measures to protect users.
URL rewriting, in which email security vendors replace the original links in a message with modified ones that route through the vendor's scanning service before reaching the destination, has been a key tool in the fight against phishing. However, cybercriminals have now found a way to weaponize this feature, using it to deliver highly evasive phishing links while bypassing even the most advanced security systems.
Peleg Cabra, Product Marketing Manager at Perception Point, explains that the trend marks a dramatic shift in phishing tactics. “These techniques aim to evade both legacy and AI-powered email security solutions. However, since mid-June 2024, a highly alarming trend has emerged – attackers are now turning email security against itself, exploiting URL rewriting features designed to prevent phishing threats. It’s a poetic quid pro quo, but not the kind defenders would necessarily appreciate.”
What Is URL Rewriting?
URL rewriting, also known as URL protection or click-time protection, is a security mechanism used by email security vendors to scan links within email messages for malicious content. In practice, the original URL is replaced with a rewritten one that directs the user to the vendor’s servers, where the link is analyzed for threats before being redirected to the original destination if deemed safe.
There are two main approaches to URL rewriting:
- Legacy Security Solutions: These rely on rules and signatures based on known threats, scanning links and blocking them if they are flagged by updated threat intelligence.
- Proactive Security Solutions: These scan links in real-time, using machine learning and computer vision to assess the link’s behavior and identify threats even if they have not been previously detected.
While URL rewriting was intended to protect users from malicious links, attackers have found a way to exploit this feature, turning a service designed to prevent such attacks into a delivery mechanism for them.
How Attackers Are Abusing URL Rewriting
Over the past few months, researchers have observed a marked increase in phishing attacks that exploit URL protection services provided by legitimate email security vendors, including Secure Email Gateways (SEGs) and Integrated Cloud Email Security (ICES) solutions.
The abuse typically follows one of two tactics:
- Compromising Email Accounts: Attackers first compromise email accounts protected by URL rewriting services. They then send themselves an email containing a malicious link. As the email passes through the security service, the link is rewritten with the email security vendor’s domain, making it appear legitimate. Once the link is rewritten, attackers can later alter the destination URL to redirect users to a phishing site.
- Whitelisting of Rewritten URLs: Some email security services whitelist their own rewriting domains to save on resources. This allows attackers to target these domains and bypass security checks, as many services do not rescan previously rewritten URLs.
These techniques take advantage of the trust users place in known security brands, making them more likely to click on seemingly safe links. The gap between the time a URL is rewritten and when it is weaponized creates a vulnerability that attackers are increasingly exploiting.
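The following Python models the gap described above as an added illustration; it is not code from Perception Point or the original article. A link is scanned clean when it is wrapped, the destination is repointed afterwards, and a policy that allowlists the rewriter's own domain never looks again, while a click-time policy that unwraps the link, re-follows the redirect chain and flags a second rewrite layer catches both cases. The rewriter hosts, the wrapper URL format, the blocklist and the redirect chains are all constructed for the example.

```python
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed rewriter hosts and blocklist for this example only; real vendor
# rewriting formats and threat feeds differ.
REWRITER_HOSTS = {"protect.rewriter-a.example", "safelinks.rewriter-b.example"}
BLOCKED_HOSTS = {"login-verify.example"}

def rewrite(url: str, rewriter_host: str) -> str:
    """Wrap a link the way click-time protection does (constructed format)."""
    return f"https://{rewriter_host}/v1/redirect?{urlencode({'u': url})}"

def unwrap(url: str) -> tuple[str, int]:
    """Peel nested rewrites and return (innermost URL, number of wrapper layers)."""
    depth = 0
    while urlparse(url).hostname in REWRITER_HOSTS:
        inner = parse_qs(urlparse(url).query).get("u")
        if not inner:
            break
        url, depth = inner[0], depth + 1
    return url, depth

def follow(url: str, redirects: dict, limit: int = 10) -> str:
    """Resolve the redirect chain as it exists now; `redirects` stands in for live HTTP."""
    for _ in range(limit):
        if url not in redirects:
            return url
        url = redirects[url]
    return url

def naive_verdict(url: str, redirects: dict) -> str:
    """Weak policy from the article: the rewriter's domain is allowlisted, no rescan."""
    host = urlparse(url).hostname
    if host in REWRITER_HOSTS:
        return "allow"
    return "block" if host in BLOCKED_HOSTS else "allow"

def hardened_verdict(url: str, redirects: dict, max_layers: int = 1) -> str:
    """Never trust the wrapper: unwrap, re-follow the chain at click time, judge the final host."""
    inner, layers = unwrap(url)
    if layers > max_layers:          # a double rewrite, as in the case study below
        return "block"
    final_host = urlparse(follow(inner, redirects)).hostname
    return "block" if final_host in BLOCKED_HOSTS else "allow"

# Constructed scenario: the link was benign when rewritten, then repointed later.
ORIGINAL = "https://files.attacker-controlled.example/doc"
AT_REWRITE_TIME = {}                                          # no redirect, scanned clean
AT_CLICK_TIME = {ORIGINAL: "https://login-verify.example/"}   # now lands on a phishing page
WRAPPED = rewrite(ORIGINAL, "protect.rewriter-a.example")
DOUBLE_WRAPPED = rewrite(WRAPPED, "safelinks.rewriter-b.example")
```

Running `naive_verdict(WRAPPED, AT_CLICK_TIME)` still returns "allow" because the wrapper host is trusted, whereas `hardened_verdict` allows the link at rewrite time and blocks it once the destination has changed.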
Case Studies of URL Rewriting Abuse
Perception Point has documented several high-profile cases where attackers successfully manipulated URL rewriting features to bypass security systems.
- Double Rewrite Attack – Proofpoint and INKY: In one case, attackers sent an email with a rewritten phishing link disguised as a legitimate SharePoint document notification. The link was rewritten twice, first by Proofpoint and then by INKY. The attackers added a CAPTCHA challenge to evade detection before redirecting the victim to a phishing site designed to steal login credentials.
- Exploiting Mimecast’s URL Rewriting: Another attack saw attackers exploit Mimecast’s URL protection service to disguise a malicious link, redirecting victims to a phishing site designed to steal credentials.
- IRS Phishing Attack via Sophos URL Rewriting: Attackers also used Sophos’s URL rewriting service to disguise a phishing link in an email claiming to be an urgent verification request from the IRS. The rewritten URL appeared legitimate due to Sophos’s domain, making it difficult for recipients to recognize the phishing attempt.
A New Defense
In response to these sophisticated attacks, Perception Point has developed a unique Dynamic URL Analysis solution that offers superior protection compared to traditional URL rewriting services. Unlike standard URL rewriting, which relies on scanning links at the time of click, Perception Point’s solution proactively analyzes URLs before they even reach the user’s inbox.
By utilizing advanced technologies such as computer vision, large language models, and proprietary anti-evasion engines, Perception Point’s Dynamic URL Analysis can uncover hidden threats by simulating user behavior and analyzing the final destination of links in real-time. This proactive approach ensures that even the most evasive and well-masked phishing attempts are detected and blocked before they can reach the target.
The Future of Phishing Protection
As attackers continue to evolve their tactics, email security vendors and businesses must remain vigilant. The abuse of URL rewriting demonstrates how even well-established security measures can be exploited by cybercriminals. To stay ahead of these evolving threats, organizations must adopt more advanced, proactive defenses that go beyond traditional URL protection services.
Perception Point’s Dynamic URL Analysis, for example, provides a more accurate and robust defense against phishing attacks by analyzing URLs in real-time and neutralizing even the most evasive threats. As phishing continues to grow in sophistication, solutions like these are crucial for safeguarding businesses and their employees from the ever-present danger of phishing attacks.
Leveraging User Trust
Chris Fuller, Senior Director of Technical Field Operations at Obsidian Security says: “The escalation of phishing attacks via URL rewriting highlights how attackers are continually refining their methods to evade detection. By manipulating email links to redirect users through legitimate-looking URLs, cybercriminals can bypass traditional security filters and lure victims into providing sensitive information or downloading malicious files. This tactic leverages the trust users place in seemingly secure links and underscores the need for vigilance as threat actors exploit even the smallest gaps in security defenses.”
According to him, Obsidian Security research reveals that a worrying 93% of spear-phishing attacks occurred despite traditional email defense measures, and that 15% of these compromises happened where both an email provider and a dedicated security solution were in place. “This highlights the need to go beyond basic email filtering and implement advanced threat detection systems capable of analyzing the complete parameters of potential phishing sites. User education remains critical, particularly in helping individuals recognize suspicious behavior in emails and links. However, these measures must be complemented by robust security frameworks to ensure comprehensive protection against sophisticated phishing campaigns.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.