Channel: Asana’s MCP AI connector could have exposed corporate data, CSOs warned | CSO Online

Attackers abuse URL protection services to hide phishing links in emails


Recent phishing campaigns were seen abusing email security services that rewrite URLs to hide their own malicious links. The irony is that this URL rewriting feature, which is common in secure email gateways and some cloud-based email services, is specifically intended as a reputation filter to prevent users from accessing known phishing sites.

“From mid-May 2024 onwards, Barracuda researchers observed phishing attacks taking advantage of three different URL protection services to mask their phishing URLs,” researchers from security firm Barracuda Networks said in a report this week. “The services are provided by trusted, legitimate brands. To date, these attacks have targeted hundreds of companies, if not more.”

How URL protection works

The URL protection services that Barracuda describes in its report are used by email security vendors to perform on-access reputation checks on links included in emails. They work by rewriting links in incoming or outgoing emails to point to a domain and service under the vendor's control.

When users then click on the rewritten link, the server checks whether the link points to a known phishing or malware website and, based on the result, either blocks access to it or redirects the request to the final destination. The benefit is that if a website is flagged as malicious at a later time, all rewritten links pointing to it will stop working, delivering protection to all users.

However, the success of this approach in practice is debatable and it has downsides too. First, it breaks cryptographic email signatures because the secure email gateway modifies the original email by changing the link. Second, the rewritten links obfuscate the real destinations, which in some cases would be obviously suspicious just by looking at them.

For example, Microsoft offers this feature under the name Safe Links for Office 365 users, where links in incoming emails and messages in apps like Outlook and Teams are rewritten to na01.safelinks.protection.outlook.com/?url=[original_URL]. This feature has been criticized in the past by security companies for not actually performing dynamic scans, or for being easy to bypass with traffic redirection based on IP (Microsoft’s IP addresses are publicly known) or by using open redirect URLs from legitimate and trusted domains.

The biggest downside is that these reputation checks are based on blacklists and the time needed for a new phishing site to be added to a vendor’s blacklist varies. It could take minutes, hours or days, depending on whether anyone reports it. Some vendors are faster than others and attackers know this as well. Domains are pretty cheap and by the time one is flagged for hosting a phishing site, hundreds of users might have already fallen victim to it.

How attackers abused the URL rewriting services

It’s not clear how the attackers behind the recent phishing campaigns seen by Barracuda were able to generate rewritten URLs pointing to their fake websites. However, the researchers speculate that it’s likely they compromised email accounts from inside organizations that had products using these services, and then sent emails to or from those compromised accounts to force the URL rewrites.

Then it was just a matter of taking the rewritten URLs from the resulting email message and reusing them to craft new phishing emails. The URLs will continue to work indefinitely across multiple user clicks until the destination domains are flagged as malicious.

Some of the phishing emails using this technique masqueraded as password change reminders from Microsoft or document signing requests from DocuSign. The emails had the usual branding elements of the spoofed services, including buttons that used the rewritten links to redirect users.
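Because a rewritten link shows only the protection service's domain, anyone triaging a reported message has to unwrap it before judging the destination. The sketch below is an added example, not code from the article or from Barracuda: it peels the `?url=` wrapper format quoted above (including nested wrappers) and reports the real host. The function names, the `trusted_domains` allowlist and the sample links are constructed assumptions, and only the Safe Links host pattern named in the article is recognised.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: wrappers are recognised by host suffix. Only the Safe Links
# domain named in the article is listed; add your own gateway's domain.
WRAPPER_SUFFIXES = (".safelinks.protection.outlook.com",)
MAX_DEPTH = 5  # bound the work on deliberately nested wrappers

def _split(url):
    # Links copied from a message body may lack a scheme; add one so that
    # urlsplit() fills in the hostname.
    if "://" not in url.split("?", 1)[0]:
        url = "https://" + url
    return urlsplit(url)

def is_wrapper(host):
    host = (host or "").lower().rstrip(".")
    return any(host.endswith(s) for s in WRAPPER_SUFFIXES)

def unwrap(url):
    """Return (destination, layers). A wrapper with no usable url= value
    is returned unchanged with layers == 0 so callers can flag it."""
    layers = 0
    while layers < MAX_DEPTH:
        parts = _split(url)
        if not is_wrapper(parts.hostname):
            break
        inner = parse_qs(parts.query).get("url", [""])[0]  # percent-decoded
        if not inner:
            break
        url, layers = inner, layers + 1
    return url, layers

def triage(links, trusted_domains):
    """Judge each link by its real destination, not by the wrapper domain."""
    findings = []
    for link in links:
        dest, layers = unwrap(link)
        host = (_split(dest).hostname or "").lower()
        unresolved = is_wrapper(host)  # wrapper we could not see through
        trusted = any(host == d or host.endswith("." + d) for d in trusted_domains)
        findings.append({"destination_host": host, "layers": layers,
                         "review": unresolved or not trusted})
    return findings

# Constructed sample links (not taken from any real campaign).
SAMPLE_LINKS = [
    "https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flogin.example.net%2Freset&data=x",
    "https://na01.safelinks.protection.outlook.com/?data=x",
    "https://intranet.example.com/wiki",
]
```

Calling `triage(SAMPLE_LINKS, ("example.com",))` marks the first two links for review: one resolves to a host outside the allowlist and the other is a wrapper with no recoverable destination.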

“As with all email-borne threats, security measures should be complemented by active and regular security awareness training for employees on the latest threats and how to spot and report them,” the Barracuda researchers said.

More by Lucian Constantin:

