Cybercriminals are exploiting legitimate URL protection services to mask malicious URLs in phishing emails, as detailed in a recent Threat Spotlight by Barracuda Networks.
From mid-May 2024 onwards, Barracuda researchers have detected phishing attacks utilizing three different URL protection services provided by trusted, well-established brands. These attacks have impacted hundreds of companies, potentially affecting even more.
How Attackers Are Exploiting URL Protection Services
URL protection services are designed to enhance email security by rewriting the URLs found in emails. They copy the original URL, embed it within a rewritten link that points at the service, and scan the original destination for security threats when the recipient clicks. If the scan confirms the URL is safe, the user is redirected to the original site. In the observed attacks, however, the rewritten links redirected users to phishing sites designed to steal sensitive information.
Barracuda’s analysis suggests that attackers first compromised the accounts of legitimate users to gain access to these URL protection services. Once inside a compromised account, attackers could impersonate the account owner and scrutinize their email communications, a tactic known as business email compromise (BEC) or conversation hijacking. By examining these emails, attackers could identify the specific URL protection service in use.
Using the compromised account, attackers would send a phishing email to themselves containing their malicious link. This email would then be processed by the URL protection service, resulting in a rewritten link that attackers could use in their phishing campaigns.
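Because the outer link carries a trusted security brand, a filter that judges only the visible domain will pass it; the check that matters is on the embedded destination. The following added example (not Barracuda's code, and the wrapper hosts, query parameters, allowlist and sample links are all constructed placeholders, since real services use their own formats) peels such rewritten links, including nested ones, and scores the final destination instead of the wrapper:

```python
from urllib.parse import urlparse, parse_qs, quote

# Constructed wrapper formats for this example: the host of a hypothetical URL
# protection service and the query parameter that carries the embedded original
# link. Real services each have their own scheme; these are placeholders.
WRAPPER_PARAMS = {
    "urlprotect.example": "u",
    "safelink.example": "target",
}

def unwrap(url, max_depth=5):
    """Peel rewritten-link wrappers until a non-wrapper URL is reached.

    Returns (final_url, chain), chain listing every hop, outermost first.
    parse_qs percent-decodes the embedded value once per hop, so a wrapper
    nested inside another wrapper is decoded layer by layer.
    """
    chain = [url]
    for _ in range(max_depth):
        parts = urlparse(url)
        param = WRAPPER_PARAMS.get(parts.hostname or "")
        if param is None:
            break                     # reached a non-wrapper destination
        inner = parse_qs(parts.query).get(param)
        if not inner or not inner[0].startswith(("http://", "https://")):
            break                     # missing or malformed embedded URL
        url = inner[0]
        chain.append(url)
    return url, chain

def assess(url, allowed_hosts):
    """Verdict on a link: judge the destination, not the trusted wrapper."""
    final, chain = unwrap(url)
    host = urlparse(final).hostname or ""
    if len(chain) == 1:
        return "not-rewritten"        # ordinary link; normal filtering applies
    if host in WRAPPER_PARAMS:
        return "suspicious-nesting"   # still wrapped after max_depth hops
    if any(host == a or host.endswith("." + a) for a in allowed_hosts):
        return "ok"
    return "suspicious-destination"   # trusted wrapper, untrusted destination

ALLOWED = {"corp.example", "docusign.com"}   # constructed allowlist

# Constructed sample links: a legitimate password-reset link, a DocuSign-style
# lure, and a lure nested inside two different protection-service wrappers.
SAMPLES = [
    "https://urlprotect.example/v2/url?u=" + quote("https://portal.corp.example/reset?token=abc", safe=""),
    "https://safelink.example/?target=" + quote("https://docusign-review.example.net/sign", safe=""),
    "https://urlprotect.example/v2/url?u=" + quote("https://safelink.example/?target=" + quote("https://bad.example.net/", safe=""), safe=""),
]
```

Run `assess(link, ALLOWED)` over each link in an inbound message; anything other than `ok` or `not-rewritten` is worth quarantining or at least logging with the full unwrap chain for the analyst.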
“This inventive tactic helps attackers to evade security detection, and the abuse of trusted, legitimate security brands means that recipients are more likely to feel safe and click on the malicious link,” said Saravanan Mohankumar, Manager, Threat Analyst at Barracuda.
“The URL protection provider may not be able to validate whether the redirect URL is being used by a customer or by an intruder who has taken over the account. Phishing is a powerful and often successful threat, and cybercriminals will continue to evolve their tools and techniques to maintain this. Security teams need to be prepared.”
In the documented cases, malicious URL links were included in emails from domains such as wanbf[.]com and clarelocke[.]com, which mimicked DocuSign and password reset reminders. These deceptive emails are designed to look legitimate, increasing the likelihood that recipients will click on the links.
Implications and Challenges
This method of phishing is particularly insidious because it leverages the inherent trust recipients place in well-known security services. Traditional email security tools, which rely on detecting known malicious patterns or behaviors, may find it difficult to identify these attacks due to their use of legitimate URL protection services.
The use of legitimate URL protection services provides a cloak of authenticity, making recipients more likely to trust and click on malicious links. Additionally, because the links have already been processed by a security service, there is a higher likelihood that they will bypass conventional security filters.
Defensive Strategies
Traditional email security tools may struggle to detect these attacks, because the visible link points at a legitimate security service. The most effective defense is therefore a multilayered approach that does not rely on any single indicator.
Barracuda advocates for a multilayered, AI-powered approach to defense, which can detect and block unusual or unexpected activity, no matter how complex. This includes leveraging machine learning to identify anomalies and potential threats at both the gateway level and after email delivery.
Furthermore, continuous and comprehensive security awareness training for employees is crucial. Educating employees about the latest phishing tactics and how to identify suspicious emails can significantly reduce the risk of successful phishing attacks.
As defenders improve their capabilities to detect and mitigate phishing attacks, adversaries continually adapt their methods. One common technique is URL obfuscation, where attackers use legitimate shortlink services to hide malicious URLs. This approach has now evolved into a more sophisticated strategy that exploits the reputation and trustworthiness of brand-name URL protection services.