Hackers have found a way to exploit email URL rewriting features, a tool initially designed to protect users from phishing threats. This new tactic has raised alarms among security experts, turning a protective measure into a vulnerability.
URL rewriting is a security feature employed by email security vendors to protect users from malicious links embedded in emails.
When a user clicks on a link, the request first goes to the vendor's server, where the link is scanned for threats. If it is deemed safe, the user is redirected to the intended web content; otherwise, access is blocked.
Types of URL Rewriting
There are two main paradigms for URL rewriting:
- Legacy Security Solutions: These rely on rules and signatures based on known threats. They rewrite URLs to assess links later, leveraging updated threat intelligence. However, this often happens after an initial victim has been affected.
- Proactive Solutions: These scan links at the time of the click using technologies like computer vision and machine learning. Unlike legacy systems, they evaluate the URL’s behavior in real time.
Organizations often combine these methods, employing tools like Secure Email Gateway (SEG) and Integrated Cloud Email Security (ICES) solutions for enhanced protection.
Since mid-June 2024, attackers have exploited URL rewriting features to insert phishing links. This manipulation takes advantage of the trust users place in known security brands, making even the most vigilant employees more likely to click on seemingly safe links.
How Attackers Exploit URL Rewriting
Attackers typically have two options:
- Compromising Email Accounts: The more probable tactic involves compromising legitimate email accounts protected by URL rewriting features. Attackers send an email to themselves containing a “clean-later-to-be-phishing” URL. Once the email passes through the URL protection service, the link is rewritten, including the email security vendor’s name and domain, giving it an extra layer of legitimacy.
- Whitelisting Exploitation: Some email security services whitelist their dedicated rewriting domains, which attackers exploit. Once a rewritten URL is whitelisted, attackers can modify the destination to redirect users to a phishing site, bypassing further security checks.
Real-World Examples of URL Rewriting Exploits
Security researchers from Perception Point have observed a surge in phishing attacks exploiting URL protection services. Here are some examples:
Example 1: Double Rewrite Attack
Two email security vendors, Proofpoint and INKY, were exploited in a sophisticated phishing attack. The attacker sent an email with a rewritten phishing link disguised as a legitimate SharePoint document notification.
The URL was rewritten twice, first by Proofpoint and then by INKY. After solving a CAPTCHA challenge, the user was redirected to a phishing site mimicking a Microsoft 365 login page.
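The defender-side lesson from the double-rewrite attack and from the whitelisting tactic described above is to judge the final destination, not the rewriting domain wrapped around it. The following added example (not code from the article or from any vendor named in it) peels nested wrappers and flags nested rewriting and unvetted final hosts; the rewriter domains, query parameters and sample URLs are constructed placeholders, not real vendor formats.

```python
import urllib.parse

# Constructed, hypothetical rewriter formats (not any real vendor's): maps the
# rewriting host to the query parameter that carries the original destination.
REWRITER_PARAMS = {
    "links.example-protect.test": "u",
    "safe.example-gateway.test": "url",
}

def unwrap_once(url):
    """Return the destination embedded in one known wrapper, else None."""
    parts = urllib.parse.urlsplit(url)
    param = REWRITER_PARAMS.get(parts.hostname)
    if param is None:
        return None
    values = urllib.parse.parse_qs(parts.query).get(param)
    return values[0] if values else None

def unwrap(url, max_depth=5):
    """Peel nested wrappers; return (final_url, list_of_wrapper_hosts)."""
    hops, cur = [], url
    while len(hops) < max_depth:
        nxt = unwrap_once(cur)
        if nxt is None:
            break
        hops.append(urllib.parse.urlsplit(cur).hostname)
        cur = nxt
    return cur, hops

def assess(url, trusted_final_hosts):
    """Judge the final destination, never the rewriting domain in front of it."""
    final, hops = unwrap(url)
    host = urllib.parse.urlsplit(final).hostname or ""
    flags = []
    if len(hops) > 1:
        flags.append("nested-rewrite")  # the double-rewrite pattern
    if host not in trusted_final_hosts:
        flags.append("unvetted-final-destination")
    return {"final": final, "hops": hops, "flags": flags}

# Constructed sample: a phishing page wrapped by one rewriter, then by a second.
INNER = "https://m365-verify.example-phish.test/login"
ONCE = "https://links.example-protect.test/?u=" + urllib.parse.quote(INNER, safe="")
TWICE = "https://safe.example-gateway.test/v1?url=" + urllib.parse.quote(ONCE, safe="")

if __name__ == "__main__":
    print(assess(TWICE, {"sharepoint.example.test"}))
```

A gateway that allow-lists its own or a partner's rewriting domain skips exactly this unwrapping step, which is the gap the whitelisting tactic relies on.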
Example 2: Exploiting Rewritten URLs Across Multiple Targets
In another attack, a rewritten URL generated through compromised accounts protected by INKY and Proofpoint targeted multiple organizations.
The attackers exploited the rewritten URL to extend their reach, turning a single point of compromise into a widespread phishing campaign.
Example 3: Mimecast’s URL Rewriting Exploit
Perception Point prevented a phishing attack leveraging Mimecast’s URL rewriting service. The phishing link appeared safe due to the Mimecast domain but redirected users to a phishing site designed to steal credentials.
Example 4: IRS Phishing Attack via Sophos URL Rewriting
In this attack, Sophos’s URL rewriting service disguised a malicious link. The phishing email appeared as an urgent verification request from a legitimate organization, and the rewritten URL added legitimacy, making it difficult for recipients to recognize the threat.
To combat these sophisticated attacks, Perception Point offers Dynamic URL Analysis, which it positions as providing stronger protection than traditional URL rewriting.
This approach actively browses new or unknown URLs and analyzes their behavior before the email is delivered.
Key Features of Dynamic URL Analysis
- Proactive Detection: Scans and evaluates URLs in real time, preventing attacks from entering the inbox.
- Advanced Anti-Evasion: Equipped to defeat evasion tactics such as CAPTCHA challenges and geo-fencing.
- Post-Delivery and Meta-Analysis: Uses big data to rescan and reassess links after delivery autonomously.
- Advanced Browser Security: Scans URLs upon click, ensuring any malicious activity is detected in real-time.
Hackers’ exploitation of URL rewriting features underscores the need for continuous innovation in email security. As attackers become more sophisticated, security solutions must evolve to counter these threats.
Organizations are urged to adopt advanced detection methods like Dynamic URL Analysis to protect against these evolving phishing tactics.