Cybercriminals have found a new method to hide malicious URLs in phishing emails by exploiting legitimate URL protection services, as reported by Barracuda Networks in their latest Threat Spotlight.
Since mid-May 2024, Barracuda researchers have observed phishing attacks utilizing three different URL protection services to mask their malicious URLs. These services, provided by trusted brands, are designed to enhance email security. To date, these attacks have impacted hundreds of companies globally.
URL protection services function by copying, rewriting, and embedding the original URL within a new one. When a recipient clicks on the link, it triggers a security scan of the original URL. If the scan clears, the user is redirected to the intended URL. However, in these attacks, users were redirected to phishing pages aimed at stealing sensitive information.
Barracuda researchers suggest that attackers initially gained access to URL protection services by compromising legitimate user accounts. Once an attacker controls an email account, they can impersonate the account owner and infiltrate email communications, a tactic known as business email compromise (BEC) or conversation hijacking. By examining emails connected to the compromised account, attackers could identify the use of URL protection services.
By sending a phishing email to themselves from the compromised account, attackers could generate the protection URL needed for their phishing campaigns. This inventive tactic helps them evade security detection, and the use of trusted security brands makes recipients more likely to click on the malicious link.
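A defensive illustration of the rewriting described above, added here and not taken from Barracuda's report: a mail filter that judges a rewritten link by the destination embedded in it rather than by the reputation of the wrapper's domain. It also follows wrappers nested inside other wrappers, which goes beyond what the article describes. The wrapper host, link formats, blocklist entry and sample links are all constructed assumptions, since the report does not name the services involved.

```python
import base64
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed values: hypothetical wrapper host, placeholder blocklist entry,
# and sample links carrying the destination percent-encoded or base64url-encoded.
WRAPPER_HOSTS = {"urlprotect.example.com"}
BLOCKED_HOSTS = {"login-verify.example.net"}
BAD = "https://login-verify.example.net/signin"
SAMPLE_QUERY = ("https://urlprotect.example.com/v1/click"
                "?u=https%3A%2F%2Flogin-verify.example.net%2Fsignin&t=abc")
SAMPLE_B64 = ("https://urlprotect.example.com/r/"
              + base64.urlsafe_b64encode(BAD.encode()).decode().rstrip("="))
SAMPLE_OPAQUE = "https://urlprotect.example.com/l/9f3k2"

def _as_url(value):
    """Return value as a URL if it is one in plain or base64url form, else None."""
    if value.lower().startswith(("http://", "https://")):
        return value
    try:
        padded = value + "=" * (-len(value) % 4)
        decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return decoded if decoded.lower().startswith(("http://", "https://")) else None

def embedded_urls(link):
    """URLs carried inside a link's query values or path segments."""
    parts = urlsplit(link)
    candidates = [v for _, v in parse_qsl(parts.query)]
    candidates += [unquote(seg) for seg in parts.path.split("/") if seg]
    return [u for u in map(_as_url, candidates) if u]

def final_destinations(link, depth=5):
    """Unwrap nested wrappers offline; return the innermost embedded URLs."""
    inner = embedded_urls(link)
    if not inner or depth == 0:
        return [link]
    return [d for u in inner for d in final_destinations(u, depth - 1)]

def verdict(link):
    """Judge a link by what it wraps, not by the wrapper's trusted domain."""
    targets = final_destinations(link)
    if any(urlsplit(t).hostname in BLOCKED_HOSTS for t in targets):
        return "block"
    if urlsplit(link).hostname in WRAPPER_HOSTS and targets == [link]:
        return "review"  # opaque token: destination not recoverable offline
    return "allow"
```

Links that return "review" carry only an opaque token, so the destination has to be checked at click time or through the provider rather than trusted because of the wrapper's brand.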
“This inventive tactic helps attackers to evade security detection, and the abuse of trusted, legitimate security brands means that recipients are more likely to feel safe and click on the malicious link,” said Saravanan Mohankumar, Manager, Threat Analyst at Barracuda. “The URL protection provider may not be able to validate whether the redirect URL is being used by a customer or by an intruder who has taken over the account. Phishing is a powerful and often successful threat, and cybercriminals will continue to evolve their tools and techniques to maintain this. Security teams need to be prepared.”
Barracuda recommends a multilayered, AI-powered approach to defense that can detect and block unusual or unexpected activity, regardless of complexity. Additionally, regular security awareness training for employees on the latest threats and how to spot and report them is essential.