Cybercriminals Exploit URL Protections for Phishing Attacks

In a novel attack technique, cybercriminals are abusing legitimate URL protection services to hide malicious URLs in phishing emails, according to a new Threat Spotlight from Barracuda Networks, a trusted partner and leading provider of cloud-first security solutions.

From mid-May 2024 onwards, Barracuda researchers observed phishing attacks taking advantage of three different URL protection services to mask their phishing URLs. The services are provided by trusted, legitimate brands. To date, these attacks have targeted hundreds of companies, if not more.

URL protection services work by copying URL links found in emails, rewriting them, and then embedding the original within the rewritten one, rather like a wrap. When the email recipient clicks on the link, it triggers an email security scan of the original URL. If the scan is clear, the user is redirected to the URL. In the attacks seen, the users were redirected to phishing pages designed to steal sensitive information.

Barracuda researchers believe it is likely that the attackers initially gained entry to the URL protection services after compromising the accounts of legitimate users.

Once the attacker had taken over an email account, they could impersonate the owner, and infiltrate and examine their email communications, also known as business email compromise (BEC) or conversation hijacking. Links in emails connected to the account, or in the user’s email signature, would have shown whether a URL protection service was being used, and which one.

Using the compromised account to send themselves a phishing email carrying their malicious link, the attackers would have been able to get the protection URL they needed for their phishing campaigns.

“This inventive tactic helps attackers to evade security detection, and the abuse of trusted, legitimate security brands means that recipients are more likely to feel safe and click on the malicious link,” said Saravanan Mohankumar, Manager, Threat Analyst at Barracuda. “The URL protection provider may not be able to validate whether the redirect URL is being used by a customer or by an intruder who has taken over the account. Phishing is a powerful and often successful threat, and cybercriminals will continue to evolve their tools and techniques to maintain this. Security teams need to be prepared.”

Barracuda recommends a multilayered, AI-powered approach to defence, which can detect and block unusual or unexpected activity, however complex. These security measures should be complemented by active and regular security awareness training for employees on the latest threats and how to spot and report them.