URL Rewriting in Phishing Attacks | DROP Organization

URL Rewriting in Phishing Attacks

Over the past few months there has been serious exploitation of URL rewriting, a method that protects users by replacing the links in emails. Attackers have discovered new ways to abuse email URL rewriting features, which has raised alarms among security experts: what was built as a protective measure has turned into a vulnerability.

Attackers manipulate these rewritten URLs to hide highly evasive phishing links behind the trusted domains of security vendors, effectively bypassing detection. This has driven a sharp rise in advanced phishing attacks that leverage the very tools developed to prevent them.

Threat actors generally seek the most effective method of delivering their malicious links through email. We have already seen many such tactics, such as QR code phishing and two-step delivery methods that hide malicious links behind legitimate services such as Canva or Office Forms.

To understand how threat actors abuse URL rewriting features, let us first break down what “URL rewriting” actually is.

What is URL Rewriting?

URL rewriting is a security feature employed by email security vendors to protect users from malicious links embedded in emails. It is known by different names, such as URL protection or click-time protection, but it serves a single goal: protecting users from malicious links.

The process replaces each original URL with a modified link that directs the recipient first to the vendor’s servers. There, the link is scanned for threats at click time: if it is judged safe, the recipient is redirected to the web content; if not, the click is blocked.

Types of URL Rewriting

There are two main models for URL Rewriting:

  1. Legacy security solutions- These rely on rules and signatures based on previously identified threats. They rewrite URLs so that they can assess them later, leveraging updated threat intelligence and their broad visibility into email traffic. This approach allows them to block a site once new information becomes available, which means it often occurs only after an initial victim has already been hit and the site reported back to them.
  2. Proactive solutions- This is a newer approach to URL rewriting that scans links at the time of the click using technologies like computer vision and machine learning algorithms. Unlike legacy systems, these solutions do not rely solely on known malicious attacks or threat intelligence databases, but also evaluate the URL’s behavior in real time.

Organizations generally use a combination of these methods, employing tools like a Secure Email Gateway (SEG) (such as Proofpoint or Microsoft Defender’s native “Safe Links”) together with Integrated Cloud Email Security (ICES) solutions for enhanced protection. However, this layering does not always result in “double protection”.

The result is an increase in phishing attacks in which the tools designed to protect users against phishing are turned against them.

How Do Attackers Exploit URL Rewriting?

Threat actors may choose either of the two options explained below to exploit URL rewriting:

  1. Compromising Email Accounts- This is the most common tactic. The attacker compromises a legitimate email account that is protected by URL rewriting features and sends an email to themselves containing a “clean-now, later-to-be-phishing” URL. Once the email passes through the URL protection service, the link is rewritten to include the email security vendor’s name and domain, which gives it an extra layer of legitimacy.
  2. Whitelisting Exploitation- Some email security services whitelist their own dedicated rewriting domains, and attackers exploit this. Once a rewritten URL is whitelisted, the attacker can change the destination to redirect users to a phishing site, bypassing any further security checks.

Real-world Examples of URL Rewriting in Session Tracking

Security researchers have found a surge in phishing attacks that exploit URL protection services; several are discussed below:

Example 1: Double Rewrite Attack

Security researchers recently intercepted a URL rewriting phishing attack that can fairly be called sophisticated. It involved a “double rewrite”, in which two email security vendors, Proofpoint and INKY, were exploited.

The attacker sent an email containing a rewritten phishing link disguised as a legitimate SharePoint document notification. The URL in this message was first rewritten by Proofpoint’s security system and then rewritten a second time by INKY, which embedded its own URL protection link around the first rewrite.

If the target clicks the link, they are redirected to a custom-made CAPTCHA challenge page, which evades the vendors’ automated threat intelligence checks.

As soon as the target solves the CAPTCHA, they are redirected to a phishing site that mimics a Microsoft 365 login page, where their credentials are stolen.
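The double rewrite above, and the whitelisting problem from the previous section, both come down to one defensive rule: the security decision must be made on the final, fully unwrapped destination, never on the trusted wrapper host. The following Python is an added example (not code from this article or from any vendor) that peels nested rewrite wrappers and then applies policy to the final host; the wrapper hostnames, their query parameters and all sample URLs are constructed for the example, and real vendor link formats differ.

```python
from urllib.parse import urlparse, parse_qs, quote

# Constructed wrapper hosts and the query parameter each uses to carry the
# wrapped target. These are hypothetical, not any vendor's real format.
REWRITE_WRAPPERS = {
    "protect.vendor-a.example": "u",
    "links.vendor-b.example": "url",
}
MAX_DEPTH = 5  # more nesting than this is itself a signal worth reviewing


def unwrap_chain(url, max_depth=MAX_DEPTH):
    """Return [outermost wrapper, ..., final destination] for a rewritten URL."""
    chain = [url]
    for _ in range(max_depth):
        parsed = urlparse(chain[-1])
        param = REWRITE_WRAPPERS.get(parsed.netloc.lower())
        if param is None:
            return chain  # not a known wrapper: this is the real destination
        inner = parse_qs(parsed.query).get(param)  # parse_qs percent-decodes once
        if not inner:
            return chain  # wrapper without a target: nothing more to unwrap
        chain.append(inner[0])
    raise ValueError("rewrite nesting deeper than %d levels" % max_depth)


def evaluate(url, trusted_hosts):
    """Decide on the final host, so a trusted wrapper domain cannot vouch for it."""
    chain = unwrap_chain(url)
    final_host = urlparse(chain[-1]).netloc.lower()
    return {
        "wrappers": [urlparse(u).netloc.lower() for u in chain[:-1]],
        "final_host": final_host,
        "depth": len(chain) - 1,
        "verdict": "allow" if final_host in trusted_hosts else "review",
    }


# Constructed sample: vendor B wraps vendor A, which wraps a credential-harvesting page.
PHISH = "https://login-m365-verify.example/auth"
INNER = "https://protect.vendor-a.example/v1?u=" + quote(PHISH, safe="")
OUTER = "https://links.vendor-b.example/click?url=" + quote(INNER, safe="")
# Both wrapper domains are on the allowlist, as in the whitelisting scenario.
TRUSTED = {"protect.vendor-a.example", "links.vendor-b.example", "docs.corp.example"}

if __name__ == "__main__":
    print(evaluate(OUTER, TRUSTED))
```

Note that an allowlist check on the outer host alone would have passed this link, since both wrapper domains are trusted; only the unwrapped final host reveals the unknown destination.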

Example 2: Exploiting Rewritten URLs Across Multiple Targets

In another attack, a rewritten URL generated through compromised accounts protected by INKY and Proofpoint was used against multiple organizations. In this scenario the original recipient of the rewritten URL was different from the subsequent targets, which shows that the attackers not only exploit the rewritten URL but also reuse it in a broader campaign against multiple organizations.

Here, the threat actors used the rewritten URL to extend their reach: a single compromised account can turn into a widespread phishing campaign.

Example 3: Exploiting Mimecast’s URL Rewriting

Security researchers prevented a phishing attack that likely leveraged Mimecast’s URL rewriting service to mask a malicious link. The phishing link had been rewritten by Mimecast’s URL protection service so that it appeared to be a safe URL, but the final destination was a phishing site where user credentials were stolen.

Example 4: IRS Phishing Attack via Sophos URL Rewriting

In this significant phishing incident, Sophos’s URL rewriting service disguised a malicious link. The phishing email was designed to look like an urgent verification request from a legitimate organization, and the rewriting of its URL by Sophos added a layer of legitimacy.

Because of the Sophos domain, the URL looked safe, which made it difficult for recipients to recognize the threat. Once the rewritten link was clicked, targets were redirected to a phishing website crafted to harvest personal details under the guise of a legitimate service.

Preventive Measures for URL Rewriting Abuse

Relying on in-line computer vision alone is not sufficient. Alongside it, large language models and proprietary anti-evasion engines emulate user behavior and uncover the true payload by following email links through to their final destination.

This preventive approach delivers higher detection accuracy and neutralizes even the most evasive and well-masked threats before they reach the target inbox.

  • Proactive Detection- Scanning and evaluating URLs in real time prevents attacks from entering the inbox and protects against threats that exploit the gaps left by URL rewriting.
  • Advanced Anti-Evasion- This measure reverses evasion techniques such as CAPTCHA challenges and geo-fencing, ensuring that even the most cunningly disguised threats are detected and blocked.
  • Post-Delivery and Meta Analysis- An XDR-like infrastructure leverages big data to autonomously rescan and reassess links after delivery, catching threats that evolve post-delivery.
  • Advanced Browser Security- Most platforms offer browser security extensions that scan URLs at click time from the target’s point of view, so that suspicious and malicious activity is detected in real time.
