Using a novel attack technique, cybercriminals are abusing legitimate URL protection services to hide malicious URLs in phishing emails, according to a recent Threat Spotlight from Barracuda Networks, a provider of cloud-first security solutions.

Since mid-May 2024, Barracuda researchers have observed phishing attacks exploiting three different URL protection services to mask their malicious links. These services, offered by reputable brands, have inadvertently been used to facilitate these attacks. To date, these attacks have targeted hundreds of companies.

URL protection services work by rewriting the links found in emails and embedding the original URL inside the rewritten link. When the recipient clicks the rewritten link, the service scans the original URL; if it is deemed safe, the user is redirected to it. In the observed attacks, the users were redirected to phishing pages designed to steal sensitive information.

“This inventive tactic helps attackers evade security detection, and the abuse of trusted, legitimate security brands means that recipients are more likely to feel safe and click on the malicious link,” said Saravanan Mohankumar, a threat analyst at Barracuda.

He noted that the URL protection provider may not be able to validate whether the redirect URL is being used by a customer or by an intruder who has taken over the account.
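The defensive lesson from the link rewriting described above is that a scanner must judge the embedded destination, not the trusted wrapper host. The following is an added example written for this article, not code from Barracuda or any URL protection vendor; it assumes a hypothetical rewrite format (`https://<wrapper-host>/v1?u=<percent-encoded original URL>`) and constructed wrapper host names, and it follows nested wrappers so that a link wrapped by one service inside another is still resolved to its real destination.

```python
"""Recover the real destination behind URL-protection rewrite links.

Assumed (hypothetical) rewrite format for this example:
    https://<wrapper-host>/v1?u=<percent-encoded original URL>
Real providers use their own formats; WRAPPER_HOSTS and PARAM are
constructed placeholders and would be adapted to the services in use.
"""
from urllib.parse import urlparse, parse_qs

WRAPPER_HOSTS = {"urlprotect.example", "safelinks.example"}  # constructed
PARAM = "u"          # assumed name of the query parameter carrying the original URL
MAX_DEPTH = 5        # guard against wrapper loops / deliberately deep nesting


def unwrap(url, depth=0):
    """Return (final_destination, hops).

    Peels one wrapper layer per recursion step until the host is no longer
    a known wrapper. parse_qs percent-decodes the parameter value once, which
    is exactly one layer of encoding, so nested wrappers resolve correctly.
    """
    if depth >= MAX_DEPTH:
        raise ValueError("too many nested URL-protection wrappers")
    parts = urlparse(url)
    if parts.hostname not in WRAPPER_HOSTS:
        return url, depth
    inner = parse_qs(parts.query).get(PARAM)
    if not inner:
        return url, depth  # wrapper link without a payload: nothing to peel
    return unwrap(inner[0], depth + 1)


def assess(url, trusted_domains):
    """Defender-side verdict on a link found in an email.

    The wrapper host is never used as evidence of safety; only the unwrapped
    destination is compared against the organisation's trusted domains.
    """
    destination, hops = unwrap(url)
    host = urlparse(destination).hostname or ""
    trusted = any(host == d or host.endswith("." + d) for d in trusted_domains)
    return {
        "destination": destination,
        "hops": hops,                 # number of wrapper layers removed
        "wrapped": hops > 0,
        "trusted_destination": trusted,
    }
```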

AI-powered defense approach

“Phishing is a powerful and often successful threat, and cybercriminals will continue to evolve their tools and techniques to maintain this,” he said. “Security teams need to be prepared.”

Barracuda researchers believe the attackers initially gained access to the URL protection services after compromising the accounts of legitimate users. Once an attacker had control of an email account, they could impersonate the owner and examine their email communications, a tactic known as business email compromise (BEC) or conversation hijacking. By sending themselves a phishing email from the compromised account, the attackers obtained the protection URL needed for their phishing campaigns.

Barracuda recommends a multilayered, AI-powered defense approach to detect and block unusual activity. These measures should be complemented by regular security awareness training for employees on the latest threats and how to spot and report them.
