Hackers found abusing URL protection tools to hide phishing links

Cybersecurity researchers have recently spotted hackers abusing URL protection tools to deliver phishing links to unsuspecting victims, with “hundreds of companies, if not more”, targeted.

When a person receives an email with a link, the URL protection tool copies the original URL and embeds it within a new, rewritten link. Once the recipient clicks on that rewritten link, it triggers a security scan. In this new campaign, which most likely started in mid-May 2024, the rewritten link navigated the recipients to a phishing site.

Barracuda’s researchers don’t seem to know exactly how the hackers managed to trick the URL protection tool, but suspect it is a result of a successful business email compromise (BEC) attack. They believe the attackers first gained access to the email inbox, analyzed the security tool installed, and then sent themselves an email with the phishing link.

Difficult to detect

Since the URL protection tool will rewrite the phishing URL, the attackers can then use the rewritten link to hide the malicious one inside. These links were sent from domains such as wanbf[.]com and clarelocke[.]com, and were designed to look like DocuSign and password reset reminders.
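
The following added example, which is not from the researchers' write-up or any vendor's code, shows one defensive check: unwrap rewritten links and judge each by its real destination rather than by the wrapper's domain. The wrapper host `protect.example.net`, the `url` parameter, the trusted-host list and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the article): the wrapper host and the query
# parameter carrying the original URL. Use your vendor's real format.
WRAPPER_HOSTS = {"protect.example.net"}
WRAPPED_PARAM = "url"
MAX_DEPTH = 5  # rewritten links can be nested; stop after a few layers


def unwrap(url, depth=0):
    """Return the innermost destination hidden inside rewritten links."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in WRAPPER_HOSTS or depth >= MAX_DEPTH:
        return url
    inner = parse_qs(parts.query).get(WRAPPED_PARAM)
    if not inner:
        return url  # wrapper link with no recoverable destination
    return unwrap(inner[0], depth + 1)


def triage(links, trusted_hosts):
    """Classify each link by its real destination, not the wrapper domain."""
    findings = []
    for link in links:
        dest = unwrap(link)
        dest_host = (urlsplit(dest).hostname or "").lower()
        wrapped = dest != link
        if wrapped and dest_host not in trusted_hosts:
            verdict = "review"  # arrived pre-wrapped, points to unknown host
        elif dest_host in trusted_hosts:
            verdict = "ok"
        else:
            verdict = "scan"    # plain unknown link: normal scanning path
        findings.append((verdict, dest_host))
    return findings


# Constructed sample links from one inbound message.
SAMPLE = [
    "https://protect.example.net/r?url=https%3A%2F%2Flogin.phish.example%2Freset",
    "https://protect.example.net/r?url=https%3A%2F%2Fprotect.example.net%2Fr"
    "%3Furl%3Dhttps%253A%252F%252Fdocs.corp.example%252Fa",
    "https://docs.corp.example/handbook",
]

if __name__ == "__main__":
    for verdict, host in triage(SAMPLE, {"docs.corp.example"}):
        print(verdict, host)
```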

“Traditional email security tools may find it difficult to detect these attacks,” the researchers said in their write-up. “The most effective defense is a multilayered approach, with various levels of security that can detect and block unusual or unexpected activity, however complex. Solutions that include machine-learning capabilities, both at the gateway level and post-delivery, will ensure companies are well protected.”

Barracuda also said that no matter how advanced email protection tools are, businesses should always consider educating their employees on the latest email-borne threats, and how to spot and report them. Humans are the first, and best, line of defense, since software and automated tools, no matter how advanced, will always have workarounds.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.