New phishing tactic hijacks email protections to mask links

Email security company Barracuda exposed a recent phishing campaign that uses legitimate URL protection services to mask malicious email links.

The new phishing tactic was revealed in a Barracuda blog post Monday, and has been leveraged in attacks beginning around mid-May 2024.

The attacks take advantage of the legitimacy of URL protection services used by organizations, turning an anti-phishing measure into a phishing tool. Multiple different protection services were misused by the campaign, Barracuda said.

URL protection rewrites links received by business email accounts, causing them to direct back to the protection service, which scans the original link for threats. Users are then redirected to the original URL if no threats are found.

In the attacks identified by Barracuda, which have targeted hundreds of organizations, the attackers managed to “wrap” their own phishing links in a legitimate protection service domain, decreasing the likelihood of automatic detection and filtering.

The researchers say the attackers most likely used already-compromised business accounts that utilize URL protection services to generate the pre-wrapped links. After sending the phishing links to the compromised accounts under their control, the attackers could copy the rewritten URL to include in their subsequent phishing emails, the researchers theorized.

Emails linked to this campaign included fake password reset reminders and fake DocuSign documents that lure victims to malicious phishing websites. Phishing domains tied to the campaign included wanbf[.]com and clarelocke[.]com.

SC Media asked Barracuda whether the scans performed by the URL protection service would halt these attacks by preventing the user from being redirected to the attacker’s domain. A Barracuda spokesperson said the company’s own products would detect the malicious domains but did not comment on other email protection services.

“Organizations should deploy products that provide multiple defense layers, ie. within Barracuda’s Email Protection, we have ML technology combined with LinkProtect that ensures there is least amount of interaction possible,” Barracuda told SC Media.

Email attackers continue to find ways to disguise links

Barracuda’s blog post noted the latest campaign is similar to previous campaigns in which attackers have used legitimate link-shortening services to hide a malicious URL. In fact, cybercriminals have deployed many tactics to mask phishing links with legitimate domains.

Last October, Cofense discovered a resurgence of phishing campaigns using LinkedIn Smart Links to direct targets to malicious websites. LinkedIn Smart Links are generated through LinkedIn’s Sales Navigator to deliver content and track engagement; because they are connected to the LinkedIn domain, they’re less likely to be flagged as malicious by email security services.

Attackers have also used Google’s Accelerated Mobile Pages (AMP) framework to append malicious URLs to google.com links, which helps avoid detection due to Google’s trusted status, Cofense reported last August.

Cybercriminals have similarly used public cloud services like Google Cloud to host phishing kits and generate seemingly legitimate URLs, Resecurity revealed in a February 2024 blog post.

Such tactics point to a need for multi-layered email protection that goes beyond basic domain filtering.