Attackers are exploiting the URL wrapping practices of email security services to conceal phishing links and lend credibility to their malicious campaigns.
Email security services often rewrite email message URLs to route them through an intermediary domain for scanning. While redirecting links through URL scanning services may seem counterintuitive, attackers take advantage of the delay before these services begin detecting and blocking phishing pages.
Researchers from Cloudflare’s Email Security team identified several phishing campaigns over the past two months that abused compromised email accounts protected by services from Proofpoint and Intermedia.net. URLs within emails sent from these accounts were automatically rewritten by the security services to point to domains such as http://urldefense.proofpoint.com (Proofpoint) and http://url.emailprotection.link (Intermedia).
“Link wrapping is designed by vendors like Proofpoint to protect users by routing all clicked URLs through a scanning service, allowing them to block known malicious destinations at the moment of click,” Cloudflare researchers wrote in their report on the attacks. “While this is effective against known threats, attacks can still succeed if the wrapped link hasn’t been flagged by the scanner at click time.”
Recipients of these rogue emails are more likely to click on wrapped links, assuming they’ve already been vetted by security services. At the same time, reputation-based spam filters may fail to block such links, as they appear to point to trusted domains.
Multiple layers of obfuscation
To maximize their window of opportunity, the attackers behind these campaigns employ additional techniques to obscure their final payloads. In one campaign, the phishing URL was routed through several redirect domains, then wrapped by Proofpoint’s link rewriting service, and finally passed through a URL shortener, adding multiple layers of obfuscation.
The lures of the phishing emails vary: fake voicemail notifications with a button to access the message, alerts about messages allegedly received via Microsoft Teams, and notifications about secure documents sent through the Zix Secure Message service. But in every case, the final landing page, reached after a series of redirects, was a spoofed Microsoft Office 365 login page designed to harvest user credentials.
“This campaign’s abuse of trusted link wrapping services significantly increases the likelihood of a successful attack,” the Cloudflare researchers said. “Attackers exploit the inherent trust users place in these security tools, which can lead to higher click-through rates.”
While exploiting link-wrapping features from URL security scanners is an interesting development, the abuse of legitimate services to hide malicious payloads is neither new nor likely to disappear. Whether we’re talking about humans or software inspecting links, detection should never rely solely on domain reputation. Organizations should train their employees on how to spot phishing pages if they land on them, and automated tools should use more sophisticated content detection algorithms to identify such pages.
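A defender-side illustration of the point above and of the layered chains described under "Multiple layers of obfuscation": this added example (not from the Cloudflare report or any vendor) peels nested wrapper layers so that the URL is judged by its innermost destination rather than by the reputation of the outer wrapper domain. It assumes a generic shape where the target travels as a query value or path segment, plain or percent-encoded; that is a constructed assumption, not the real encoding used by Proofpoint or Intermedia, and the shortener list and sample URLs are constructed too.

```python
"""Judge a wrapped URL by its real destination, not the outer wrapper's reputation."""
import re
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlparse

# Wrapper domains named in the article; the shortener list is a constructed sample.
TRUSTED_WRAPPERS = {"urldefense.proofpoint.com", "url.emailprotection.link"}
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
_URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def extract_embedded_url(url: str) -> Optional[str]:
    """Return a URL carried inside the query or path of a wrapper URL.
    Assumption: the target travels as a query value or path segment, plain or
    percent-encoded. This is not the encoding any named vendor actually uses."""
    parsed = urlparse(url)
    for values in parse_qs(parsed.query).values():  # parse_qs already unquotes
        for value in values:
            if _URL_RE.match(value):
                return value
    match = _URL_RE.search(unquote(parsed.path))
    return match.group(0) if match else None


def peel(url: str, max_depth: int = 8) -> list:
    """Chain of URLs from the outermost wrapper to the innermost reachable target."""
    chain = [url]
    while len(chain) <= max_depth:
        inner = extract_embedded_url(chain[-1])
        if not inner or inner == chain[-1]:
            break
        chain.append(inner)
    return chain


def assess(url: str) -> dict:
    """Flag chains where a trusted wrapper fronts extra redirect hops or a shortener."""
    chain = peel(url)
    hosts = [urlparse(u).hostname or "" for u in chain]
    findings = []
    if hosts[0] in TRUSTED_WRAPPERS and len(chain) > 2:
        findings.append("redirect layers nested inside trusted wrapper")
    if any(h in KNOWN_SHORTENERS for h in hosts[1:]):
        findings.append("URL shortener hidden behind wrapper")
    # Reputation and content checks belong on the final hop, never on hosts[0].
    return {"hosts": hosts, "final_host": hosts[-1], "findings": findings}


# Constructed sample chain: wrapper -> redirector -> shortener (our encoding, not a vendor's).
SHORTENED = "https://bit.ly/3xyz"
REDIRECTOR = "https://redirect.example.net/go?url=" + quote(SHORTENED, safe="")
SAMPLE = "https://urldefense.proofpoint.com/?u=" + quote(REDIRECTOR, safe="")
```

Running `assess(SAMPLE)` reports the three hosts in the chain, names `bit.ly` as the hop that actually needs scanning, and raises both findings; a wrapper that directly fronts a document host raises none.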
The Cloudflare report contains indicators of compromise and email detection fingerprints that can be used to build detection signatures for these campaigns.