{"id":4199,"date":"2025-07-31T22:40:25","date_gmt":"2025-07-31T22:40:25","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4199"},"modified":"2025-07-31T22:40:25","modified_gmt":"2025-07-31T22:40:25","slug":"attackers-wrap-phishing-links-through-url-scanning-services-to-bypass-detection","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4199","title":{"rendered":"Attackers wrap phishing links through URL scanning services to bypass detection"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Attackers are exploiting the URL wrapping practices of email security services to conceal phishing links and lend credibility to their malicious campaigns.<\/p>\n<p>Email security services often rewrite email message URLs to route them through an intermediary domain for scanning. While redirecting links through URL scanning services may seem counterintuitive, attackers take advantage of the delay before these services begin detecting and blocking phishing pages.<\/p>\n<p>Researchers from Cloudflare\u2019s Email Security team identified several <a href=\"https:\/\/www.csoonline.com\/article\/514515\/what-is-phishing-examples-types-and-techniques.html\">phishing<\/a> campaigns over the past two months that abused compromised email accounts protected by services from Proofpoint and Intermedia.net. 
URLs within emails sent from these accounts were automatically rewritten by the security services to point to domains such as http:\/\/urldefense.proofpoint.com and http:\/\/url.emailprotection.link (Intermedia).<\/p>\n<p>\u201cLink wrapping is designed by vendors like Proofpoint to protect users by routing all clicked URLs through a scanning service, allowing them to block known malicious destinations at the moment of click,\u201d Cloudflare researchers wrote in <a href=\"https:\/\/www.cloudflare.com\/threat-intelligence\/research\/report\/attackers-abusing-proofpoint-intermedia-link-wrapping-to-deliver-phishing-payloads\/\">their report on the attacks<\/a>. \u201cWhile this is effective against known threats, attacks can still succeed if the wrapped link hasn\u2019t been flagged by the scanner at click time.\u201d<\/p>\n<p>Recipients of these rogue emails are more likely to click on wrapped links, assuming they\u2019ve already been vetted by security services. At the same time, reputation-based spam filters may fail to block such links, as they appear to point to trusted domains.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Multiple layers of obfuscation<\/strong><\/h2>\n<p>To maximize their window of opportunity, the attackers behind these campaigns employ additional techniques to obscure their final payloads. In one campaign, the phishing URL was routed through several redirect domains, then wrapped by Proofpoint\u2019s link rewriting service, and finally passed through a URL shortener, adding multiple layers of obfuscation.<\/p>\n<p>The lures of the phishing emails vary: fake voicemail notifications with a button to access the message, alerts about messages allegedly received via Microsoft Teams, and notifications about secure documents sent through Zix Secure Message. 
But in every case, the final landing page, reached after a series of redirects, was a spoofed Microsoft Office 365 login page designed to harvest user credentials.<\/p>\n<p>\u201cThis campaign\u2019s abuse of trusted link wrapping services significantly increases the likelihood of a successful attack,\u201d the Cloudflare researchers said. \u201cAttackers exploit the inherent trust users place in these security tools, which can lead to higher click-through rates.\u201d<\/p>\n<p>While exploiting link-wrapping features from URL security scanners is an interesting development, the abuse of legitimate services to hide malicious payloads is neither new nor likely to disappear. Whether we\u2019re talking about humans or software inspecting links, detection should never rely solely on domain reputation. Organizations should train their employees on how to spot phishing pages if they land on them, and automated tools should use more sophisticated content detection algorithms to identify such pages.<\/p>\n<p>The Cloudflare report contains indicators of compromise and email detection fingerprints that can be used to build detection signatures for these campaigns.<\/p>\n<p><strong>See also:<\/strong><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3850783\/11-ways-cybercriminals-are-making-phishing-more-potent-than-ever.html\">11 ways cybercriminals are making phishing more potent than ever<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/537540\/9-tips-to-prevent-phishing.html\">9 tips to prevent phishing<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/569867\/9-top-anti-phishing-tools-and-services.html\">10 top anti-phishing tools and services<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Attackers are exploiting the URL wrapping practices of email security services to conceal phishing links and lend credibility to their malicious campaigns. 
Email security services often rewrite email message URLs to route them through an intermediary domain for scanning. While redirecting links through URL scanning services may seem counterintuitive, attackers take advantage of the delay [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4200,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4199","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4199"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4199"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4199\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4200"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4199"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}