Barracuda has recently identified a new tactic that criminals are using to hide malicious phishing links: abusing URL protection services. Recent campaigns have abused three different protection services in order to make credential-harvesting websites appear more legitimate.
Whenever a URL is included in an email, the protection service copies it, rewrites it, and embeds the original URL within the rewritten one. If the email recipient clicks on a protected link, an email security scan of the original URL is triggered. If the scan finds no issues, the user is sent through to the site; if the scan suspects something malicious, it blocks the user from accessing the site.
Threat actors can exploit this by compromising accounts that have access to the URL protection service and then leveraging it to rewrite their own phishing URLs. This is commonly used in conversation hijacking, in which attackers impersonate vendors and continue existing conversations, or start new ones, using intelligence gathered from reading previous conversations, in order to deliver phishing links.
The researchers said that URL protection providers may not be able to validate whether the redirect URL being used by a specific customer is really being used by that customer or by an intruder who has taken over the account. Victims are believed to be more likely to click malicious links delivered this way, because the presence of the URL protection service lulls them into a false sense of security.
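The wrapping mechanism described above, as an added example that is not part of the original article: a small Python unwrapper that peels rewritten links back to the embedded destination, so that a scanner or analyst evaluates the real target rather than trusting the protection service's domain. The wrapper hostnames, query-parameter names and sample URL are constructed placeholders, not any real provider's format.

```python
"""Unwrap URL-protection rewrites so the embedded destination is what gets scanned."""
import base64
from typing import Dict, List, Optional
from urllib.parse import parse_qs, quote, urlsplit

# Constructed placeholders: wrapper hostnames mapped to the query parameter
# that carries the embedded original URL (real services use their own formats).
WRAPPER_HOSTS: Dict[str, str] = {
    "urlprotect.example.net": "u",      # percent-encoded original URL
    "safelinks.example.org": "target",  # base64url-encoded original URL
}
MAX_DEPTH = 5  # stop on pathological chains of wrappers wrapping wrappers


def _decode_embedded(value: str) -> Optional[str]:
    """Return the embedded URL if `value` is a plain or base64url-encoded URL, else None."""
    if value.startswith(("http://", "https://")):
        return value  # parse_qs has already percent-decoded it
    try:
        padded = value + "=" * (-len(value) % 4)
        decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return decoded if decoded.startswith(("http://", "https://")) else None


def unwrap(url: str, wrappers: Dict[str, str] = WRAPPER_HOSTS) -> List[str]:
    """Peel protection wrappers off `url`; the last hop is the destination to scan."""
    hops = [url]
    for _ in range(MAX_DEPTH):
        parts = urlsplit(hops[-1])
        param = wrappers.get(parts.hostname or "")
        if param is None:
            break  # not a known wrapper: this is the real destination
        values = parse_qs(parts.query).get(param)
        inner = _decode_embedded(values[0]) if values else None
        if inner is None:
            break  # wrapper host but no recognisable payload: flag for manual review
        hops.append(inner)
    return hops


def final_destination(url: str) -> str:
    return unwrap(url)[-1]


# Constructed sample: one link wrapped twice, as it would look after passing
# through two tenants' URL-protection services (a compromised vendor's and ours).
REAL_URL = "https://portal.example-vendor.test/login?session=abc123"
_inner = "https://safelinks.example.org/?target=" + base64.urlsafe_b64encode(
    REAL_URL.encode()).decode().rstrip("=")
SAMPLE_URL = "https://urlprotect.example.net/?u=" + quote(_inner, safe="")
```

Run the final hop through the usual URL reputation and sandbox checks; the wrapper domain itself is never evidence that a link is safe.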
These attacks follow other reports of increased use of QR codes in phishing campaigns, which push victims onto a third-party (shadow IT) device to open the link, allowing attackers to circumvent the protections the organisation has put in place.
To learn more about how you can protect your organisation from phishing campaigns, read the NCSC guidance on the subject, which includes detailed mitigation advice: Phishing attacks: defending your organisation - NCSC.GOV.UK