Hackers Exploit Email URL Rewriting Features for Phishing Attacks

Hackers have discovered a way to exploit email URL rewriting features, which are designed to protect users from phishing threats. This new tactic has raised alarms among security experts, turning a protective measure into a vulnerability.

Email security vendors employ URL rewriting as a feature to scan links embedded in emails and block malicious content. There are two main paradigms for URL rewriting: legacy solutions that rely on rules and signatures based on known threats, and proactive solutions that scan links at the time of click using technologies like computer vision and machine learning.

Since mid-June 2024, attackers have exploited URL rewriting features to insert phishing links. This manipulation takes advantage of the trust users place in known security brands, making even the most vigilant employees more likely to click on seemingly safe links.

Attackers typically have two options: compromising email accounts or whitelisting exploitation. In the first, after compromising an email account, the attacker sends themselves an email containing a “clean-later-to-be-phishing” URL. Once the email passes through the URL protection service, the link is rewritten to include the security vendor’s name and domain, giving it an extra layer of legitimacy.

Real-world examples of URL rewriting exploits include double rewrite attacks, exploiting rewritten URLs across multiple targets, Mimecast’s URL rewriting exploit, and an IRS phishing attack via Sophos URL rewriting. These attacks demonstrate how attackers can manipulate URL rewriting features to insert malicious links.
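
For defenders, the practical consequence of the rewritten and double-rewritten links described above is that a vendor's wrapper domain must not be treated as a trust signal. The following is an added example, not code from the article or from any vendor: it unwraps nested rewritten links and judges them by their innermost destination. The wrapper hosts, query parameter names and sample links are hypothetical and constructed for illustration.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Assumption: hypothetical rewriter hosts mapped to the query parameter that
# carries the original link. Real vendors each use their own wrapper format.
REWRITERS = {"protect.vendor-a.example": "url", "links.vendor-b.example": "u"}
MAX_DEPTH = 5  # wrappers nested this deep or deeper are treated as opaque

def unwrap(url):
    """Return (innermost_url, wrapper_hosts); innermost_url is None if opaque."""
    chain = []
    for _ in range(MAX_DEPTH):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        param = REWRITERS.get(host)
        if param is None:
            return url, chain          # not a wrapper: this is the destination
        chain.append(host)
        inner = parse_qs(parts.query).get(param)
        if not inner:
            return None, chain         # wrapper with no recoverable target
        url = inner[0]                 # parse_qs percent-decodes one layer
    return None, chain

def verdict(url, blocked_hosts):
    """Judge a link by its innermost destination, never by the wrapper brand.
    Run at click time or in a retro-hunt: the target may turn bad after delivery."""
    final, chain = unwrap(url)
    if final is None:
        return "quarantine"
    dest = (urlsplit(final).hostname or "").lower()
    if dest in blocked_hosts:
        return "block"
    return "review" if len(chain) > 1 else "allow"   # >1 wrapper: double rewrite

# Constructed sample links (not real indicators).
INNER = "https://login.phish.example/portal"
SINGLE = "https://protect.vendor-a.example/s?url=" + quote(INNER, safe="")
DOUBLE = "https://links.vendor-b.example/r?u=" + quote(SINGLE, safe="")

if __name__ == "__main__":
    for link in (SINGLE, DOUBLE, "https://protect.vendor-a.example/s"):
        print(verdict(link, {"login.phish.example"}), unwrap(link))
```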

To combat these sophisticated attacks, Perception Point offers Dynamic URL Analysis, which it says provides protection superior to traditional URL rewriting. This approach actively browses new or unknown URLs and analyzes their behavior before the email is delivered. Key features of Dynamic URL Analysis include proactive detection, advanced anti-evasion, post-delivery and meta-analysis, advanced browser security, and hack prevention.

Source: https://cybersecuritynews.com/exploit-email-url-rewriting/