Hackers Use URL Rewriting Techniques to Insert Phishing Links
Hackers have found a way to bypass email security systems by exploiting URL rewriting functionality — a tool originally designed to protect users from malicious links. This method has raised concerns among experts, as a security measure has now become a vulnerability.
URL rewriting is a feature used to check links in emails. When a user clicks on a link, it is first redirected to a security service’s server for analysis. If the link is deemed safe, the user is taken to the target site; if not, access is blocked.
Types of URL Rewriting
- Legacy Systems: These solutions are based on known threat data and rewrite URLs for subsequent analysis. The downside is that the review process may begin only after the attack has already occurred.
- Modern Systems: These use machine learning to analyze the behavior of links in real time, which helps to detect threats early.
Many companies combine both approaches to enhance their protection. Since mid-2024, hackers have been actively using URL rewriting to conduct phishing attacks. They take advantage of employees’ trust in seemingly safe links, making even experienced users vulnerable.
Two main methods are used:
1. Account Compromise: Attackers gain access to legitimate email accounts and send emails with malicious links. The system rewrites these links, disguising them as safe.
2. Whitelisting Exploitation: Some services automatically whitelist their URL domains. Hackers can exploit this by redirecting the user to a phishing site.
Researchers at Perception Point have observed an increase in phishing attacks using URL protection systems.
In one attack, Proofpoint and INKY systems were used. The attackers sent an email with a phishing link that was rewritten twice. Users were redirected to a phishing page mimicking a Microsoft 365 login page.
In another attack, compromised accounts protected by INKY and Proofpoint allowed hackers to target multiple companies at once.
In the case of Mimecast, attackers used the Mimecast domain to mask a phishing link, redirecting users to a site intended to steal credentials.
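The double-rewritten link and the whitelisting problem described above can be checked on the defender's side by peeling each rewriter layer and judging the innermost destination instead of the wrapper host. This is an added example, not code from the cited research or from any vendor: the Proofpoint URL Defense v2 decoding follows its publicly known `u=` encoding, while `links.rewriter.example`, its `url` parameter, the sample link and the allowlist are constructed stand-ins.

```python
from urllib.parse import parse_qs, unquote, urlsplit

def _proofpoint_v2(parts):
    # URL Defense v2 keeps the original link in "u": "-XX" stands for "%XX", "_" for "/".
    # v3 links (urldefense.com/v3/...) use a different encoding and are not handled here.
    u = parse_qs(parts.query).get("u", [""])[0]
    return unquote(u.replace("-", "%").replace("_", "/")) or None

def _query_param(parts):
    # HYPOTHETICAL second rewriter that carries the target in a "url" parameter.
    return parse_qs(parts.query).get("url", [None])[0]

# Wrapper host -> decoder for the link it carries.
REWRITERS = {
    "urldefense.proofpoint.com": _proofpoint_v2,
    "links.rewriter.example": _query_param,  # assumed stand-in, not a real service
}

def unwrap(url, max_depth=5):
    """Peel rewriter layers; return (innermost_url, wrapper hosts, outermost first)."""
    chain = []
    for _ in range(max_depth):
        parts = urlsplit(url)
        decoder = REWRITERS.get(parts.hostname or "")
        inner = decoder(parts) if decoder else None
        if not inner:
            break
        chain.append(parts.hostname)
        url = inner
    return url, chain

def assess(url, allowed_hosts):
    """Judge the innermost destination, never the wrapper that fronts it."""
    final, chain = unwrap(url)
    host = urlsplit(final).hostname or ""
    findings = ["nested-rewrite"] if len(chain) >= 2 else []
    if host in REWRITERS:
        findings.append("undecodable-wrapper")  # opaque token or too many layers
    elif host not in allowed_hosts:
        findings.append("destination-not-allowlisted")
    return {"final": final, "chain": chain, "findings": findings}

def naive_allows(url, allowed_hosts):
    """The weak check: trusts whichever host appears in the delivered link."""
    return (urlsplit(url).hostname or "") in allowed_hosts

# Constructed sample: a destination wrapped by the hypothetical rewriter, then by v2.
SAMPLE = ("https://urldefense.proofpoint.com/v2/url?u=https-3A__links.rewriter.example"
          "_r-3Furl-3Dhttps-253A-252F-252Flogin.phish.example-252Fo365&d=CONSTRUCTED")
ALLOWED = {"urldefense.proofpoint.com", "links.rewriter.example", "intranet.example"}
```

Rewriters that hand out opaque tokens cannot be decoded offline; such links come back as `undecodable-wrapper` and need the vendor's own lookup before a verdict.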
Key Features of Dynamic URL Analysis
- Proactive threat detection in real time.
- Protection against evasion methods such as CAPTCHA and geo-blocking.
- Post-delivery analysis: links are rechecked even after emails are delivered.
- Constant link activity monitoring.
Hackers' use of these methods highlights the importance of not only technical protection but also regular employee training. Companies should conduct cybersecurity training to help employees recognize threats, even when links appear safe. This will help minimize the risk posed by human error.
Source: Cybersecuritynews
2
Phishing Attacks Target Major Brands: Google, Facebook, and Amazon Under Fire
According to Kaspersky’s research, phishing attacks on major brands have surged in 2024. Among the 25 global companies analyzed by experts, Google, Facebook, and Amazon were the top targets.
- Google faced over 4 million phishing attempts, marking a 243% increase compared to last year.
- Facebook recorded 3.7 million attack attempts, while Amazon saw approximately 3 million.
- Microsoft and DHL round out the top five with 2.8 million and 2.6 million attempts, respectively.
The total number of phishing attacks grew by 40%, reaching 26 million in the first half of 2024. Attacks on brands like Mastercard (+210%) and Netflix have also doubled in frequency.
Phishing remains a critical threat to companies. For example, gaining access to a Google account could compromise multiple services, while a successful attack on Mastercard risks stealing financial data through fake online stores.
Employee Training as a Defense Against Phishing
One of the key methods to counter phishing is regular employee training. Modern cybercriminals are using increasingly sophisticated social engineering techniques, making it crucial for staff to recognize them.
Companies that invest in cybersecurity education, such as Microsoft, have managed to reduce the number of successful attacks by improving employee awareness.
3
Microsoft Sway was used in a large-scale phishing campaign involving QR codes
Attackers utilized Microsoft Sway, a cloud service for creating online presentations, to host phishing pages and trick Microsoft 365 users into handing over their credentials.
Researchers from Netskope Threat Labs identified this type of attack in July 2024. The number of attacks using Microsoft Sway increased 2,000-fold, in sharp contrast to the low activity reported in the first half of the year.
The attacks targeted users in Asia and North America, with companies in the technology, manufacturing, and financial sectors being the primary targets.
Emails sent to victims redirected them to phishing pages hosted on the sway.cloud.microsoft domain. There, users were instructed to scan QR codes, which then directed them to malicious websites. A key feature of these attacks is that mobile devices, often used to scan QR codes, are less secure compared to computers, allowing attackers to bypass security measures.
“QR codes often evade email scanners since the URL is embedded in an image. Users scan them with mobile devices, which tend to have weaker protection,” the researchers explained.
Additionally, hackers employed various tactics, such as transparent phishing, stealing credentials and multi-factor authentication codes to gain access to victims' accounts. They also used Cloudflare Turnstile to hide phishing pages from security scanners and avoid being blocked by services like Google Safe Browsing.
Microsoft Sway had previously been abused in campaigns like PerSwaysion, which targeted Office 365 credentials and affected more than 150 high-level company employees.
The Importance of Employee Training in Cybersecurity
This incident highlights the importance of training employees in cybersecurity basics. Phishing attacks often exploit the human factor, taking advantage of user behavior or carelessness. As cyber threats grow, employees become the first line of defense. Companies must train their staff to identify suspicious emails and phishing schemes and to use technology safely, especially mobile devices.
Regular training helps minimize the risk of successful attacks, such as phishing campaigns involving QR codes, and protects an organization’s critical data.