Cybersecurity researchers have recently spotted hackers abusing URL protection tools to deliver phishing links to unsuspecting victims, with “hundreds of companies, if not more”, targeted.
When a person receives an email with a link, a URL protection tool copies the original link and embeds it within a new, rewritten one. When the recipient clicks the rewritten link, it triggers a security scan. In this new campaign, which most likely started in mid-May 2024, the rewritten link navigated the recipients to a phishing site.
Barracuda’s researchers don’t seem to know exactly how the hackers managed to trick the URL protection tool, but suspect it is a result of a successful business email compromise (BEC) attack. They believe the attackers first gained access to the email inbox, analyzed the security tool installed, and then sent themselves an email with the phishing link.
Difficult to detect
Since the URL protection tool rewrites the phishing URL, the attackers can then use the rewritten link to hide the malicious one inside. These links were sent from domains such as wanbf[.]com and clarelocke[.]com, and were designed to look like DocuSign and password reset reminders.
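An added example, not taken from Barracuda's write-up or from any product: because the visible host of a rewritten link is the protection service rather than the destination, a filter has to unwrap the link and judge the innermost URL. The wrapper hosts, query-parameter names, blocklist entry and sample URL below are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: wrapper hosts and the query parameter that carries the original
# link. Both entries are hypothetical; replace them with the rewriters that
# actually appear in your mail flow.
WRAPPERS = {"urlprotect.example": "u", "linkscan.example": "target"}
MAX_DEPTH = 5  # stop on absurdly nested or self-referencing wrappers

# Constructed sample: a phishing URL wrapped twice by two different rewriters.
SAMPLE = ("https://urlprotect.example/v1?u=https%3A%2F%2Flinkscan.example%2Fr"
          "%3Ftarget%3Dhttps%253A%252F%252Flogin.phish.example%252Freset")


def unwrap(url, wrappers=WRAPPERS):
    """Return (final_url, chain_of_wrapper_hosts) for a rewritten link."""
    chain = []
    for _ in range(MAX_DEPTH):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        param = wrappers.get(host)
        if param is None:
            break  # not a known wrapper: this is the real destination
        inner = parse_qs(parts.query).get(param)
        if not inner:
            break  # wrapper host without a payload; leave it for review
        chain.append(host)
        url = inner[0]  # parse_qs has already percent-decoded the value
    return url, chain


def verdict(url, blocked_hosts, wrappers=WRAPPERS):
    """Judge a link by its innermost destination, never by the wrapper host."""
    final, _chain = unwrap(url, wrappers)
    host = (urlsplit(final).hostname or "").lower()
    if not host or host in wrappers:
        return "review", final  # unparsable, empty, or still wrapped
    blocked = any(host == b or host.endswith("." + b) for b in blocked_hosts)
    return ("block" if blocked else "allow"), final


if __name__ == "__main__":
    print(unwrap(SAMPLE))
    print(verdict(SAMPLE, {"phish.example"}))
```

A link that is still a wrapper after unwrapping, or that carries no payload, is returned as "review" rather than allowed, so a trusted rewriter domain never counts as a clean verdict on its own.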
“Traditional email security tools may find it difficult to detect these attacks,” the researchers said in their write-up. “The most effective defense is a multilayered approach, with various levels of security that can detect and block unusual or unexpected activity, however complex. Solutions that include machine-learning capabilities, both at the gateway level and post-delivery, will ensure companies are well protected.”
Barracuda also said that no matter how advanced email protection tools are, businesses should always consider educating their employees on the latest email-borne threats, and how to spot and report them. Humans are the first, and best, line of defense, since software and automated tools, no matter how advanced, will always have workarounds.