Attackers wrap phishing links through URL scanning services to bypass detection

urldefense.proofpoint.com and url.emailprotection.link (Intermedia).

“Link wrapping is designed by vendors like Proofpoint to protect users by routing all clicked URLs through a scanning service, allowing them to block known malicious destinations at the moment of click,” Cloudflare researchers wrote in their report on the attacks. “While this is effective against known threats, attacks can still succeed if the wrapped link hasn’t been flagged by the scanner at click time.”

Recipients of these rogue emails are more likely to click on wrapped links, assuming they’ve already been vetted by security services. At the same time, reputation-based spam filters may fail to block such links, as they appear to point to trusted domains. To maximize their window of opportunity, the attackers behind these campaigns employ additional techniques to obscure their final payloads. In one campaign, the phishing URL was routed through several redirect domains, then wrapped by Proofpoint’s link rewriting service, and finally passed through a URL shortener, adding multiple layers of obfuscation.

The lures of the phishing emails vary: Fake voicemail notifications with a button to access the message, alerts about messages allegedly received via Microsoft Teams, notifications about secure documents sent through the Zix Secure Message. But in every case, the final landing page, reached after a series of redirects, was a spoofed Microsoft Office 365 login page designed to harvest user credentials.

“This campaign’s abuse of trusted link wrapping services significantly increases the likelihood of a successful attack,” the Cloudflare researchers said. “Attackers exploit the inherent trust users place in these security tools, which can lead to higher click-through rates.”

While exploiting link-wrapping features from URL security scanners is an interesting development, the abuse of legitimate services to hide malicious payloads is neither new nor likely to disappear.

Whether we’re talking about humans or software inspecting links, detection should never rely solely on domain reputation. Organizations should train their employees on how to spot phishing pages if they land on them, and automated tools should use more sophisticated content detection algorithms to identify such pages.

The Cloudflare report contains indicators of compromise and email detection fingerprints that can be used to build detection signatures for these campaigns.

See also:
11 ways cybercriminals are making phishing more potent than ever
9 tips to prevent phishing
10 top anti-phishing tools and services
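
An added example, not from the article or the Cloudflare report: one way a mail filter can act on the advice not to rely on domain reputation alone, by decoding Proofpoint-wrapped links offline and scoring the embedded host instead of the wrapper domain. It assumes the commonly documented v1/v2 `u=` encodings; the function names, status strings and sample links are constructed for illustration, and Intermedia links are treated as opaque.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Wrapper hosts named in the article. Assumption: only Proofpoint's v1/v2
# query-string formats are decoded; Intermedia links are treated as opaque.
PROOFPOINT_HOST = "urldefense.proofpoint.com"
OPAQUE_WRAPPERS = {"url.emailprotection.link"}

def decode_proofpoint(url):
    """Return the URL embedded in a Proofpoint v1/v2 wrapped link, or None."""
    parts = urlsplit(url)
    values = parse_qs(parts.query).get("u")
    if not values:
        return None
    inner = values[0]  # parse_qs has already percent-decoded this (v1 format)
    if parts.path.startswith("/v2/"):
        # v2 writes '%' as '-' and '/' as '_' inside the u= parameter
        inner = unquote(inner.replace("-", "%").replace("_", "/"))
    return inner

def unwrap(url, max_depth=5):
    """Peel nested wrappers. Returns (chain of URLs, status string)."""
    chain = [url]
    for _ in range(max_depth):
        host = (urlsplit(chain[-1]).hostname or "").lower()
        if host in OPAQUE_WRAPPERS:
            return chain, "opaque-wrapper"  # resolve in a sandbox instead
        if host != PROOFPOINT_HOST:
            return chain, "unwrapped"
        inner = decode_proofpoint(chain[-1])
        if inner is None:
            return chain, "undecodable"
        chain.append(inner)
    return chain, "too-deep"

def host_to_score(url):
    """Host a reputation check should see: the innermost one, not the wrapper."""
    chain, status = unwrap(url)
    return (urlsplit(chain[-1]).hostname or "").lower(), status

# Constructed samples (not from the Cloudflare report); *.example is reserved.
V2_LINK = ("https://urldefense.proofpoint.com/v2/url"
           "?u=https-3A__redirect.example_r-3Fid-3D42&d=x&c=y")
NESTED = ("https://urldefense.proofpoint.com/v1/url?u=https%3A%2F%2F"
          "urldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__login."
          "example_o365%26d%3Dx&k=y")
OPAQUE = "https://url.emailprotection.link/?constructed-token"

if __name__ == "__main__":
    for link in (V2_LINK, NESTED, OPAQUE):
        print(urlsplit(link).hostname, "->", host_to_score(link))
```

The decoded host is only the next hop: redirect domains and URL shorteners like those in the campaign still have to be followed at analysis time, and any status other than `unwrapped` should be handled as unvetted rather than trusted.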

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4032323/attackers-wrap-phishing-links-through-url-scanning-services-to-bypass-detection.html
