• @Zachariah, 71 months ago

    URL protection services are designed to protect users from visiting malicious websites via a phishing link. Whenever a URL is included in an email, the service will copy it, rewrite it, then embed the original URL within the rewritten one.

    If the email recipient clicks on this “wrapped” link, an email security scan of the original URL is triggered. If the scan is clear, the user is redirected to the URL. If not, they are blocked from entering the original URL.

    How URL Protection Services Are Exploited

    In these novel attacks, threat actors gain entry to the URL protection service via compromised accounts, and leverage it to re-write their own phishing URLs, thereby concealing their malicious nature – essentially turning the service on itself.

    This enables them to impersonate the account owners and infiltrate and examine their email communications as well as sending emails from the compromised account. This tactic is known as conversation hijacking.

    In addition, threat actors will be able to determine whether a URL protection service is being used by analyzing links in emails connected to the account or in the user’s email signature.

    To leverage the URL protection to rewrite their own phishing URLs, the researchers noted the attackers would either need to have access to internal systems to get the phishing URL rewritten, which is “exceedingly rare,” or more likely, send an outbound email to themselves using the compromised accounts, with the phishing link included in the message.
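Added example, not from the post above or from any vendor: a mail-gateway style check that never trusts a link merely because a URL protection service already wrapped it. It peels (possibly nested) wrapper layers to recover the real destination, judges that destination, and flags the outbound self-addressed messages the post names as the likely rewrite path. The wrapper format (`urlprotect.example/?u=`), the blocklist and the messages are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs, quote

# Assumed wrapper shape (hypothetical service, not a real vendor's format):
#   https://urlprotect.example/?u=<percent-encoded original URL>
WRAPPER_HOSTS = {"urlprotect.example"}
BLOCKLIST = {"login-verify.example.net"}  # constructed stand-in for a reputation feed

def unwrap(url: str, max_depth: int = 5) -> str:
    """Peel wrapper layers until the host is no longer a wrapper host.

    A wrapped link can be mailed through the service again and wrapped twice,
    so this loops; max_depth bounds pathological wrapper-in-wrapper chains.
    parse_qs already percent-decodes the payload, so no extra unquote is needed.
    """
    for _ in range(max_depth):
        parsed = urlparse(url)
        if parsed.netloc.lower() not in WRAPPER_HOSTS:
            break
        payload = parse_qs(parsed.query).get("u")
        if not payload:
            break  # wrapper host with no payload: nothing more to peel
        url = payload[0]
    return url

def verdict(url: str) -> tuple:
    """Judge the real destination, never the wrapper. Returns (decision, destination)."""
    dest = unwrap(url)
    host = urlparse(dest).netloc.lower()
    return ("block" if host in BLOCKLIST else "allow", dest)

def self_addressed_with_links(msg: dict) -> bool:
    """Heuristic for the rewrite path described above: an outbound message whose
    sender is also one of its recipients and which carries links is worth review."""
    recipients = {r.lower() for r in msg["to"]}
    return msg["from"].lower() in recipients and bool(msg["links"])

# Constructed sample data.
SAMPLE_ORIGINAL = "https://login-verify.example.net/account"
SAMPLE_WRAPPED = "https://urlprotect.example/?u=" + quote(SAMPLE_ORIGINAL, safe="")
SAMPLE_DOUBLE_WRAPPED = "https://urlprotect.example/?u=" + quote(SAMPLE_WRAPPED, safe="")
SAMPLE_SELF_SEND = {"from": "alice@corp.example", "to": ["Alice@corp.example"],
                    "links": [SAMPLE_ORIGINAL]}

if __name__ == "__main__":
    for u in (SAMPLE_ORIGINAL, SAMPLE_WRAPPED, SAMPLE_DOUBLE_WRAPPED):
        print(verdict(u))
    print(self_addressed_with_links(SAMPLE_SELF_SEND))
```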