Phishers have devised a method to misuse a common security feature, turning it against users rather than protecting them. By manipulating URL rewriting, a mechanism in many enterprise email systems, attackers are enabling malicious content to bypass detection, using trusted safe links as their vehicle.
URL rewriting typically involves transforming links in emails to pass through security scanning servers when clicked. However, cybercriminals are exploiting this by leveraging compromised accounts where URL rewriting is enabled, creating seemingly safe links that are actually harmful. This has transformed a formerly dependable security layer into a deceptive tool.
Exploiting URL Rewriting Techniques
URL rewriting is designed to replace inbound email links with vendor-generated URLs, scrutinizing them for threats when accessed. Threat actors have capitalized on this by producing pre-wrapped safe links through compromised accounts, using them in extensive phishing schemes. These links appear trustworthy as they carry a recognized vendor domain.
LevelBlue analysts noted a rise in this tactic in 2025, observing a shift from single-layer to multi-layer URL rewriting chains across reputable vendor domains. The strategy involves creating complex redirect sequences that evade automated scanners by obscuring the true destination.
Phishing-as-a-Service Platforms
Significant activity was seen on phishing platforms like Tycoon2FA and Sneaky2FA, both targeting Microsoft 365 users. These platforms employ adversary-in-the-middle methods to capture credentials and multi-factor authentication cookies in real-time, facilitating account takeovers without user awareness.
Once inside a compromised system, attackers can manipulate email rules, initiate phishing campaigns, exfiltrate data, and potentially deploy ransomware. Campaigns using multiple URL rewriting services emerged mid-2025, peaking in early 2026, indicating a trend towards more complex redirect chains.
Defense Strategies and Recommendations
Organizations should consider adopting phishing-resistant multi-factor authentication methods, such as hardware security keys, to mitigate risks even when credentials are compromised. Security teams must implement behavior-based detection systems that identify emails with links passing through multiple rewriting layers.
Employee training is crucial, encouraging skepticism towards unexpected authentication prompts, regardless of domain familiarity. Programs should emphasize that a vendor-branded URL does not assure safety. All suspicious communications should be promptly reported to security personnel.
Stay informed by following us on Google News, LinkedIn, and X, and set CSN as your preferred source for the latest updates.
