Attackers Exploit Safe Links To Hide Phishing URLs Behind Rewriting Chains
By Varshini
March 17, 2026
Categories: Cyber Security News, Phishing
Threat actors are increasingly turning email security features against the very users they are designed to protect. Between late 2025 and early 2026, security researchers identified a severe escalation in attackers abusing URL rewriting mechanisms.
By chaining multiple trusted security links together, attackers can hide malicious domains and bypass traditional email defenses. These layered evasion tactics are now prominently featured in popular phishing-as-a-service (PhaaS) platforms such as Tycoon2FA and Sneaky2FA.
How URL Rewriting Is Weaponized
URL rewriting is a standard security feature used by email gateways and web filters. When an email arrives, the system replaces any included links with a vendor-generated “safe” link.
When a user clicks, they are routed through the vendor’s server, allowing the system to scan the destination in real time and block malicious sites.
However, phishers have found a way to abuse this protection. By compromising an internal email account, an attacker can send a malicious link to themselves.
Example of an original phishing link (Source: LevelBlue)
The internal security system automatically wraps the link in the provider’s trusted domain. If the scanner fails to detect the threat initially, the attacker can export this newly generated “safe” link and use it in widespread external phishing campaigns.
Recently, this tactic has evolved into complex, multi-layered redirect chains. Instead of exploiting a single vendor, attackers now stack rewritten links from multiple security providers, such as Cisco, Trend Micro, Barracuda, and Sophos.
This deep nesting makes it incredibly difficult for automated security platforms to unravel the full path and spot the final malicious website.
Example of a modified URL after being rewritten by a service provider (Source: LevelBlue)
Threat intelligence data shows that campaigns using three or more chained security services surged in late 2025 and reached record highs in early 2026.
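The layered chains described above can be measured on the defender's side by peeling a link one wrapper at a time and counting the hops. The following is an added example, not code from the article or from LevelBlue: the rewriter hostnames and URL layouts are constructed placeholders, and it assumes each wrapper carries its target percent-encoded in a query value or in the path, so wrappers that use opaque tokens need the vendor's own decoder.

```python
from urllib.parse import urlsplit, parse_qsl, quote, unquote

MAX_HOPS = 10        # guard against pathological nesting
CHAIN_THRESHOLD = 3  # "three or more chained security services" from the article

def embedded_url(url):
    """Return the http(s) URL carried inside `url` (query value or path), else None."""
    parts = urlsplit(url)
    for _, value in parse_qsl(parts.query):       # parse_qsl decodes each value once
        if value.lower().startswith(("http://", "https://")):
            return value
    path = unquote(parts.path)                    # path-style wrappers
    for scheme in ("https://", "http://"):
        idx = path.lower().find(scheme)
        if idx != -1:
            return path[idx:]
    return None

def unwrap_chain(url):
    """Peel wrappers one layer at a time; return (hostnames in order, innermost URL)."""
    hosts, current = [urlsplit(url).hostname], url
    for _ in range(MAX_HOPS):
        inner = embedded_url(current)
        if inner is None:
            break
        hosts.append(urlsplit(inner).hostname)
        current = inner
    return hosts, current

def is_layered(url):
    """True when the link passes through CHAIN_THRESHOLD or more wrappers."""
    hosts, _ = unwrap_chain(url)
    return len(hosts) - 1 >= CHAIN_THRESHOLD

# Constructed sample: hypothetical rewriter hosts, not real vendor formats.
FINAL = "https://login.phish.example/auth?id=42"
layer1 = "https://rewrite.vendor-a.example/v1?url=" + quote(FINAL, safe="")
layer2 = "https://scan.vendor-b.example/t/" + quote(layer1, safe="")
SAMPLE = "https://click.vendor-c.example/go?u=" + quote(layer2, safe="")

if __name__ == "__main__":
    hosts, final = unwrap_chain(SAMPLE)
    print(" -> ".join(hosts))
    print("final:", final, "| layered:", is_layered(SAMPLE))
```

A mail pipeline can run the innermost URL through its normal reputation checks and treat a high wrapper count as a signal in its own right, since a legitimate message rarely passes through several unrelated rewriters.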
Real-World Phishing Campaigns
Modern PhaaS platforms utilize this layered redirection to steal Microsoft 365 credentials and bypass multi-factor authentication (MFA). They do this using adversary-in-the-middle (AiTM) attacks, which intercept valid session cookies in real time.
Once an account is compromised, attackers quickly move to data exfiltration, business email compromise, or ransomware deployment.
In one massive Tycoon2FA campaign, hackers sent fake Microsoft document requests to victims. The hidden phishing link was buried under five different security vendor redirects.
Because every hop in the chain utilized a trusted, security-branded domain, automated link scanners ignored the danger.
Chart showing sampled phishing email numbers per month that utilize multi-layered URL rewriting (Source: LevelBlue)
After passing through the five layers, victims were hit with a CAPTCHA challenge to filter out automated security bots, followed by a fake Microsoft login page designed to steal their passwords.
To stop these advanced attacks, organizations must move beyond traditional link scanning. Defenders need behavioral detection, continuous network monitoring, and phishing-resistant MFA to catch malicious activity hidden behind reputable domains.
Furthermore, employees must be trained to recognize suspicious authentication prompts, even when the initial web link appears to come from a trusted security provider.