Quote:Threat actors were already abusing URL rewriting mechanisms in phishing campaigns to mask malicious domains.

URL rewriting is designed to protect users by replacing original links with security-vendor URLs that scan destinations at click time.

These rewritten links route traffic through the provider’s infrastructure so they can analyze the page in real time, block known malicious sites, and log user activity for administrators. In normal operation, this is a defensive layer that helps filter out obviously bad destinations.​

Threat actors, however, are turning this model on its head. By operating from compromised mailboxes that already use URL rewriting, they generate “pre-wrapped” safe links and then reuse those trusted-domain URLs in external phishing campaigns.

Example of an original phishing link (Source : LevelBlue

SpiderLabs).The end result is a phishing link that visually and technically appears to belong to a reputable security or productivity provider, even though it eventually leads to a credential-harvesting site.

From late 2024 into 2025, LevelBlue SpiderLabs observed a sharp rise in multi-layered URL rewriting chains, where attackers nest multiple already‑rewritten links together.

Continue Reading...