Phishing - Attackers Use URL Rewriting to Evade Detection
In short: phishers are abusing the "safe links" that email security products generate, so a link that has already passed a security check still lands the victim on a credential-stealing page.
Phishing attackers have weaponized safe links through URL rewriting. The campaigns target Microsoft 365 users and end in credential and session theft. Organizations that rely on link scanning alone need to adjust their defenses to this evolving threat.
What Happened
Phishing attackers have found a way to turn a security control against its users. URL rewriting is a feature of email security gateways: every link in an inbound message is replaced with one that points at the vendor's own domain, so that the destination can be checked again at click time. Attackers send their phishing emails from compromised accounts at organizations that use such a gateway, so the malicious link leaves that organization already rewritten to a trusted vendor domain. A recipient, or a downstream security product, sees a link on a reputable domain, while the real destination sits in the rewritten link's parameters. The tactic has since grown into a multi-layered approach, making it harder for automated systems to work out where a link actually ends.
Between the second and fourth quarters of 2025, analysts noted a significant increase in this tactic. Attackers moved from single-layer to multi-layered rewriting chains, in which one vendor's rewritten link wraps another vendor's, across several trusted domains. Many security systems only unwrap the first layer or two of such a chain, and so classify the link by an intermediate vendor domain rather than by the final destination. As of early 2026, these campaigns remain active and pose a serious threat to organizations that depend on link reputation alone.
Who's Being Targeted
The primary targets of these campaigns are Microsoft 365 users. The attackers run their operations on phishing-as-a-service kits such as Tycoon2FA and Sneaky2FA, which use adversary-in-the-middle techniques: the phishing page proxies the real Microsoft login, so the username, password, MFA response and the session cookie issued afterwards are all captured in real time. With a session in hand, attackers can manipulate mailbox rules, launch internal phishing from the compromised mailbox, and in some cases go on to deploy ransomware.
The Tycoon2FA campaign is a notable example. Victims received emails impersonating Microsoft whose links passed through several vendor rewriting layers before reaching a malicious site. Automated detection tools that judge a link by the trusted vendor domains it passes through are often fooled, which substantially raises the campaign's success rate.
Signs of Infection
Identifying these phishing attempts can be challenging. The emails look legitimate and are usually themed around document requests or other routine business communications. The links, however, are often excessively long, because each rewriting layer embeds the next one as an encoded parameter; a single link can pass through five different security vendors' domains before it reaches the phishing site. Decoding the link's parameters layer by layer, rather than trusting the domain visible at the front, reveals where it actually leads.
Organizations should also watch for unusual email behavior, in particular messages that prompt an unexpected sign-in. Employees need to be trained to recognize these signs and to understand that a familiar domain at the start of a link does not guarantee safety. Flagging emails whose links pass through more than one rewriting service is a practical early-detection signal for this class of attack.
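The detection described above, unwrapping a link layer by layer and flagging chains that pass through more than one rewriting service, can be implemented as a small mail-gateway or SOAR check. The following is an added example and not code from the original article or from any vendor. It assumes three wrapper shapes: the real Microsoft Safe Links query form (safelinks.protection.outlook.com/?url=...), and two placeholder shapes, a generic ?target= redirect and a __https://...__ delimited path, which stand in for whatever your own gateways emit; WRAPPER_PARAMS, DELIMITED and the sample links are constructed for the example and must be tuned to the rewriters actually in front of your mailboxes.

```python
"""Unwrap nested URL-rewriting layers in a link and flag deep chains.

Added example; not code from the original article or from any vendor.
Assumption: the Safe Links query form (…safelinks.protection.outlook.com/?url=…)
is the documented real format; the ?target= redirect and the __https://…__
delimited path are placeholders for other rewriters. Tune WRAPPER_PARAMS and
DELIMITED to the products actually deployed in your environment.
"""
import re
from urllib.parse import parse_qs, quote, urlparse

# Query parameters that rewriting/redirect services commonly use to carry the
# original destination (assumption: adjust to match your gateways).
WRAPPER_PARAMS = ("url", "u", "target", "redirect", "dest")

# Path-embedded form: .../__https://inner.example/...__;signature  (placeholder)
DELIMITED = re.compile(r"__(https?://.+?)__")


def unwrap_once(url: str):
    """Return the URL one layer inside `url`, or None if it wraps nothing.

    The delimited path form is checked first on the whole string, because the
    inner URL's own query string would otherwise be mistaken for the outer one.
    """
    m = DELIMITED.search(url)
    if m:
        return m.group(1)
    qs = parse_qs(urlparse(url).query)  # parse_qs percent-decodes once
    for name in WRAPPER_PARAMS:
        if name in qs:
            inner = qs[name][0].strip()
            if inner.lower().startswith(("http://", "https://")):
                return inner
    return None


def unwrap_chain(url: str, max_depth: int = 10):
    """Follow rewriting layers outer -> inner; stops on a loop or at max_depth."""
    chain = [url]
    seen = {url}
    while len(chain) <= max_depth:
        inner = unwrap_once(chain[-1])
        if inner is None or inner in seen:
            break
        chain.append(inner)
        seen.add(inner)
    return chain


def assess(url: str, allowed_final_domains, depth_threshold: int = 2):
    """Classify a link by how many rewriters it passes through and where it ends.

    block  : at least depth_threshold layers (a multi-vendor chain is the signal)
    review : rewritten once, but the final host is not on the allow list
    allow  : no rewriting, or a single layer landing on an allow-listed domain
    """
    chain = unwrap_chain(url)
    hosts = [urlparse(u).hostname or "" for u in chain]
    layers = len(chain) - 1
    final_host = hosts[-1]
    rewriters = sorted(set(hosts[:-1]))
    allow_listed = any(final_host == d or final_host.endswith("." + d)
                       for d in allowed_final_domains)
    if layers >= depth_threshold:
        verdict = "block"
    elif layers >= 1 and not allow_listed:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "layers": layers, "rewriters": rewriters,
            "final_host": final_host, "chain": chain}


def wrap_safelinks(inner: str) -> str:
    """Build a Safe Links-style wrapper around `inner` (used to construct samples)."""
    return ("https://nam.safelinks.protection.outlook.com/?url="
            + quote(inner, safe="") + "&reserved=0")


# Constructed sample links, not real campaign data. The phishing page and the two
# intermediate "vendors" use the reserved .example TLD.
PHISH_PAGE = "https://docs-review.example/sign-in"
TRACKER = ("https://click.tracker-vendor.example/track?target="
           + quote(PHISH_PAGE, safe=""))
GATEWAY = "https://scan.gateway-vendor.example/v3/__" + TRACKER + "__;abc$"
THREE_LAYER = wrap_safelinks(GATEWAY)                       # Safe Links -> gateway -> tracker -> phish
ONE_LAYER_OK = wrap_safelinks("https://www.microsoft.com/en-us/microsoft-365")
ONE_LAYER_EXT = wrap_safelinks("https://partner-portal.example/")

ALLOWED = ("microsoft.com", "sharepoint.com")

if __name__ == "__main__":
    for link in (THREE_LAYER, ONE_LAYER_OK, ONE_LAYER_EXT):
        r = assess(link, ALLOWED)
        print(r["verdict"], r["layers"], "layer(s) ->", r["final_host"])
        for hop in r["chain"]:
            print("    ", hop[:90])
```

The three-layer sample is classified "block" purely on chain depth, before anyone looks at the final host; that matters because the final page may be clean at scan time and only later serve the phishing kit. The `seen` set stops a self-referential redirect loop, and `max_depth` bounds the work an attacker can force by nesting wrappers.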
How to Protect Yourself
To counter these tactics, organizations should tighten both authentication and mail filtering. Phishing-resistant multi-factor authentication, such as FIDO2 hardware security keys or passkeys, defeats the adversary-in-the-middle step: the credential is bound to the real login origin, so a sign-in proxied through the attacker's domain cannot complete and no session cookie is ever issued for the attacker to capture. On the mail side, security teams should deploy detection that unwraps rewritten links to their final destination and flags messages whose links chain through more than one rewriting service, rather than trusting the reputation of the outermost domain.
Awareness training remains essential. Employees must learn to question unexpected sign-in prompts, however legitimate the surrounding email looks, and to report suspicious messages promptly so that the security team can purge them from other mailboxes and check for sessions already stolen. As phishing tactics evolve, continuous education and layered technical controls will be needed to protect sensitive information.
Cyber Security News