Phishing campaigns using re-written links

Jul. 31, 2024

Over the last three months, Mimecast threat researchers have detected and been monitoring threat actors using rewritten links from several security solutions, including Mimecast, to mask their malicious intent. It is expected that the list of abused email security solutions will grow. While this technique is not new, the widespread adoption of this method across multiple email security solutions, especially in June, indicates the involvement of highly organized and well-resourced threat actors.

Threat actors continue to abuse legitimate tools and solutions that are generally trusted to evade detection and deceive end users. Below are a couple of examples of phishing emails used in these campaigns. These emails typically contain customized references to the target business, adding a level of sophistication to this large-scale operation. The primary intent of these emails appears to be credential harvesting, which could then be used for further attacks or sold for profit.

Example number 1

Example number 2

Flow of campaign
​

• Compromised user account as a result of a variety of attack methods, provides the threat actor a means to generate rewritten links. 
• An email containing a malicious link is sent to the compromised account(s) which uses the email security solution to re-write the URL. 
• The threat actor uses the compromised account to test whether the malicious URL is detected.
• If URL is not detected, the rewritten URL is inserted into their phishing templates and sent to their targets.
• Campaigns have been observed from different email sources, compromised accounts, email security solutions and manually created domains. 

Mimecast protection
​

• We have identified several attributes in the campaigns using Mimecast rewritten links which have been added to our detection capabilities.
• We continue to monitor any customer accounts that may have been compromised and ensure the necessary actions are taken.

Targeting:
​

Global, All Sectors

Abused services identified: 

Any email security solution that rewrites links can potentially be abused in this type of campaign, and the list of identified abused services at present is expected to grow:

• Mimecast: url.uk.m.mimecastprotect.com
• Barracuda: linkprotect.cudasvc.com
• Proofpoint: urldefense.proofpoint.com
• Darktrace: us01.z.antigena.com
• Intermedia: url.emailprotection.link
• TitanHq: linklock.titanhq.com
• Bitdefender: linkscan.io
• Hornet Security: atpscan.global.hornetsecurity.com
• Viper Security: url2.mailanyone.net
• Topsec: scanner.nextgen.topsec.com

Subject Lines:

Multiple variations exist

• Timesheet Report Submission Deadline cc08618ea37625e4f9f7b330bded9dc3
• Severity alert has been triggered
• Past Due Notice
• Reaction Daily Digest July 22, 2024 at 04:08:27 PM
• Document shared with you

Recommendations
​

• Ensure your spam scanning policy is set to the recommended Moderate setting.
• Enable device enrolment within TTP URL Protect which ensures the spread of any URL's created for use in the campaign is greatly reduced.
• Search through your TTP URL Protect logs to determine if any of the abused services have been accessed by your users.
• Review the authentication logs (Mimecast, Microsoft Entra, ADFS etc) associated with the users who interacted with the abused URLs to determine if there is a potential compromise.
• Ensure any compromised accounts are investigated, resolved immediately and monitoring is put in place to detect any unusual activity.
• Educate end users around the continued trend of legitimate tools being used in malicious campaigns.