Successful hacks rarely spell out what’s about to happen.

Instead, hackers rely on deceptive social engineering tactics. The idea is to get you to think you’re doing something legitimate but is, in fact, not. 

One way to do that is through obfuscation. By hiding the true intent of the email, it may be more likely that a security scanner thinks it is clean and that an end-user engages with it.

One way to do that is to use something expected–like a picture–and hide the malicious stuff behind it.

In this Attack Brief, researchers at Avanan, a Check Point Software company, will discuss how hackers hide malicious links within pictures to redirect users to phishing sites. 


In this attack, hackers hide links within pictures. 

  • Vector: Email
  • Type: Malicious Link
  • Techniques: Picture in Picture,  Obfuscation
  • Target: Any end-user


Email Example 


This is a fairly standard email. It’s a fake message from Kohl’s, showing that the user has been chosen to participate in their free Loyalty Program. However, the URL has nothing to do with Kohl’s. 


Same thing here. It’s a relatively convincing-looking image of a Delta gift card offer. But again, the URL doesn’t point to Delta.

Both URLs are, in fact, somewhat similar.

When clicking on it, users are redirected to classic credential harvesting pages. 

Behind the picture is the URL—even legitimate brand pictures link to a page. Most marketing emails work that way. There will be a nice-looking promotional image, and the link will go to the intended page.

However, the intended page has nothing to do with Delta or Kohl's and everything to do with stealing your information. 


Obfuscation is a gift to hackers. It allows them to pull off a magic trick. It works by hiding the true intent of their message. 

In this case, it’s a picture. The picture is meant to entice the user to click. Who wouldn’t want a $1,000 Delta Gift Card?

They hope the user will be intrigued enough not to hover over the URL and see that it doesn’t match. An eagle-eyed user would see that and immediately know something is amiss.

And they're also hoping that the URL filters will be confused too. It'll look clean if they aren’t scanning within the image. This is a fairly common method. Often, hackers will happily link a file, image, or QR code to something malicious. You can see the true intention by using OCR to convert the images to text or parsing QR codes and decoding them. But many security services don’t or can’t do this.  

In this case, the email seems legitimate. Standard things like the sender's address and the link are off. But it’s a reasonably convincing spoof of Delta and Kohl’s, legitimizing the illegitimate act.

That the URL is hidden behind the picture makes things much more challenging. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Implement security that looks at all URLs and emulates the page behind it
  • Leverage URL protection that uses phishing techniques like this one as an indicator of an attack
  • Leverage AI-based, anti-phishing software capable of blocking phishing content across the entirety of the productivity suite.