According to a new report featured in ITWire,  URL-based dominance is a growing trend over phishing attachments and 4x more likely to reach users, particularly high-profile secure email gateways (SEGs) and API-based systems that only retract post-delivery. 

There are three popular engagement methods threat actors use when phishing URLs are utilized: Trusted Domains (cloud services), Openly Available Services (free or cheap hosting platforms), and Multiple Redirects (chains of malicious URLS). In other words, threat actors manipulate the service to access the information they seek.

One way to do this is by weaponizing these URLs. 

Many attacks detonate post-delivery, meaning they easily get by email scanners and are only dangerous after the user clicks on the link. URL rewriting, along with time-of-click analysis, allows the security solution to analyze links and block them, as necessary.

Consider a few attacks that we have observed recently.

One is the TattleToken script.

Attackers are using client-side scripts to determine the end user's IP address and altering the URL in order to hide a malicious server from email service providers and security organizations.

This effectively bypasses most post-delivery protections like O365 SafeLinks inbox retraction. Instead of putting the malicious URL in the email, hackers link to a redirect server that acts as a gateway, sending queries from a security company to a benign site. Queries from the intended victims are directed to the phishing server.

From the point of view of the security firms, the link in the email is just a simple redirect to a web server like Google. When the victim clicks on the same link, they are redirected to the malicious web server.

There's also the general umbrella of SiteCloak attacks. SiteCloak is a way to bypass the time-of-click scanning by “cloaking” the malicious website. It does this by showing a benign page to the email security solution, but a realistic-looking credential harvesting page to the victim.

Preventing such attacks means analyzing links both when the email is delivered and at click-time. This is important because some attackers enable the malicious content only after the email message has reached the inbox. Additionally, prevention means using the hacker's own obfuscation techniques as a way to identify the attack. Because the web-scanning algorithm looks for known obfuscation methods as Indicators of Attack (IoAs), these sites self-incriminate themselves by their usage of a hacking method.

It also means doing image analysis. Consider the Microsoft Sway attack. Attackers used Sway, a web app for creating presentations and landing pages, to host phishing sites. Since Sway is hosted on, it bypasses URL filters. In the attack, hackers hyperlink to a malicious file or to a spoofed login page. By using OCR to convert images to text, or to parse QR codes and identify the link, our NLP can then identify any suspicious language or malicious links. 

It also means doing attachment analysis. We saw its importance on a fairly straightforward tax-related attack that we blocked earlier in 2021.

The attackers tried to obfuscate their approach by changing the Reply-to address to, but the actual from address represents the IRS equivalent in Nigeria. By scanning all links in the attachment, we were able to determine with high confidence that the .HTML attachment was Trojan malware.  

It also means doing URL emulation. When users click on links that are replaced by Click-Time Protection, the websites behind the links are not only checked for reputation (using Check Point's URL Reputation engine), but are also emulated to detect those zero-day phishing websites.

Proper URL scanning has the following benefits:

  • Another layer of post-delivery protection

  • Anti-malware and enhanced protection for zero-day attacks, as sometimes it takes a few minutes to detect malicious emails

  • Forensics

However, not all API-based solutions offer URL scanning. Or, if they do, it's limited in nature. 

Implementing proper URL scanning that can detect the attacks like the ones mentioned above is a crucial part of any security structure.