Attackers exploit Safe Links rewriting to hide phishing destinations

Security researchers report that threat actors are abusing email security link-rewriting features to conceal phishing infrastructure and bypass automated defenses.

What happened

Security researchers have identified a wave of phishing campaigns that abuse the link-rewriting feature of email security products, a control intended to protect users by checking a link's destination at the moment it is clicked. According to CyberPress, once a malicious link has passed through such a system it is wrapped inside the security vendor's own domain, which makes it look safe to both scanners and recipients. Threat actors take advantage of this by first sending the malicious link from a compromised internal email account so that the organization's own gateway rewrites, and in effect vouches for, the link, then reusing that rewritten version in larger phishing campaigns. Researchers say the method has developed into intricate redirect chains in which a single link passes through several vendors' rewriting systems in sequence, including those of Cisco, Trend Micro, Barracuda Networks, and Sophos, making it harder for automated tools to reach and identify the final malicious destination.

Going deeper

URL rewriting is widely used in secure email gateways and web filters: links in inbound mail are replaced with a vendor-controlled redirect that evaluates the destination when the user clicks. Attackers have learned to exploit this by nesting rewritten links, so a single phishing link passes through several security systems and every domain the recipient or a scanner sees belongs to a trusted provider. The technique is often combined with an adversary-in-the-middle (AiTM) phishing kit, a reverse proxy that sits between the victim and the real login page and relays traffic in both directions. Because the victim signs in to the genuine service through the proxy, the kit captures the username, the password, and the session cookie issued after authentication in real time; replaying that cookie lets attackers bypass multi-factor authentication and keep access to the compromised account.
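The following is an added example, not code from the article or from any of the vendors it names, showing the analysis step the paragraph above (and the FAQ on redirect chains below) describes: peeling nested rewritten links offline until the real destination appears, and counting how many security-branded hops sit in front of it. The hostname patterns, query parameters and path layout for each rewriter are assumptions modeled on commonly observed formats and must be checked against links from your own gateway; the sample link is constructed for the example and does not come from any real campaign.

```python
"""Unwrap nested email-security rewritten links offline (added example).

Vendor formats below are ASSUMPTIONS, not documented APIs; verify them
against rewritten links produced by your own gateway before relying on them.
"""
import base64
import re
from urllib.parse import parse_qs, quote, unquote, urlparse


def _b64url_decode(value: str) -> str:
    """Decode base64url with or without padding (assumed Sophos-style 'u' parameter)."""
    padded = value + "=" * (-len(value) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8", "replace")


def _query_param(name, decode=lambda v: v):
    """Extractor for rewriters that carry the wrapped URL in a query parameter."""
    def extract(parsed):
        values = parse_qs(parsed.query).get(name)
        return decode(values[0]) if values else ""
    return extract


def _path_remainder(parsed):
    """Extractor for path-based rewriters (assumed Cisco style):
    the wrapped URL is everything after the first path segment."""
    parts = parsed.path.split("/", 2)  # ['', '<token>', '<wrapped url>']
    return unquote(parts[2]) if len(parts) == 3 else ""


# (label, hostname regex, extractor). Hostnames/params are assumptions.
REWRITERS = [
    ("Microsoft Safe Links", r"(^|\.)safelinks\.protection\.outlook\.com$", _query_param("url")),
    ("Barracuda Link Protect", r"^linkprotect\.cudasvc\.com$", _query_param("a")),
    ("Sophos Email", r"(^|\.)protection\.sophos\.com$", _query_param("u", _b64url_decode)),
    ("Cisco Secure Email", r"^secure-web\.cisco\.com$", _path_remainder),
]


def unwrap_once(url):
    """Return (vendor, inner_url) if url is a known rewrite, else None.
    inner_url is "" when the host matched but no wrapped URL was recoverable."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for label, pattern, extract in REWRITERS:
        if re.search(pattern, host):
            inner = extract(parsed)
            if not inner.lower().startswith(("http://", "https://")):
                inner = ""
            return label, inner
    return None


def unwrap_chain(url, max_hops=10):
    """Peel rewrappers until a non-rewriter URL is reached.
    Returns [(label, url), ...]; label names the wrapper removed to reach that url,
    and the last entry is the final destination (or where extraction stopped)."""
    hops = [("original", url)]
    current = url
    for _ in range(max_hops):
        step = unwrap_once(current)
        if step is None or not step[1]:
            break
        hops.append(step)
        current = step[1]
    return hops


def assess(url):
    """Summarize a link: how many rewrite layers it carries and where it really lands.
    One layer is normal for mail that crossed your own gateway; two or more nested
    vendor layers is the chaining pattern described in the article (a heuristic)."""
    hops = unwrap_chain(url)
    final_url = hops[-1][1]
    layers = len(hops) - 1
    return {
        "rewrite_layers": layers,
        "vendors": [label for label, _ in hops[1:]],
        "final_url": final_url,
        "final_host": (urlparse(final_url).hostname or "").lower(),
        "nested_rewrite": layers >= 2,
    }


def build_sample_chain():
    """CONSTRUCTED sample, not a real campaign: a lookalike login page wrapped
    Sophos -> Barracuda -> Safe Links, in the assumed formats above."""
    final = "https://login-verify.example/m365/auth?user=victim%40contoso.example"
    u = base64.urlsafe_b64encode(final.encode()).decode().rstrip("=")
    sophos = f"https://eu-west-1.protection.sophos.com/?d=login-verify.example&u={u}&i=CONSTRUCTED"
    barracuda = "https://linkprotect.cudasvc.com/url?a=" + quote(sophos, safe="") + "&c=E,1,CONSTRUCTED"
    return "https://nam02.safelinks.protection.outlook.com/?url=" + quote(barracuda, safe="") + "&data=CONSTRUCTED"


if __name__ == "__main__":
    for label, hop in unwrap_chain(build_sample_chain()):
        print(f"{label:24s} {hop[:90]}")
    print(assess(build_sample_chain()))
```

Run it against links lifted from a suspicious message before any reputation lookup: the value worth checking is `final_host`, not the outer domain, and `nested_rewrite` is the signal that a link has crossed more than one vendor's gateway. Add your own vendor's pattern to `REWRITERS` once you have confirmed its format, and treat every entry there as a hypothesis until you have.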

What was said

Security researchers analyzing the campaigns reported that attackers are turning defensive technologies into cover for their malicious infrastructure. Analysts noted that nested security links, where one rewritten link redirects through several layers, create a situation where “every hop in the chain utilizes a trusted, security-branded domain,” making it harder for automated scanners to reach and evaluate the final destination. The finding was published in a study of phishing campaigns observed during late 2025 and early 2026 that used rewritten Safe Links (Microsoft's URL scanning and rewriting feature) and other vendors' redirect services; the original disclosure included no direct comment from the affected email security vendors.

In the know

According to GBHackers, attackers using the Sneaky2FA phishing-as-a-service framework are applying the same redirect-chaining technique, hiding the phishing link inside an attached HTML file. The link is routed through multiple trusted services, including Barracuda, Sophos, and Cisco URL rewriting systems, before reaching its final destination, so it appears safe at each step. The chain ultimately leads to a fake Microsoft 365 login page designed to steal credentials. Like the other campaigns abusing URL rewriting, Sneaky2FA uses adversary-in-the-middle techniques: the attacker proxies the victim's login session to capture credentials and session tokens, which allows them to bypass multi-factor authentication and take over the account.

The big picture

Reporting from TechRadar on similar campaigns shows how attackers use trusted infrastructure, legitimate platforms and services that people already rely on, to disguise phishing activity at scale, with more than 40,000 emails targeting over 6,000 organizations in one case. The report noted that campaigns “exploited legitimate URL redirect services to obfuscate malicious links” and that attackers are “abusing trusted infrastructure… to mask the true destination of phishing URLs.” The pattern reflects an increasingly common technique in which security tools and well-known platforms are repurposed as links in the attack chain, making phishing campaigns harder to detect and more convincing to users.

FAQs

What is URL rewriting in email security systems?

URL rewriting replaces links in incoming emails with a security vendor’s redirect link, allowing the system to scan the destination website in real time before the user reaches it.

How do attackers exploit rewritten links?

Attackers generate a trusted rewritten link by sending a malicious URL through an organization’s security gateway, then reuse that link in phishing campaigns so it appears to originate from a trusted domain.

What is an adversary in the middle phishing attack?

An adversary-in-the-middle attack places a malicious proxy between the victim and the legitimate login service, capturing credentials and authentication tokens as the victim signs in; because the sign-in completes against the real service, the attacker obtains a session that has already satisfied multi-factor authentication.

Why do redirect chains make phishing harder to detect?

Each redirect layer uses a legitimate, security-branded domain, so a scanner that trusts the outer domain and stops there never evaluates the final malicious website; tracing the full path requires unwrapping every layer rather than judging the link by the first host it shows.

How can organizations reduce the risk of these attacks?

Organizations can combine phishing-resistant authentication (such as FIDO2 security keys or passkeys, which cannot be relayed through an AiTM proxy), behavioral monitoring that flags sign-ins completing MFA from an unfamiliar device or network, and user awareness training, while reducing reliance on static link scanning that judges a URL by its outer, vendor-branded domain alone.
