Phishing attack using multi-layer URL rewriting to bypass security

Cybercriminals are increasingly exploiting URL rewriting, a security feature used by enterprise email gateways, to bypass phishing detection systems. This mechanism normally replaces links in emails with vendor-generated “safe links” that route users through security scanners before opening. However, attackers are now abusing compromised accounts where URL rewriting is active to generate trusted-looking links that carry malicious destinations, allowing phishing campaigns to evade traditional security filters.


Security researchers from LevelBlue observed a major rise in these attacks between late 2025 and early 2026. Threat actors began creating multi-layered redirect chains across several trusted security vendor domains to hide the final phishing destination. These tactics are widely used by phishing-as-a-service platforms such as Tycoon2FA and Sneaky2FA, which target Microsoft 365 users and capture login credentials and multi-factor authentication session cookies through adversary-in-the-middle attacks.


In some campaigns, phishing links pass through multiple security services—including Barracuda, Sophos, and Cisco—before landing on fake login pages designed to steal credentials. Because each redirect uses trusted domains, automated scanners often stop before reaching the final malicious site. Experts recommend using phishing-resistant MFA methods, monitoring emails containing multi-layer redirect links, and training employees to verify suspicious authentication requests even when the link appears to come from a trusted vendor.
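One way to monitor for the multi-layer redirect links described above is to unwrap each link offline and count how many distinct rewriting services it is nested in. This is an added example, not code from the article or from LevelBlue; the hostnames, the `u` query parameter, the threshold of two layers and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, quote, unquote

# Assumption: constructed placeholder hostnames standing in for the
# link-rewriting services seen in your own mail flow.
REWRITER_HOSTS = {
    "rewrite.vendor-a.example",
    "protect.vendor-b.example",
    "safe.vendor-c.example",
}
MAX_DEPTH = 10  # stop unwrapping pathological or looping chains


def embedded_url(url):
    """Return the first http(s) URL carried in a query parameter, else None."""
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        candidate = value  # parse_qsl has already percent-decoded once
        for _ in range(3):  # tolerate values that were encoded more than once
            if candidate.lower().startswith(("http://", "https://")):
                return candidate
            decoded = unquote(candidate)
            if decoded == candidate:
                break
            candidate = decoded
    return None


def unwrap_chain(url):
    """Follow embedded destinations offline; returns [outer, ..., innermost]."""
    chain = [url]
    while len(chain) <= MAX_DEPTH:
        inner = embedded_url(chain[-1])
        if inner is None:
            break
        chain.append(inner)
    return chain


def assess(url, threshold=2):
    """Flag links wrapped by `threshold` or more distinct rewriting services."""
    chain = unwrap_chain(url)
    hosts = [urlsplit(u).hostname or "" for u in chain]
    layers = [h for h in hosts[:-1] if h in REWRITER_HOSTS]
    return {"layers": len(layers), "distinct": len(set(layers)),
            "final_host": hosts[-1], "flag": len(set(layers)) >= threshold}


def wrap(host, target):
    """Build a constructed sample link: destination in query parameter `u`."""
    return f"https://{host}/r?u={quote(target, safe='')}"
```

A single rewriting layer is normal for protected mail, so only nesting across several services is flagged. Rewriters that carry the destination in the path or in an opaque token need their own decoding step before this count is meaningful.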

