
Cybercriminals increasing use of encoded URLs to bypass email security



TLDR: Threat Actors Ramp Up Use of Encoded URLs to Bypass Secure Email

Key Points:

  • Threat actors are using secure email gateways (SEGs) to encode malicious URLs and bypass email defenses.
  • There has been a significant increase in the use of this tactic in the second quarter of this year.

Security researchers from Cofense have observed an uptick in attacks where threat actors encode or rewrite malicious URLs in emails to bypass secure email gateways (SEGs). Some SEGs do not properly vet these URLs, so they pass through undetected. The tactic involves encoding URLs by rewriting them to point to the sender’s SEG system, which may not always scan them accurately.

While threat actors have used SEG encoding in the past, there has been a substantial increase in its use this year, particularly in May. The four email security gateways most abused by threat actors using this tactic are VIPRE Email Security, Bitdefender LinkScan, Hornet Security Advanced Threat Protection URL Rewriting, and Barracuda Email Gateway Defense Link Protection.

Protecting against this tactic can be challenging, as most SEGs do not have tuning methods for ignoring other SEG encodings. The best defense remains user awareness and training to prevent users from clicking on suspicious links in emails, even if they are encoded by SEGs.

It is important for organizations to be aware of this tactic and take steps to educate their users on identifying and avoiding malicious emails that may bypass secure email gateways using encoded URLs.
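As an added example (not from Cofense or any SEG vendor), the sketch below shows one way a mail team could flag inbound links that are already wrapped by another vendor's SEG, so the inner destination can be scanned or the message held. The rewriter hostnames are hypothetical placeholders, and the assumption that some wrappers carry the destination in a query parameter while others use an opaque token is an illustration, not documented vendor behavior.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical placeholders: fill in the rewriting hosts each SEG vendor documents.
# Do not list the host of the gateway your own organization operates.
FOREIGN_REWRITERS = {"rewrite.seg-vendor-a.example", "links.seg-vendor-b.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message body, not taken from a real campaign.
SAMPLE_BODY = (
    "Invoice: https://rewrite.seg-vendor-a.example/url"
    "?a=https%3A%2F%2Fpayments.example.net%2Flogin&c=E,1 \n"
    "Portal: https://links.seg-vendor-b.example/t/AbC123.\n"
    "Docs: https://intranet.example.org/help\n"
)

def embedded_target(url):
    """Return a destination URL carried in a query parameter, or None if opaque."""
    # parse_qsl percent-decodes values, so an encoded inner URL is recovered here.
    for _, value in parse_qsl(urlsplit(url).query):
        if value.lower().startswith(("http://", "https://")):
            return value
    return None

def classify_links(body):
    """List links wrapped by a foreign SEG rewriter and what to do with each."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")  # drop trailing sentence punctuation
        host = (urlsplit(url).hostname or "").lower()
        if host not in FOREIGN_REWRITERS:
            continue
        target = embedded_target(url)
        findings.append({
            "wrapper_host": host,
            "target": target,
            # A recoverable destination can be scanned directly; an opaque
            # token cannot be verified offline, so the message is held.
            "action": "scan_inner_url" if target else "hold_for_review",
        })
    return findings

if __name__ == "__main__":
    for finding in classify_links(SAMPLE_BODY):
        print(finding)
```
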

