Full Report
In 2024, threat actors were already abusing URL rewriting mechanisms in phishing campaigns to mask malicious domains. Between the second and fourth quarters of 2025, LevelBlue SpiderLabs identified a notable escalation in this tactic, with adversaries deliberately constructing multi-layered URL rewriting as redirectors, chaining together multiple trusted providers to further obscure the final malicious domain and evade traditional email security controls.
Analysis Summary
# Tool/Technique: Multi-Layered URL Rewriting Abuse
## Overview
This technique involves the deliberate exploitation of "Safe Links" or URL rewriting services provided by trusted email security vendors. Attackers nest or chain multiple rewritten URLs from different legitimate providers (e.g., Microsoft Defender, Proofpoint) to create a redirect chain. The primary purpose is to bypass automated email security filters that may only inspect the first layer of a URL or fail to decode nested, trusted domains, ultimately leading the user to a phishing site.
## Technical Details
- **Type:** Technique (Phishing / Evasion)
- **Platform:** OS Agnostic; targets Web Browsers and Email Clients.
- **Capabilities:** Link obfuscation, security control evasion, reputation hijacking (leveraging the "trust" of security vendors), and multi-stage redirection.
- **First Seen:** Evolution noted in 2024; significant escalation identified between Q2 and Q4 2025.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- **[T1566 - Phishing]**
- **[T1566.002 - Phishing: Spearphishing Link]**
- **[TA0005 - Defense Evasion]**
- **[T1564 - Hide Artifacts]**
- **[T1204.001 - User Execution: Malicious Link]**
## Functionality
### Core Capabilities
- **URL Chaining:** Embedding a malicious URL inside a trusted provider's rewriting service, which is then embedded inside *another* provider's service.
- **Reputation Masking:** Using the domain reputation of security vendors (e.g., `*.safelinks.protection.outlook.com`) to bypass Top-Level Domain (TLD) filters and blocklists.
- **Automated Sandbox Evasion:** Some automated scanners stop at the first "safe" domain, failing to follow the redirection chain to the final malicious payload.
### Advanced Features
- **Conditional Redirection:** Attackers may use these layers to filter traffic based on IP, user-agent, or geolocation before showing the final phishing page.
- **Cross-Vendor Exploitation:** Specifically targeting organizations that might use one security vendor internally but receive an email originally processed by a different vendor (e.g., a Proofpoint link forwarded into an Outlook environment).
## Indicators of Compromise
### Network Indicators
- drogaby[.]com[.]br/cgi-bin/admin/
- draineago[.]sa[.]com
- nirvaa[.]com/wrks/
- dns[.]zyntexa[.]click
- visuallogin-9889902009882[.]bretlavylaw[.]com
### Behavioral Indicators
- Multiple redirects occurring within seconds of a single click.
- URLs containing multiple "http" strings within the parameters (e.g., `https://urldefense.com/v3/url?u=https://safelinks.protection...`).
## Associated Threat Actors
- While specific named groups were not detailed in the brief, the technique is broadly used by advanced phishing syndicates and initial access brokers (IABs) targeting corporate credentials.
## Detection Methods
- **Behavioral Detection:** Inspecting email bodies for URLs that contain suspicious parameters or nested protocols (e.g., `url=`, `target=`, `dest=`) pointing to known rewriting services.
- **Recursive URL Analysis:** Security tools must be configured to recursively "unwrap" or decode nested URLs to the final destination.
- **Time-of-Click Inspection:** Utilizing advanced email gateways that re-evaluate the final destination at the moment the user clicks, rather than just upon delivery.
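The URL-chaining behaviour described under Core Capabilities, the "multiple http strings" behavioural indicator, and the recursive unwrapping recommended above can all be exercised with a small static decoder. The following is an added example written for this summary, not LevelBlue SpiderLabs tooling or any vendor's API: it peels nested rewritten links apart without touching the network, counts how many trusted rewriting layers are stacked, and flags the two-or-more pattern the report describes. The parameter names (`u`, `url`, `target`, `dest`), the rewriter host list, and the sample link (with an `example.invalid` placeholder as the final destination) are assumptions constructed for the demonstration.

```python
"""Recursive unwrapping of nested URL-rewriting ("Safe Links") chains.

Added example for this summary; it is not LevelBlue SpiderLabs tooling.
Assumptions: the parameter names in WRAPPED_URL_PARAMS, the host suffixes
in REWRITER_SUFFIXES, and the sample URL are illustrative constructions.
"""
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlparse

# Query parameters that rewriting services use to carry the original destination.
# The names follow the report's detection guidance (url=, target=, dest=) plus
# the u= seen in its urldefense example; this is an assumed list, not a spec.
WRAPPED_URL_PARAMS = ("u", "url", "target", "dest")

# Hostname suffixes treated as URL-rewriting/redirector services (assumed list;
# safelinks.protection.outlook.com and urldefense.com both appear in the report).
REWRITER_SUFFIXES = ("safelinks.protection.outlook.com", "urldefense.com")


def is_rewriter_host(host: Optional[str]) -> bool:
    """True if the host is one of the known rewriting services or a subdomain of one."""
    if not host:
        return False
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in REWRITER_SUFFIXES)


def extract_wrapped(url: str) -> Optional[str]:
    """Return the URL carried inside a rewritten link, or None if there is none.

    parse_qs already percent-decodes once; a second unquote is tried only when
    the value does not yet look like a URL, to cope with double-encoded layers.
    """
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    for name in WRAPPED_URL_PARAMS:
        for value in query.get(name, []):
            for candidate in (value, unquote(value)):
                if candidate.lower().startswith(("http://", "https://")):
                    return candidate
    return None


def unwrap_chain(url: str, max_depth: int = 10) -> list:
    """Statically follow nested rewrites (no network) and return each layer, outermost first."""
    chain = [url]
    seen = {url}
    while len(chain) < max_depth:
        inner = extract_wrapped(chain[-1])
        if inner is None or inner in seen:  # end of chain, or a self-referencing loop
            break
        seen.add(inner)
        chain.append(inner)
    return chain


def fully_decode(s: str, rounds: int = 5) -> str:
    """Percent-decode until the string stops changing (bounded)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def assess(url: str) -> dict:
    """Summarise a link: its layers, final destination and the nesting indicators."""
    chain = unwrap_chain(url)
    rewriter_layers = sum(1 for layer in chain if is_rewriter_host(urlparse(layer).hostname))
    return {
        "chain": chain,
        "final_destination": chain[-1],
        "rewriter_layers": rewriter_layers,
        # the report's behavioural indicator: several "http" strings inside one link
        "embedded_http_count": fully_decode(url).lower().count("http"),
        # one rewriting layer is normal mail-gateway behaviour; two or more trusted
        # providers nested inside each other is the multi-layered pattern described
        "suspicious": rewriter_layers >= 2,
    }


# Constructed sample: a urldefense-style link wrapping a Safe Links link wrapping
# the final destination. example.invalid is a placeholder, not a real indicator.
FINAL_DESTINATION = "https://login-portal.example.invalid/login"
INNER_LINK = ("https://nam02.safelinks.protection.outlook.com/?url="
              + quote(FINAL_DESTINATION, safe="") + "&data=ignored")
SAMPLE_LINK = "https://urldefense.com/v3/url?u=" + quote(INNER_LINK, safe="")

if __name__ == "__main__":
    for layer_no, layer in enumerate(assess(SAMPLE_LINK)["chain"]):
        print(f"layer {layer_no}: {layer}")
```

Because the decoder never fetches anything, it can run at delivery time over every link in a message body; the `suspicious` flag keys on the number of stacked rewriting providers rather than on the raw count of `http` substrings, since a single legitimate Safe Links wrap already contains two of those and would otherwise flag every protected message. Time-of-click inspection, which does follow the redirects live, remains the complement for conditional redirectors that only reveal the phishing page to certain clients.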
## Mitigation Strategies
- **User Awareness:** Educating employees that a "Safe Link" prefix does not guarantee the safety of the final destination.
- **Advanced Threat Protection (ATP):** Enabling settings that strip or inspect nested URLs and implementing "Zero-Hour" auto-purge features.
- **URL Sandboxing:** Ensuring that the security stack follows all redirects to the terminal URI and scans the resulting page content for phishing kits.
## Related Tools/Techniques
- **URL Shorteners:** (Bitly, TinyURL) often used in similar redirect chains.
- **Open Redirects:** Vulnerabilities on legitimate websites used to bounce traffic to malicious sites.
- **Living off the Land (LotL):** Using legitimate infrastructure to host or redirect malicious traffic.