Threat actors are increasingly turning email security features against the very people those features are meant to protect. Between late 2025 and early 2026, security researchers observed a sharp rise in attackers abusing URL rewriting tools to their advantage.

By chaining together multiple trusted security links, attackers can hide malicious domains and bypass traditional email defenses. These layered evasion tactics are now common on popular phishing-as-a-service (PhaaS) platforms such as Tycoon2FA and Sneaky2FA.

How URL Rewriting Is Used as a Weapon

URL rewriting is a common security feature in email gateways and web filters. When an email arrives, the system replaces every link in it with a "safe" link hosted on the vendor's own domain.

When a user clicks, the request passes through the vendor's server, which lets the system scan the destination in real time and block malicious sites. Phishers, however, have found a way to turn this protection around. An attacker who has compromised an internal email account can send a malicious link to that account.

Figure: an example of a crafted phishing link (Source: LevelBlue)

The organization's own email gateway automatically rewrites the link under the provider's trusted domain. If the scanner does not flag the destination at that moment, the attacker can export the newly minted "safe" link and reuse it in phishing campaigns outside the organization. This technique has recently evolved into complex, multi-layered redirect chains.

Instead of a single rewritten link, attackers now nest rewritten links from several security providers, including Cisco, Trend Micro, Barracuda, and Sophos. This deep nesting makes it very hard for automated security platforms to resolve the full redirect path and identify the final malicious site.

Figure: a URL as rewritten by one security provider (Source: LevelBlue)

Threat intelligence data shows that campaigns chaining three or more security services grew rapidly in late 2025 and reached all-time highs in early 2026.
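The nesting described above can be unwrapped offline, without ever requesting the links, and the depth of the chain is itself a detection signal. The following is an added example (not LevelBlue's or any vendor's code) that peels query-parameter-style "safe link" wrappers layer by layer and flags links that pass through three or more distinct rewriting vendors; the wrapper hostnames, parameter names and sample chain are constructed placeholders, since each real gateway uses its own format.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Constructed table: rewriting-host suffix -> query parameter that carries the
# original destination. Placeholder vendors, not real gateway endpoints.
KNOWN_WRAPPERS = {
    "safe.vendor-a.example": "url",
    "protect.vendor-b.example": "u",
    "scan.vendor-c.example": "a",
}
MAX_DEPTH = 10  # stop runaway or self-referential chains

def match_wrapper(host):
    """Return (vendor_suffix, param) if host is a known rewriter, else None."""
    for suffix, param in KNOWN_WRAPPERS.items():
        if host == suffix or host.endswith("." + suffix):
            return suffix, param
    return None

def unwrap(url):
    """Peel nested wrappers offline (no requests); return (final_url, vendors)."""
    vendors, current = [], url
    for _ in range(MAX_DEPTH):
        parts = urlsplit(current)
        hit = match_wrapper(parts.hostname or "")
        if hit is None:  # reached a non-wrapper URL: this is the destination
            break
        suffix, param = hit
        inner = parse_qs(parts.query).get(param, [""])[0]
        if not inner.lower().startswith(("http://", "https://")):
            break  # wrapper host but no embedded http(s) destination
        vendors.append(suffix)
        current = inner
    return current, vendors

def assess(url, threshold=3):
    """Flag a link that chains >= threshold distinct rewriting vendors."""
    final, vendors = unwrap(url)
    distinct = len(set(vendors))
    return {"final_url": final, "layers": len(vendors), "distinct_vendors": distinct,
            "verdict": "suspicious" if distinct >= threshold else "normal"}

def wrap(url, host, param):
    """Build a constructed rewritten link the way a gateway would (for tests)."""
    return f"https://{host}/?{param}={quote(url, safe='')}"

# Constructed sample: a harvesting page hidden behind three vendors' wrappers.
DESTINATION = "https://login-verify.invalid/m365?session=abc"
SAMPLE_CHAIN = wrap(wrap(wrap(DESTINATION, "eu.safe.vendor-a.example", "url"),
                         "protect.vendor-b.example", "u"), "scan.vendor-c.example", "a")
```

`assess(SAMPLE_CHAIN)` reports three layers from three distinct vendors and a verdict of "suspicious", while a link rewritten once by a single gateway comes back "normal"; the same vendor appearing twice counts once toward the threshold.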

Phishing Campaigns in the Real World

Modern PhaaS platforms use this layered redirection to steal Microsoft 365 credentials and bypass multi-factor authentication (MFA). They do so through adversary-in-the-middle (AiTM) attacks, which capture valid session cookies in real time.

Once an account is compromised, the attackers quickly move on to data theft, business email compromise, or ransomware deployment. In one large Tycoon2FA campaign, attackers sent victims fake Microsoft document requests in which the phishing link was hidden behind five different security vendor redirects.

Automated link scanners missed the threat because every hop in the chain used a trusted, security-branded domain.

Figure: number of sampled phishing emails per month that use multi-layered URL rewriting (Source: LevelBlue)

After passing through the five layers, victims had to solve a CAPTCHA challenge designed to keep automated security bots out. They were then taken to a fake Microsoft login page built to steal their passwords.

Organizations need to go beyond traditional link scanning to stop these advanced attacks.

To uncover malicious activity hidden behind trusted domains, defenders need behavioral detection, continuous network monitoring, and phishing-resistant MFA. Employees also need to learn to recognize suspicious authentication prompts, even when the initial link appears to come from a trusted security provider.