What is link wrapping?
When URL rewriting is enabled, the email gateway replaces all URLs in incoming messages with its own redirect links. Instead of https://example.com/beispieldokument, the recipient sees a link such as https://safelinks.protection.outlook.com/?url=https://example.com/beispieldokument. When the user clicks on it, the software checks the target URL in real time – this is often referred to as time-of-click protection.
Attackers take such rewritten links from security products and use them in their own emails. Since these services and their domains are well-known and long-established, they enjoy a certain reputation – which is what makes these attacks so dangerous.
All clicked URLs are rewritten and redirected so that known malicious targets can be blocked at the time of the click. This method is effective for known threats; however, attacks can still be successful if the rewritten link has not yet been identified as dangerous at the time of the click.
Criminals go to great lengths
In many cases, it is unclear how criminals obtain the rewritten links. It is possible that the attackers themselves use a security product with URL rewriting to obtain rewritten links. They then rewrite dangerous links and send them to their victims.
It is also conceivable that criminals have gained access, through previous successful phishing attempts, to a mailbox in which all incoming links are automatically rewritten by a click-time protection service. The criminals then send their own link to the compromised email address and reuse the resulting rewritten link in their own phishing campaign.
Since these are new links, they are not yet blocked, or – in the case of delayed activation – there is no malicious content on the target URL yet. Only later is the harmless page replaced by a phishing website. In these cases, the attackers often operate within a short time window: sooner or later, the abused service will also recognize the target URL and thus block access.
There is a significant risk
Stefan Cink, Director of Business and Professional Services at NoSpamProxy, also points out that there is a significant risk: if email security gateways are configured to no longer check links from known services, manipulated URLs are highly likely to end up directly in the recipient’s inbox.
In such cases, companies are dependent on the rewrite service they use to recheck the URL and, ideally, block access. However, this downstream control is not reliable enough.
NoSpamProxy solves this problem differently: 32Guards centrally evaluates rewritten links from legitimate services in the cloud. To do this, the 32Guards crawler infrastructure is used to examine all rewritten links from known URL rewriting services. As with URL shorteners, the redirects are checked.
If necessary, the entire attack chain, including the rewritten link, is immediately blocked for all 32Guards customers in the Global Threat Database. Customers of NoSpamProxy Server and NoSpamProxy Cloud who use URL Safeguard are protected retroactively, even if the email has already been delivered to the mailbox. In an ongoing spam campaign, new delivery attempts with this URL, now recognized as malicious, are immediately blocked.
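A gateway that should not trust a link merely because it carries a rewriting service's domain has to look at the wrapped target instead. The following is an added example, not NoSpamProxy's or 32Guards' code: it assumes the `?url=` format quoted at the top of this article, and the names `WRAPPERS`, `unwrap` and `host_to_evaluate` are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: wrapper host suffix -> query parameter holding the original URL.
# Only the format quoted in the article is listed here.
WRAPPERS = {"safelinks.protection.outlook.com": "url"}
MAX_LAYERS = 5  # wrappers can be nested; bound the unwrapping


def wrapper_param(host):
    """Return the target parameter if host belongs to a known rewriting service."""
    host = (host or "").lower().rstrip(".")
    for suffix, param in WRAPPERS.items():
        # Exact or subdomain match only, so "<wrapper>.lookalike.example" does not count.
        if host == suffix or host.endswith("." + suffix):
            return param
    return None


def unwrap(url):
    """Peel known rewrite layers. Returns (chain, final_url); final_url is None
    when the real target cannot be determined and the link should be held."""
    chain = [url]
    for _ in range(MAX_LAYERS):
        parts = urlsplit(url)
        param = wrapper_param(parts.hostname)
        if param is None:
            return chain, url              # no (further) wrapper: this is the target
        values = parse_qs(parts.query).get(param)
        if not values or urlsplit(values[0]).scheme not in ("http", "https"):
            return chain, None             # wrapper without a usable target
        url = values[0]                    # parse_qs has percent-decoded one level
        chain.append(url)
    return chain, None                     # nesting deeper than MAX_LAYERS


def host_to_evaluate(url):
    """Hostname whose reputation should decide, never the wrapper's own."""
    _, final = unwrap(url)
    return urlsplit(final).hostname if final else None


if __name__ == "__main__":
    # Constructed samples; the first is the example URL from the article.
    for sample in (
        "https://safelinks.protection.outlook.com/?url=https://example.com/beispieldokument",
        "https://safelinks.protection.outlook.com.lookalike.example/?url=https://example.com/",
    ):
        print(sample, "->", host_to_evaluate(sample))
```

A `None` result means the wrapper hides its target or is nested too deeply, which is a reason to hold the message for inspection rather than to pass it on the wrapper's reputation.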
How can you protect yourself?
Not yet using NoSpamProxy?
With NoSpamProxy Protection, you can reliably protect your company from dangerous phishing emails and benefit from many other security features. Request your free trial now!



