Threat Actors Ramp Up Use of Encoded URLs to Bypass Secure Email

Secure email gateways (SEG) do a lot to protect organizations from malware, spam, and phishing email. For some threat actors though, they also offer an attractive option for sneaking malicious mail past other SEGs.

Security researchers from Cofense this week reported observing a recent surge in attacks, where threat actors have used SEGs to encode or to rewrite malicious URLs embedded in their emails to potential victims. In many cases, when the emails arrived at their destination, SEGs allowed the malicious URLs to go through without properly vetting the link.

The SEG Versus SEG Threat

The reason, says Max Gannon, threat intelligence manager at Cofense, is that some secure email gateway products appear not to be handling SEG-encoded URLs properly and assume them to be always safe, when in reality they are not.

"We do not have access to the internals of SEGs, so I can't say for certain," Gannon says. "But they likely either implicitly trust the URLs or they attempt to scan them, but the domain of the SEG that encodes the URL is trusted, so the [receiving] SEG assumes the URL itself is legitimate."

In SEG encoding, a secure email gateway product essentially rewrites every URL in an outgoing email into a link that points to its own infrastructure. When a recipient clicks on the encoded link, the user is first directed to the sender's SEG system, which checks if the URL is safe before redirecting the user to the intended destination. The checks usually involve assessing the URL using reputation, blacklists, signatures, and other mechanisms, which means sometimes it might take an SEG days and even weeks before it designates a URL as malicious.

In these situations, problems can arise if the recipient's secure email gateway technology does not recognize an already encoded URL as needing scanning, or if the recipient's SEG scans the URL, but only sees the sending email gateway's domain and not the final destination.

"Oftentimes when SEGs detect URLs in emails that are already SEG-encoded they do not scan the URLs, or the scanning shows only the security tool's scanning page and not the actual destination," Cofense wrote in its report this week. "As a result, when an email already has SEG-encoded URLs, the recipient's SEG often allows the email through without properly checking the embedded URLs."

A Substantial Increase

Attackers have abused SEG encoding previously to sneak malicious emails into target environments. But there has been a substantial increase in use of the tactic in the second quarter of this year, May in particular. Cofense said.

According to the security vendor, the four email security gateways that threat actors have abused the most to encode URLs and sneak them past email defense mechanisms are VIPRE Email Security, Bitdefender LinkScan, Hornet Security Advanced Threat Protection URL Rewriting, and Barracuda Email Gateway Defense Link Protection.

Cofense said its researchers had observed attackers using these SEGs to encode malicious URLs in variously themed campaigns targeted at users protected by SEGs from a variety of vendors.

Gannon says some SEG encodings would require the threat actor to run their URL through the SEG. "Other encodings like Barracuda Link Protect would let you simply prepend their URL to the malicious URL you are trying to bypass with," he says. "For example, to use Barracuda Link Protect to bypass SEGs with the URL hxxp[:]//badplace[.]com/, I would simply add the Barracuda Link Protect URL and make it: hxxps://linkprotect[.]cudasvc[.]com/url?a=hxxp[:]//badplace[.]com/."

Gannon says one reason why threat actors likely aren't using the tactic on a much broader scale is because it involves additional work. "The biggest thing it comes down to is effort," he says. If a threat actor can take an hour to encode all the URLs in a campaign and reach 500 more inboxes, they could take the same hour and just find an additional 1,000 email addresses to send the campaign to."

Protecting against the tactic can be relatively difficult, as most SEGs don't have tuning methods for ignoring other SEG encodings, Gannon says. Therefore, the best way to combat the tactic remains user awareness and training. "A vigilant and informed employee is not going to click a link in a suspect email, even if the URL is encoded by a SEG."