Rising Threat: How Encoded URLs are Evading Secure Email Gateways

In a concerning trend observed recently, threat actors are increasingly leveraging encoded URLs to bypass secure email gateways (SEGs), posing a significant challenge to email security defenses.

According to recent findings by Cofense, there has been a notable uptick in attacks where threat actors manipulate SEGs to encode or rewrite malicious URLs embedded in emails. This tactic exploits vulnerabilities in SEG technologies, allowing malicious links to slip through undetected to unsuspecting recipients.

Max Gannon, threat intelligence manager at Cofense, explains the mechanics behind SEG encoding: "Secure email gateways often rewrite URLs in outbound emails to direct them through their own infrastructure. When recipients click on these encoded links, they first pass through the sender's SEG, which checks the URL's safety before redirecting to the intended destination."

The issue arises when the recipient's SEG fails to properly scan these already encoded URLs. Instead of scrutinizing the final destination, some SEGs may overlook the scanning process altogether or only assess the sender's domain, assuming the URL to be safe based on its origin.

"Cofense's research highlights instances where SEGs do not effectively scan URLs that are already SEG-encoded, allowing potentially malicious links to evade detection," notes the report.

This method has seen a substantial increase in usage, particularly noted in the second quarter of this year. Threat actors have exploited vulnerabilities in several SEG products, including VIPRE Email Security, Bitdefender LinkScan, Hornet Security Advanced Threat Protection URL Rewriting, and Barracuda Email Gateway Defense Link Protection.

Gannon points out that while encoding URLs adds complexity to the attack, it also enhances the likelihood of successful infiltration by bypassing traditional email defense mechanisms. Despite these challenges, user awareness and training remain crucial in mitigating such threats.

"The most effective defense against encoded URL attacks is educating users to recognize and avoid clicking on suspicious links, even if they appear to come from trusted sources," advises Gannon.

As organizations continue to enhance their cybersecurity postures, solutions like Foresiet offer advanced capabilities such as stolen credentials detection, dark web surveillance, and brand protection. These proactive measures are essential in combating evolving cyber threats and safeguarding sensitive data from sophisticated attacks.

In conclusion, while SEGs play a vital role in email security, the rise in encoded URL tactics underscores the need for continuous improvement in defense strategies and user vigilance to stay ahead of malicious actors in today's digital landscape.

About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.