Attackers abuse URL protection services to hide phishing links in emails

When users then click on the rewritten link, the server runs a check to see if the link points to a known phishing or malware website and based on the result, either blocks access to it or redirects the request to the final destination. The benefit is that if a website is flagged as malicious at a later time, all rewritten links pointing to it will stop working, delivering protection to all users.

However, the success of this approach in practice is debatable, and it has downsides too. First, it breaks cryptographic email signatures, because the secure email gateway modifies the original email when it changes the link. Second, the rewritten links obfuscate the real destinations, some of which would be obviously suspicious to anyone who could see them.

For example, Microsoft offers this feature to Office 365 users under the name Safe Links: links in incoming emails and in messages in apps like Outlook and Teams are rewritten to na01.safelinks.protection.outlook.com/?url=[original_URL]. Security companies have criticized the feature in the past for not actually performing dynamic scans, and for being easy to bypass either with traffic redirection based on IP (Microsoft’s IP addresses are publicly known) or with open redirect URLs from legitimate and trusted domains.
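
Because a rewritten link hides its real destination, mail triage and log analysis usually need to recover the original URL before judging it. The following Python sketch is an added example, not code from the article or from Microsoft. It relies only on the url= parameter shown above and assumes that any subdomain of safelinks.protection.outlook.com (not just na01) is a Safe Links host. The function names and sample links are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Domain suffix from the rewritten-link format quoted in the article; accepting
# any subdomain (not only "na01") is an assumption of this example.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
MAX_DEPTH = 5  # a link may be wrapped more than once; bound the unwrapping
_HAS_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def _split(url: str):
    """Parse a URL, tolerating links that were logged without a scheme."""
    return urlsplit(url if _HAS_SCHEME.match(url) else "//" + url)


def is_safelinks(url: str) -> bool:
    """True only when the hostname is a subdomain of the Safe Links domain."""
    host = (_split(url).hostname or "").lower()
    return host.endswith(SAFELINKS_SUFFIX)


def unwrap_safelinks(url: str) -> str:
    """Return the original destination carried in the url= parameter."""
    for _ in range(MAX_DEPTH):
        if not is_safelinks(url):
            break
        inner = parse_qs(_split(url).query).get("url")
        if not inner:
            break  # no url= parameter: leave the link untouched
        url = inner[0]  # parse_qs has already percent-decoded the value
    return url


def destination_host(url: str) -> str:
    """Hostname to review or match against blocklists, after unwrapping."""
    return (_split(unwrap_safelinks(url)).hostname or "").lower()


# Constructed sample links; example.test is a reserved test domain.
SAMPLES = [
    "https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flogin.example.test%2Freset%3Fid%3D7",
    # Lookalike host that merely contains the Safe Links name: not unwrapped.
    "https://safelinks.protection.outlook.com.example.test/?url=https%3A%2F%2Fa.example.test",
    "https://www.example.test/plain",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{is_safelinks(link)!s:5} {destination_host(link)}")
```

The suffix check with a leading dot is what keeps the lookalike host in the second sample from being treated as a genuine rewritten link.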