URL obfuscation
Summary
Attackers use various URL obfuscation techniques to prevent URL-based detections from firing when a link is analysed.
This is typically combined with hosting on trusted websites, domain rotation, redirection and load balancing, so that URL- and domain-based checks are bypassed and the user is ultimately delivered to a malicious domain.
The most common methods used are:
- Using unauthorized URL redirects on websites that allow open redirects
- Using URL shorteners (in particular custom or uncommon shorteners, which are less likely to be blocked by email providers)
- Obfuscating the URL destination, for example through URL schema obfuscation
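A defender-side check that surfaces the three techniques above, as an added example written for this page (it is not code from the original page). It relies only on Python's standard `urllib.parse` and flags: a userinfo component before the `@` that makes the visible "host" differ from the host the browser actually connects to (the schema trick of Example 5), percent-encoded characters in the host, a query parameter whose value is itself an absolute URL (the shape of an open redirect), and hosts on a shortener list. `t.co` comes from the page; the other shortener entries and all sample URLs are constructed assumptions.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed watch-list: t.co appears on the page, the rest are assumed
# entries a team would maintain for its own environment.
KNOWN_SHORTENERS = {"t.co", "bit.ly", "tinyurl.com"}


def analyse_url(url: str) -> dict:
    """Return the host a browser would really contact plus a list of
    obfuscation findings for one URL (an empty list means nothing flagged)."""
    parts = urlsplit(url)
    findings = []

    # 1. userinfo trick: everything before the last '@' in the authority is
    #    credentials, not the destination; the real host comes after it.
    if "@" in parts.netloc:
        userinfo, _, real_hostport = parts.netloc.rpartition("@")
        findings.append(
            f"userinfo '{userinfo}' precedes the real host '{real_hostport}'"
        )

    # 2. percent-encoded authority: decode and compare with the raw form.
    raw_host = parts.hostname or ""
    effective_host = unquote(raw_host)
    if effective_host != raw_host:
        findings.append(
            f"percent-encoded host '{raw_host}' decodes to '{effective_host}'"
        )

    # 3. open-redirect shape: a query value that is an absolute URL.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            findings.append(f"query parameter '{key}' carries an absolute URL: {value}")

    # 4. known shortener as the effective host.
    if effective_host.lower() in KNOWN_SHORTENERS:
        findings.append(f"host '{effective_host}' is a known URL shortener")

    return {"effective_host": effective_host, "findings": findings}


if __name__ == "__main__":
    # Constructed sample URLs; none are real sites.
    for sample in (
        "https://trusted.example.com@evil.example/login",
        "https://evil%2Eexample/",
        "https://portal.example.com/redirect?url=https://evil.example/",
        "https://t.co/abc123",
        "https://www.example.com/",
    ):
        result = analyse_url(sample)
        print(sample, "->", result["effective_host"], result["findings"])
```

Run it over a column of URLs extracted from mail logs or a proxy feed; the `effective_host` value, rather than the string the user sees, is what belongs in a domain reputation lookup.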
Examples
- Example 1: Unauthorized URL redirects
- Example 2: Using the X/Twitter link shortener (t.co) to hide an AITM credential phishing payload
- Example 3: Using WhatsApp shortened URLs
- Example 4: Using custom URL shorteners
- Example 5: URL schema obfuscation — Using URL schema obfuscation and encoding to mask phishing URLs by abusing the way that browsers handle addresses including the @ symbol.
- Example 6: Attackers abuse link wrapping services to steal M365 logins.