Bypassing Legacy SEGs: How Attackers Exploit URL Rewriting to Hack M365 Accounts

Explore how attackers exploit rewritten URLs to gain unauthorized access, highlighting traditional security vulnerabilities and the need for modern tools.
October 4, 2024

URL rewriting is a security measure commonly used by email security platforms to scan and rewrite links in emails to ensure they are safe before the recipient clicks on them. While this technique is effective in blocking many malicious URLs, threat actors are continually evolving their tactics to exploit these defenses. One such method involves abusing the legitimate URL rewriting process to bypass detection and deliver malicious content to unsuspecting users.

In the real-world example that follows, attackers abused one vendor's legitimate URL rewriting service to evade a second URL rewriting service and facilitate an OAuth compromise within a Microsoft 365 (M365) environment. By passing along URLs already rewritten by trusted email security systems, the attackers successfully gained unauthorized access, demonstrating how traditional security measures can be turned against their users and why organizations should adopt a modern solution.

Breaking Down a Recent URL Rewriting Abuse Attack

Step 1: Email Account Compromise

In the first step of the attack, the threat actor compromises an email account at an organization that is a customer of an email security solution using URL rewriting (this organization is not the target of the email attack presented below). The threat actor then sends an email to that same compromised account containing a novel URL, which gets rewritten rather than blocked. Once the threat actor has that rewritten URL, a new email containing it is sent from the compromised account to the threat actor's next victims.

The email from the compromised account passes all traditional sender authentication methods and contains a novel URL that has been rewritten by a legitimate security vendor. This combination of factors allows it to bypass the recipient's existing security solution. When run through the Abnormal platform, however, the email is flagged as a credential phishing threat impersonating Microsoft.

Step 2: Sending the Email from the External Compromised Account

The threat actor sends an email impersonating a Microsoft informational alert. Because this message originates from a legitimate account, passes email authentication, and contains a novel, rewritten URL from a legitimate security control, the victim’s secure email gateway (SEG) delivers the message and rewrites the already-rewritten URL.

URL 1

Here is the URL as it appeared in the delivered email, partially redacted: hxxps://[seg_rewrite_redacted]__hxxps://us01[.]z[.]antigena[.]com[redacted]

This is the SEG-rewritten version of the other vendor's rewritten URL.

Unwrapped, this is the original URL that was sent in this inbound threat:
hxxps://us01[.]z[.]antigena[.]com/l/[redacted]

Which ultimately resolves to this location:
hxxps://us[.]services[.]docusign[.]net/webforms-ux/v1.0/[redacted]
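The wrapped URL above is a rewriter's prefix with the target embedded after a `__` marker, and the SEG judged only the outer wrapper. The following added example (not code from the post or from any vendor named in it) unwraps such links layer by layer, whether the target sits in the path or in a percent-encoded query parameter, and flags double-rewritten links so the innermost host is what gets evaluated. All hosts other than the antigena.com host quoted in the post are constructed placeholders.

```python
"""Unwrap nested SEG/vendor-rewritten links and flag double rewriting."""
import re
from urllib.parse import parse_qs, unquote, urlparse

SCHEME = re.compile(r"https?://", re.IGNORECASE)
# Rewriter trailer such as "__;..." (as in the post's wrapped URL) or stray markup.
TRAILER = re.compile(r"__;|[\s\"'<>]")


def embedded_url(url):
    """Return the first URL nested inside `url`, or None if it is a leaf."""
    parsed = urlparse(url)
    # Case 1: wrapper carries the target in a query parameter (?u=https%3A%2F%2F...)
    for values in parse_qs(parsed.query).values():
        for value in values:  # parse_qs already percent-decodes the value
            if SCHEME.match(value):
                return value
    # Case 2: wrapper embeds the target in its path (/__https://target__;)
    decoded = unquote(url)
    match = SCHEME.search(decoded, 1)  # pos=1 skips the wrapper's own scheme
    if match is None:
        return None
    return TRAILER.split(decoded[match.start():], 1)[0]


def unwrap_chain(url, max_depth=8):
    """Outermost-first list of URLs; each extra entry is one rewriting layer."""
    chain = [url]
    for _ in range(max_depth):
        inner = embedded_url(chain[-1])
        if inner is None or inner == chain[-1]:
            break
        chain.append(inner)
    return chain


def assess_link(url):
    """Summarise rewrite depth so the innermost host, not the wrapper, is judged."""
    chain = unwrap_chain(url)
    hops = len(chain) - 1
    return {
        "wrapper_hosts": [urlparse(u).hostname for u in chain[:-1]],
        "final_url": chain[-1],
        "final_host": urlparse(chain[-1]).hostname,
        "rewrite_hops": hops,
        "double_rewritten": hops >= 2,  # the laundering pattern in this post
    }


# Constructed sample: SEG wrapper (query form) around a vendor wrapper (path form).
DOUBLE = ("https://seg.example.net/v2/url?u=https%3A%2F%2Fvendor-rewrite.example.org"
          "%2F__https%3A%2F%2Fus01.z.antigena.com%2Fl%2Fabc123__%3B&t=1")

if __name__ == "__main__":
    print(assess_link(DOUBLE))
```

A click-time or pre-delivery check should run reputation and sandbox analysis against `final_url`; a `double_rewritten` result alone is a strong signal for review, since legitimate mail rarely carries another organization's rewritten links.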

Step 3: Sending Rewritten Payloads to Evade SEG Detection

After the message is delivered, as in many modern phishing campaigns, several legitimate services are abused in tandem with multiple required victim interactions. Together these obfuscate the eventual payload and bypass traditional email security controls such as sandboxing:

URL 2

Abnormal detects the attack in real time. However, the email remains in the inbox because Abnormal is configured in a read-only state for this client's Proof of Value.

Step 4: Double-Rewritten URL + 302 Redirect Chain

The victim’s SEG solution checks the originally rewritten URL at the time of click but doesn’t recognize it as malicious. It then issues a 302 redirect, sending the user to the abused Docusign service.

URL 3

At this point, the user has to:

  • Click “VERIFY THAT YOU’RE human”

  • Click “Submit”

  • Click “Done”

URL 4

Step 5: Hijacking M365 Account Using OAuth Exploit

Then, the user is redirected to another site and must solve a CAPTCHA. After this, they are prompted to allow the installation of an OAuth application. This grants the attacker permission to access their M365 account.

URL 5

Instead of harvesting credentials as in a traditional phishing attack, the user unknowingly installs an add-on that gives the attacker ongoing access to the account, even if the user later changes their password. The only way to stop this access is to remove the add-on from the account.

Strengthening Defenses Against URL Rewriting Abuse

This real-world attack demonstrates the increasing sophistication of email-based threats, particularly those leveraging URL rewriting and OAuth permissions to bypass traditional security measures. To effectively combat these evolving threats, organizations must adopt a layered defense strategy that includes robust monitoring of OAuth permissions and regular review of add-ins to prevent unauthorized access.
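Because the OAuth grant in Step 5 survives a password change, the monitoring recommended above has to look at consent records rather than sign-ins. The following added example (not code from the post or from Abnormal) triages consent data in the shape returned by Microsoft Graph's `servicePrincipals` and `oauth2PermissionGrants` endpoints; the records, tenant ID and object IDs below are constructed, and the Graph HTTP calls are left out so it runs offline.

```python
"""Triage Microsoft Graph OAuth consent records for risky third-party app grants."""
HOME_TENANT = "11111111-1111-1111-1111-111111111111"  # placeholder tenant ID
# Delegated Graph scopes that give an app mailbox reach or standing access.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                "MailboxSettings.ReadWrite", "Files.Read.All", "offline_access"}

SERVICE_PRINCIPALS = [  # constructed, in the shape of GET /v1.0/servicePrincipals
    {"id": "sp-1", "appId": "app-1", "displayName": "Document Viewer",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
     "verifiedPublisher": {"displayName": None}},
    {"id": "sp-2", "appId": "app-2", "displayName": "Corp Intranet",
     "appOwnerOrganizationId": HOME_TENANT,
     "verifiedPublisher": {"displayName": "Contoso"}},
]
GRANTS = [  # constructed, in the shape of GET /v1.0/oauth2PermissionGrants
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-7",
     "resourceId": "graph-sp", "scope": "offline_access Mail.ReadWrite User.Read"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph-sp", "scope": "User.Read"},
]


def triage_grants(service_principals, grants, home_tenant=HOME_TENANT):
    """Return grants worth a human review, highest number of signals first."""
    by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        sp = by_id.get(grant["clientId"], {})
        scopes = set(grant.get("scope", "").split())
        reasons = []
        if sp.get("appOwnerOrganizationId") not in (None, home_tenant):
            reasons.append("app registered in another tenant")
        if not (sp.get("verifiedPublisher") or {}).get("displayName"):
            reasons.append("publisher not verified")
        if grant.get("consentType") == "Principal":
            reasons.append("granted by individual user consent")
        if scopes & RISKY_SCOPES:
            reasons.append("risky scopes: " + " ".join(sorted(scopes & RISKY_SCOPES)))
        if len(reasons) >= 2:  # a single weak signal is not actionable on its own
            findings.append({"app": sp.get("displayName"), "user": grant.get("principalId"),
                             "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in triage_grants(SERVICE_PRINCIPALS, GRANTS):
        print(finding)  # remediation is to revoke the grant, matching the post's advice
```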

To stay ahead of these sophisticated threats, organizations should consider adopting AI-powered solutions like Abnormal, which can detect and block advanced attacks that traditional security tools miss. By integrating AI-driven systems, businesses can enhance their security posture and proactively protect against emerging cyber risks in their cloud environments.

Interested in seeing how Abnormal can protect your organization from advanced attacks like this? Schedule a demo today!
