Bypassing Legacy SEGs: How Attackers Exploit URL Rewriting to Hack M365 Accounts

Explore how attackers exploit rewritten URLs to gain unauthorized access, highlighting traditional security vulnerabilities and the need for modern tools.
October 4, 2024

URL rewriting is a security measure commonly used by email security platforms to scan and rewrite links in emails to ensure they are safe before the recipient clicks on them. While this technique is effective in blocking many malicious URLs, threat actors are continually evolving their tactics to exploit these defenses. One such method involves abusing the legitimate URL rewriting process to bypass detection and deliver malicious content to unsuspecting users.

In the real-world example below, the attackers abused one legitimate URL rewriting service in order to slip past a second one, and used the resulting link to drive an OAuth consent compromise inside a Microsoft 365 (M365) environment. By passing off rewritten URLs from trusted email security systems as benign, the attackers gained unauthorized access, which shows how traditional controls can be turned against their owners and why organizations should look beyond them.

Breaking Down a Recent URL Rewriting Abuse Attack

Step 1: Email Account Compromise

In the first step of the attack, the threat actor compromises an email account belonging to a customer of an email security solution that leverages URL rewriting (this account is not the target of the attack described below). The threat actor then sends an email to that same compromised account containing a novel URL, which the rewriting service wraps rather than blocks because it has no verdict on it yet. Once the threat actor has that rewritten URL, a new email carrying it is sent from the compromised account to the next set of victims.

The email from the compromised account passes all traditional sender authentication checks (SPF, DKIM, and DMARC all succeed because it really does come from that account) and contains a novel URL that has been rewritten by a legitimate security vendor. This combination allows it to bypass the recipient's existing security solution. When run through the Abnormal platform, however, the email is flagged as a credential phishing threat impersonating Microsoft.

Step 2: Sending the Email from the External Compromised Account

The threat actor sends an email impersonating a Microsoft informational alert. Because this message originates from a legitimate account, passes email authentication, and contains a novel, rewritten URL from a legitimate security control, the victim’s secure email gateway (SEG) delivers the message and rewrites the already-rewritten URL.

URL 1

Here is the URL as it appeared in the delivered message, partially redacted: hxxps://[seg_rewrite_redacted]__hxxps://us01[.]z[.]antigena[.]com[redacted]

We can see the SEG-rewritten version of the other vendor’s rewritten URL.

Unwrapped one level, this is the URL that was actually sent in the inbound threat, i.e. the first vendor's rewrite:
hxxps://us01[.]z[.]antigena[.]com/l/[redacted]

Which ultimately resolves to this location:
hxxps://us[.]services[.]docusign[.]net/webforms-ux/v1.0/[redacted]
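The double-rewritten link above is a pattern a mail-flow rule or detection pipeline can look for on its own: a rewriter link whose wrapped target is another rewriter link. The following is an added example, not code from the original post or from any vendor; it peels rewriter wrappers off a URL (both the path-suffix form shown in the post and the percent-encoded query-parameter form some gateways use) and flags links that pass through two or more rewriting hosts. The SEG host name `seg.example-gateway.net`, the `__` delimiter and the `?u=` parameter are assumptions; only `us01.z.antigena.com` appears in the post, and the sample links are constructed.

```python
"""Unwrap nested URL-rewriter links and flag "double-rewritten" URLs.

Added example, not code from the original post. The SEG host and the
wrapping conventions are assumptions; the sample URLs are constructed.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Hosts belonging to URL-rewriting services the organisation trusts.
# Assumed list for this example: seg.example-gateway.net is hypothetical.
REWRITER_HOSTS = {
    "us01.z.antigena.com",
    "seg.example-gateway.net",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def refang(defanged: str) -> str:
    """Turn the hxxps://x[.]y notation used in the post back into a real URL."""
    return defanged.replace("hxxp", "http").replace("[.]", ".")


def next_embedded_url(url: str) -> Optional[str]:
    """Return the URL that `url` wraps, or None if it wraps nothing.

    Covers two rewriter conventions: the original URL appended raw after a
    delimiter in the path ("...__https://..."), and the original URL carried
    percent-encoded in a query value ("...?u=https%3A%2F%2F...").
    """
    parts = urlsplit(url)
    # A second raw scheme anywhere after the outer one.
    m = URL_RE.search(url, len(parts.scheme) + 3)
    if m:
        return m.group(0)
    # Percent-encoded inside a query value (parse_qsl decodes once already).
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        m = URL_RE.search(unquote(value))
        if m:
            return m.group(0)
    # Percent-encoded inside the path.
    m = URL_RE.search(unquote(parts.path))
    return m.group(0) if m else None


def unwrap_chain(url: str, max_depth: int = 8) -> list:
    """Peel wrappers outermost-first until no embedded URL remains."""
    chain = [url]
    while len(chain) < max_depth:
        inner = next_embedded_url(chain[-1])
        if inner is None or inner in chain:
            break
        chain.append(inner)
    return chain


def assess(url: str) -> dict:
    """Report how many rewriter hops wrap the link and what is left at the end."""
    chain = unwrap_chain(url)
    hosts = [(urlsplit(u).hostname or "").lower() for u in chain]
    hops = [h for h in hosts if h in REWRITER_HOSTS]
    return {
        "chain": chain,
        "rewriter_hops": hops,
        "double_rewritten": len(hops) >= 2,
        # A rewriter link that wraps no visible target (e.g. /l/<token>) can
        # only be resolved by following its redirect at click time.
        "opaque_tail": hosts[-1] in REWRITER_HOSTS,
    }


# Constructed samples modelled on the redacted link in the post.
SAMPLE_PATH_STYLE = refang(
    "hxxps://seg[.]example-gateway[.]net/v1/rewrite__"
    "hxxps://us01[.]z[.]antigena[.]com/l/REDACTED"
)
SAMPLE_QUERY_STYLE = (
    "https://seg.example-gateway.net/v2/url"
    "?u=https%3A%2F%2Fus01.z.antigena.com%2Fl%2FREDACTED&c=1"
)

if __name__ == "__main__":
    for sample in (SAMPLE_PATH_STYLE, SAMPLE_QUERY_STYLE, "https://example.com/page"):
        print(assess(sample))
```

Note the `opaque_tail` result for the post's link: after unwrapping, what remains is still a rewriter token link (`/l/...`), so static unwrapping cannot reveal the Docusign form. A detector that stops here has to either follow the redirect chain at scan or click time or treat an inbound, already-rewritten token link from a vendor the organisation does not use as suspicious in itself.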

Step 3: Sending Rewritten Payloads to Evade SEG Detection

After the message is delivered, the attack behaves like much modern phishing: several legitimate services are abused in tandem, and the victim has to perform multiple interactive steps before the payload appears. Both properties obscure the eventual payload from traditional email security controls such as sandboxing, which cannot click through the chain the way a person does:

URL 2

Abnormal detects the attack in real time. However, the email is still in the inbox as Abnormal is configured in a read-only state for this client’s Proof of Value.

Step 4: Double-Rewritten URL + 302 Redirect Chain

The victim’s SEG checks the inner, already-rewritten URL at the time of click but does not recognize it as malicious. The click then passes through a 302 redirect that sends the user to the abused Docusign service.

URL 3

At this point, the user has to:

  • Click “VERIFY THAT YOU’RE human”

  • Click “Submit”

  • Click “Done”

URL 4

Step 5: Hijacking M365 Account Using OAuth Exploit

Then the user is redirected to another site and must solve a CAPTCHA. After this, they are prompted to consent to an OAuth application's permission request. Accepting it grants the attacker's application access to their M365 account.

URL 5

Instead of harvesting a password as a traditional credential phishing attack would, the attack has the user grant consent to an attacker-controlled OAuth application. The application holds its own tokens, so the attacker keeps access to the account even if the user changes their password. That access persists until the application's consent grant is removed from the account and its existing tokens are revoked.
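Because the grant, not the password, is what the attacker holds, the response is to find and remove the grant. The following is an added example, not code from the original post or from Microsoft; it triages OAuth2 permission grants and service principals exported from Microsoft Graph (the field names follow the Graph `oauth2PermissionGrant` and `servicePrincipal` resources) and emits, for each suspicious grant, the Graph calls that remove it. The records, app names, IDs, the scope watchlist and the 30-day "new app" threshold are constructed assumptions for the example.

```python
"""Triage M365 OAuth2 permission grants for signs of consent phishing.

Added example, not code from the original post. Record shapes follow
Microsoft Graph's oauth2PermissionGrant and servicePrincipal resources;
every record, ID and name below is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Delegated scopes that let an app keep reading or sending mail and files
# long after consent. Assumed watchlist; tune it to the tenant.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "EWS.AccessAsUser.All",
}

# Fixed clock so the constructed sample is reproducible.
NOW = datetime(2024, 10, 1, tzinfo=timezone.utc)

# Constructed export shaped like GET /servicePrincipals (selected fields).
SERVICE_PRINCIPALS = [
    {"id": "sp-0001", "displayName": "Corporate CRM Connector",
     "verifiedPublisher": {"displayName": "Example Vendor Ltd"},
     "createdDateTime": "2022-03-14T09:00:00Z"},
    {"id": "sp-0002", "displayName": "Document Viewer Add-in",
     "verifiedPublisher": {"displayName": None},
     "createdDateTime": "2024-09-28T16:42:11Z"},
]

# Constructed export shaped like GET /oauth2PermissionGrants.
GRANTS = [
    {"id": "grant-a", "clientId": "sp-0001", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Mail.Send"},
    {"id": "grant-b", "clientId": "sp-0002", "consentType": "Principal",
     "principalId": "user-7f3a",
     "scope": "openid profile offline_access Mail.ReadWrite Mail.Send"},
    {"id": "grant-c", "clientId": "sp-0002", "consentType": "Principal",
     "principalId": "user-c21d", "scope": "openid profile User.Read"},
]


def _parse_time(ts: str) -> datetime:
    """Graph returns ISO 8601 with a trailing Z; older Pythons need +00:00."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage(grants, service_principals, now=NOW, new_app_days=30):
    """Return grants that look like consent phishing, with reasons and fixes."""
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = sps.get(g["clientId"], {})
        scopes = set(g.get("scope", "").split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if not risky:
            continue
        reasons = []
        if g.get("consentType") == "Principal":
            reasons.append("consented by a single user, not an admin")
        if not (sp.get("verifiedPublisher") or {}).get("displayName"):
            reasons.append("publisher not verified")
        created = sp.get("createdDateTime")
        if created and now - _parse_time(created) < timedelta(days=new_app_days):
            reasons.append(f"service principal is under {new_app_days} days old")
        if "offline_access" in scopes:
            reasons.append("offline_access: refresh token outlives a password change")
        # A mail/file scope alone is normal for vetted apps; require a second signal.
        if len(reasons) < 2:
            continue
        remediation = [f"DELETE /oauth2PermissionGrants/{g['id']}"]
        if g.get("principalId"):
            remediation.append(f"POST /users/{g['principalId']}/revokeSignInSessions")
        findings.append({
            "grant_id": g["id"],
            "app": sp.get("displayName", g["clientId"]),
            "user": g.get("principalId"),
            "risky_scopes": risky,
            "reasons": reasons,
            "remediation": remediation,
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(GRANTS, SERVICE_PRINCIPALS), indent=2))
```

The two remediation calls matter together: deleting the `oauth2PermissionGrant` stops new consent-based token issuance, and `revokeSignInSessions` invalidates the user's outstanding refresh tokens so the application cannot keep minting access tokens from the one it already has. If the application was registered in the tenant by the attacker, deleting its service principal as well removes it for every user who consented. Run this against a baseline of known-good grants rather than a raw export, or the verified, admin-consented connectors will still need manual review.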

Strengthening Defenses Against URL Rewriting Abuse

This real-world attack demonstrates the increasing sophistication of email-based threats, particularly those leveraging URL rewriting and OAuth permissions to bypass traditional security measures. To effectively combat these evolving threats, organizations must adopt a layered defense strategy that includes robust monitoring of OAuth permissions and regular review of add-ins to prevent unauthorized access.

To stay ahead of these sophisticated threats, organizations should consider adopting AI-powered solutions like Abnormal, which can detect and block advanced attacks that traditional security tools miss. By integrating AI-driven systems, businesses can enhance their security posture and proactively protect against emerging cyber risks in their cloud environments.

Interested in seeing how Abnormal can protect your organization from advanced attacks like this? Schedule a demo today!
