Weaponizing Safe Links: Abuse of Multi-Layered URL Rewriting in Phishing Attacks

In 2024, threat actors were already abusing URL rewriting mechanisms in phishing campaigns to mask malicious domains. Between the second and fourth quarters of 2025, LevelBlue SpiderLabs identified a notable escalation in this tactic, with adversaries deliberately constructing multi‑layered URL rewriting as redirectors, chaining together multiple trusted providers to further obscure the final malicious domain and evade traditional email security controls.

This post examines these techniques through real-world campaigns delivered via phishing-as-a-service (PhaaS) platforms such as Tycoon2FA and Sneaky2FA, and shows how multi-layered URL rewriting has become a prevalent tactic in today's phishing landscape.


What is URL Rewriting?

URL rewriting is a security feature commonly used in email security gateways, secure email providers and web filtering platforms to protect users from harmful links. When a message arrives containing a URL, these systems replace the original URL with a vendor-generated link that routes the user through the vendor’s security-scanning servers at the time the URL is clicked.

This allows the system to:

  • Analyze the URL’s destination in real time

  • Block access if the site is malicious

  • Provide administrators with visibility into user activity

For example, a phishing email may contain a link such as:

Figure 1. Example of an original phishing link.

After URL rewriting, the link could appear as:

Figure 2. Example of a modified URL after being rewritten by a service provider.


Phishers Abusing URL Rewriting Services

URL rewriting is a useful control, but it can be, and is, abused. We have observed phishing links wrapped in vendor rewriting that threat actors most likely generated while operating from within compromised email accounts that had URL rewriting enabled.

Using the compromised account, the attacker sends a malicious URL to themselves or to a secondary account under their control. The tenant's email security system automatically rewrites the link, wrapping it in the provider's trusted domain. Because the rewrite is applied on arrival while the destination is only scanned at click time, the wrapped link is minted regardless of what the destination later serves; if the service does not flag the destination, the attacker exports this "safe" link for use in broad phishing campaigns.

So far, here’s a list of abused URL rewriting services we observed:

[Tables 1 and 2: abused URL rewriting services observed by SpiderLabs; reproduced as images in the original post and not recoverable here.]


The Emergence of Multi-Vendor, Multi-Layered URL Redirect Chains

Threat actors have increasingly adopted multi-vendor chained redirection in their phishing campaigns. Earlier activity typically relied on a single rewriting service, but newer campaigns stack multiple layers of already‑rewritten links. This nesting makes it significantly harder for security platforms to reconstruct the full redirect path and identify the final malicious destination.

The following phishing URL demonstrates this technique. In this case, the link passed through six consecutive rewrite redirects generated by four separate security vendors: Cisco, Trend Micro, Barracuda, and EdgePilot.

Figure 3. Example of a phishing redirect chain using multi-vendor, multi-layered URL rewriting: cisco.com → trendmicro.com → cisco.com → trendmicro.com → cudasvc.com → edgepilot.com

Figure 4. Chart showing sampled phishing email numbers per month that utilize multi-layered URL rewriting (≥ 2 services).

As shown in Figure 4, campaigns using at least two URL rewriting service providers were rare in 2024, first appearing in Q2 of that year. Malicious use of multi-layered URL rewriting expanded throughout 2025 and surged in the final quarter. Early 2026 already shows high activity, suggesting that these campaigns remain active and persistent.

Figure 5. Chart showing sampled phishing email numbers per month that utilize multi-layered URL rewriting (≥ 3 services).

Threat actors began employing three or more URL rewriting services only in mid-2025 (Figure 5), with activity increasing steadily throughout the year and peaking in January 2026. This escalation highlights a clear shift toward deeper and more complex redirect chains.

Taken together, these trends illustrate an increasing preference among attackers for layered redirection to evade detection.
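The following Python is an added example, not code from the original post or from LevelBlue, that does statically what the sections above describe: it peels nested rewriting wrappers from a link without fetching anything, reports the vendor chain and the final destination, and counts hops and distinct vendors, which is the ≥ 2 / ≥ 3 services measure charted in Figures 4 and 5. The Barracuda, Sophos, Cisco and Microsoft Safe Links layouts it recognises are approximations of those services' public URL formats with signature and tracking parameters omitted, and the sample link, its 1abcTOKEN path segment and the visuallogin-example.invalid destination are constructed for this example; all of these are assumptions rather than observations from the campaigns.

```python
"""Statically peel nested URL-rewriting ("safe link") wrappers.

Nothing is fetched: each layer is recovered from the wrapper's own URL
syntax, so the redirect chain can be reconstructed without clicking it.
Wrapper layouts are approximations of the vendors' public formats
(signature/tracking parameters omitted) and are assumptions.
"""
import base64
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# Rewriting-service hostname suffixes -> vendor label used in the chain
VENDORS = {
    "linkprotect.cudasvc.com": "Barracuda",
    "protection.sophos.com": "Sophos",
    "secure-web.cisco.com": "Cisco",
    "safelinks.protection.outlook.com": "Microsoft",
}


def vendor_for(host):
    """Map a hostname to a known rewriting vendor, or None."""
    for suffix, name in VENDORS.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def _b64url_decode(s):
    """Decode base64url, tolerating stripped '=' padding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)).decode()


def peel_one(url):
    """Return (layer_label, inner_url) if url is a wrapper, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    qs = parse_qs(parts.query)
    vendor = vendor_for(host)
    if vendor == "Barracuda" and "a" in qs:      # /url?a=<percent-encoded target>
        return vendor, qs["a"][0]
    if vendor == "Sophos" and "u" in qs:         # ?d=<host>&u=<base64url target>
        return vendor, _b64url_decode(qs["u"][0])
    if vendor == "Cisco":                        # /<token>/<percent-encoded target>
        segs = parts.path.split("/", 2)
        if len(segs) == 3 and segs[2]:
            return vendor, unquote(segs[2])
    if vendor == "Microsoft" and "url" in qs:    # /?url=<percent-encoded target>
        return vendor, qs["url"][0]
    # Fallback for unknown wrappers and open redirectors: any query value
    # that is itself an absolute URL is treated as the next layer.
    for values in qs.values():
        for v in values:
            if v.startswith(("http://", "https://")):
                return vendor or host, v
    return None


def unwrap_chain(url, max_depth=16):
    """Peel layers until none match. Returns (layer_labels, final_url).

    max_depth bounds the loop so a wrapper that points at itself cannot
    spin forever.
    """
    chain = []
    for _ in range(max_depth):
        peeled = peel_one(url)
        if peeled is None:
            break
        label, url = peeled
        chain.append(label)
    return chain, url


def rewrite_layers(url):
    """(hops, distinct known vendors): the ">= 2 / >= 3 services" metric."""
    chain, _ = unwrap_chain(url)
    known = {label for label in chain if label in VENDORS.values()}
    return len(chain), len(known)


# --- constructed sample: a made-up destination wrapped in the same order as
# the Figure 11 chain (Barracuda -> Sophos -> Cisco -> target) ---
def wrap_cisco(u):
    return "https://secure-web.cisco.com/1abcTOKEN/" + quote(u, safe="")


def wrap_sophos(u):
    token = base64.urlsafe_b64encode(u.encode()).decode().rstrip("=")
    return f"https://us-west-2.protection.sophos.com?d={urlsplit(u).hostname}&u={token}"


def wrap_barracuda(u):
    return "https://linkprotect.cudasvc.com/url?" + urlencode(
        {"a": u, "c": "E,1,constructed", "typo": "1"})


FINAL = "https://visuallogin-example.invalid/login?user=victim%40example.invalid"
SAMPLE = wrap_barracuda(wrap_sophos(wrap_cisco(FINAL)))

if __name__ == "__main__":
    chain, final = unwrap_chain(SAMPLE)
    print(" -> ".join(chain) + " -> " + final)
    print("hops, distinct vendors:", rewrite_layers(SAMPLE))
```

The fallback branch treats any query value that is itself an absolute URL as the next layer, which also catches open-redirector hops such as the marketing platform in Example 2, but it cannot see a layer whose target sits in a proprietary encoding; EdgePilot, Trend Micro, Inky and Libraesva are not modelled here, so extend VENDORS and peel_one with the observed layout when one is encountered. Because nothing is fetched, a hop that is only resolvable server-side (a token the vendor looks up rather than an encoded URL) ends the static chain, and that is the point at which a sandboxed click is still needed.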


Case Studies

The following real-world examples illustrate how modern phishing-as-a-service (PhaaS) frameworks, including Tycoon2FA and Sneaky2FA, operationalize multi-layered redirect chains and trusted-domain abuse to target Microsoft 365 users.

Both frameworks leverage the adversary-in-the-middle (AiTM) architecture to bypass multi-factor authentication (MFA). By proxying the authentication session, these kits intercept credentials and valid session cookies in real time, enabling account takeover (ATO). In enterprise environments, such compromises frequently lead to follow-on business email compromise (BEC), mailbox rule manipulation, internal phishing propagation, data exfiltration, and ransomware deployment.

Example 1: Tycoon2FA - Phishing Attack with 5-Vendor Nested Redirects

In one observed campaign, threat actors distributed a document request-themed phishing email impersonating Microsoft. The message leveraged a familiar business workflow, such as a document review or a shared file notification, to prompt user interaction.

Figure 6. Document request-themed phishing email that leads to a Tycoon2FA payload.

The embedded phishing URL is over 1,200 characters long, with the outermost security vendor hostname being urlsand.esvalabs.com operated by Libraesva. Within the encoded parameters, additional security vendor domains are visible:

  • protection.sophos.com (Sophos)
  • inky.com (Inky)

Other vendor domains were concealed within Base64-encoded parameters, requiring decoding to uncover the full chain.

When clicked, the redirection sequence passes through five vendor layers (Figure 7) before landing on the attacker-controlled phishing page (Figure 8). Some of these intermediate HTTP redirects occur in the background, so users typically do not see the full chain.

Figure 7. The wrapped redirect link phishing chain: esvalabs.com → sophos.com → inky.com → edgepilot.com → cudasvc.com

In this example, filtering the captured network activity for HTTP 302 responses (status-code: 302) makes the nested redirect chain easy to follow. Each hop uses a trusted, security-branded domain, which both reinforces legitimacy in the eyes of the recipient and limits what automated link scanners and URL-signature detection can see, since every intermediate hostname is a trusted domain.

After the fifth hop (linkprotect.cudasvc.com), the chain finally resolves to hxxps[://]nirvaa[.]com/wrks/, a compromised website that forwards the victim to yet another page hosting a CAPTCHA challenge used to filter out bots and automated analysis tools. Once the user completes the CAPTCHA, the flow continues to a phishing site that impersonates the Microsoft sign-in page and prompts for credentials.

Figure 8. Tycoon2FA phishing landing pages.

This campaign belongs to the Tycoon2FA AiTM phishing kit, which we have analyzed in earlier SpiderLabs blogs.

Example 2: Sneaky2FA - Phishing via HTML Attachment with Multi-Layered Link Rewriting

A recent Sneaky2FA phishing campaign impersonated a document‑signing notification, urging recipients to review supposed pending documents. In this case, the target was a law firm, and the message was framed around an amendment to an existing agreement, using contextual language to increase credibility.

Figure 9. Phishing email that leads to Sneaky2FA payload.

Unlike the previous example, this campaign delivered an HTML attachment (Figure 10) rather than embedding a hyperlink directly in the message body. In the HTML file, the phishing URL is defined in the ‘REDIRECT_URL’ variable, which is constructed using a layered URL rewriting sequence.

Figure 10. Snippet of the HTML code containing the multilayered rewritten link defined in the "REDIRECT_URL" variable.

When accessed, the link passes through three separate email security rewriting services operated by Barracuda, Sophos, and Cisco, shown in Figure 11.

Figure 11. The multi-vendor rewritten redirect link phishing chain: linkprotect.cudasvc.com → us-west-2.protection.sophos.com → secure-web.cisco.com

After these hops, the chain was routed to email.double.serviceautopilot.com, a legitimate marketing automation platform that attackers abuse as an additional redirector. Only after these layers did the chain resolve to the final phishing domain: visuallogin-9889902009882[.]bretlavylaw[.]com. This was a newly registered domain likely crafted to impersonate a law firm. The final landing page presented a fraudulent Microsoft login screen pre-populated with the victim’s email address.

Figure 12. Sneaky2FA landing pages targeting Microsoft 365 users.
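Where the wrapper syntax is unknown, a format-agnostic approach is to keep decoding until no new layer appears. The Python below is an added example (not the original post's or LevelBlue's code) that pulls the REDIRECT_URL value out of an HTML attachment laid out like Figure 10, then repeatedly percent-decodes the string and base64url-decodes any run that looks like base64, collecting every hostname as it surfaces; this is the manual decoding step Example 1 describes for the Base64-encoded parameters, automated. The attachment, the wrapper formats and the visuallogin-example.invalid target are constructed for the example and are assumptions, not artefacts from the campaign.

```python
"""Surface every hostname buried in a nested rewritten link without knowing
each vendor's wrapper syntax.

Repeatedly percent-decodes the string and base64url-decodes any run that
looks like base64, harvesting "scheme://host" occurrences as they appear;
nothing is fetched. The HTML attachment and the nested URL are constructed
for this example.
"""
import base64
import re
from urllib.parse import quote, unquote

# "https://host" occurrences; inner layers only match once decoded
HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)
# base64url-looking runs long enough to hold an encoded URL
B64_RE = re.compile(r"[A-Za-z0-9_-]{24,}")
# the variable the Sneaky2FA attachment assigned the link to
REDIRECT_VAR_RE = re.compile(r'REDIRECT_URL\s*=\s*["\']([^"\']+)["\']')


def redirect_url_from_html(html):
    """Pull the REDIRECT_URL string out of an HTML attachment, or None."""
    m = REDIRECT_VAR_RE.search(html)
    return m.group(1) if m else None


def _maybe_b64url(run):
    """Decode a base64url run to text if it yields a printable string."""
    try:
        text = base64.urlsafe_b64decode(run + "=" * (-len(run) % 4)).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def hostnames_in_chain(url, max_rounds=8):
    """Hostnames in order of discovery: outer wrapper first, target last."""
    seen, order = set(), []
    frontier = [url]
    for _ in range(max_rounds):
        nxt = []
        for s in frontier:
            for host in HOST_RE.findall(s):
                h = host.lower()
                if h not in seen:
                    seen.add(h)
                    order.append(h)
            decoded = unquote(s)            # one percent-decoding layer
            if decoded != s:
                nxt.append(decoded)
            for run in B64_RE.findall(s):   # base64url-wrapped layers
                text = _maybe_b64url(run)
                if text and "://" in text:
                    nxt.append(text)
        if not nxt:
            break
        frontier = nxt
    return order


# --- constructed sample attachment mirroring Example 2's layout ---
TARGET_URL = "https://visuallogin-example.invalid/login"
CISCO_LAYER = "https://secure-web.cisco.com/1abcTOKEN/" + quote(TARGET_URL, safe="")
SOPHOS_LAYER = ("https://us-west-2.protection.sophos.com?d=secure-web.cisco.com&u="
                + base64.urlsafe_b64encode(CISCO_LAYER.encode()).decode().rstrip("="))
OUTER_URL = ("https://linkprotect.cudasvc.com/url?a=" + quote(SOPHOS_LAYER, safe="")
             + "&c=E,1,constructed")
SAMPLE_HTML = f"""<html><body><script>
var REDIRECT_URL = "{OUTER_URL}";
window.location.href = REDIRECT_URL;
</script></body></html>"""

if __name__ == "__main__":
    link = redirect_url_from_html(SAMPLE_HTML)
    for i, host in enumerate(hostnames_in_chain(link), 1):
        print(f"{i}. {host}")
```

Order of discovery reflects nesting: a hostname that only appears after a decoding round sits inside the layer found before it. HOST_RE requires a scheme so that only URL-shaped values count as hops; a bare d= domain hint of the kind some wrappers carry is therefore not listed on its own, and a base64 run that decodes to non-printable bytes or to text without "://" is discarded rather than trusted.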


Conclusion

The campaigns highlighted in this blog show how threat actors are increasingly abusing trusted redirect services and legitimate platforms to build multi-layered URLs that obscure the true destination of phishing links. The growing adoption of this technique within PhaaS ecosystems such as Tycoon2FA and Sneaky2FA underscores its effectiveness at evading email security controls and deceiving users.

To defend against these attacks, organizations must place greater emphasis on behavioral detection, layered controls, phishing-resistant MFA and continuous monitoring to identify malicious activity hidden behind otherwise reputable domains. In practice, a rewritten link whose encoded parameters carry a second vendor's rewriting hostname, or a third-party redirector, warrants closer inspection than its trusted outer domain suggests. At the same time, user education plays a critical role. Employees should be trained to review URLs carefully, remain cautious of unexpected authentication requests, and report suspicious messages even when the links appear to originate from trusted platforms.

LevelBlue MailMarshal provides protection against these URL rewriting tactics and phishing campaigns.

IOCs

  • drogaby[.]com[.]br/cgi-bin/admin/
  • draineago[.]sa[.]com
  • nirvaa[.]com/wrks/
  • dns[.]zyntexa[.]click
  • visuallogin-9889902009882[.]bretlavylaw[.]com
