Phishing operators are abusing URL rewriting, an email security feature, to get their links past defenses and deliver malicious payloads. The tactic turns vendor-branded "safe links" into a disguise: a mechanism built to let a security product inspect a link now lends that product's trusted domain to the attacker's destination.
According to analysis from LevelBlue, threat actors have escalated their use of URL rewriting in phishing campaigns. The technique chains multiple vendor-provided URL rewriting services together to obscure the true destination of a malicious link. The goal is a redirect chain deep enough that automated security scanners give up before they reach the final destination, so the attacker evades the link-inspection filters organizations rely on.
Multi-Layered Redirect Chains Weaponize Safe Links
URL rewriting is a security measure typically embedded in enterprise email gateways. It intercepts links within incoming emails and replaces them with rewritten URLs that point at the vendor's own service, usually with the original destination carried as an encoded parameter or token. When a user clicks a rewritten link, the request goes to the vendor's scanning servers first, which check the destination at time of click (not only at delivery) before redirecting the user to it.
Threat actors have found a way to turn this around. By sending their malicious link through a compromised account in an organization where URL rewriting is active, they get the gateway to wrap it for them and then harvest the rewritten result. The harvested link carries the trusted domain of a security vendor, so it looks legitimate to both users and scanners and can be reused across widespread phishing campaigns. This significantly undermines the value of the feature.
LevelBlue analysts observed a notable increase in this tactic between the second and fourth quarters of 2025. Adversaries have advanced from single-layer abuse to constructing multi-layered URL rewriting chains that span several trusted vendor domains. This sophisticated approach aims to bury the malicious payload under so many trusted redirects that it becomes virtually untraceable by automated scanners.
This malicious activity has been identified within established phishing-as-a-service platforms, specifically Tycoon2FA and Sneaky2FA. Both platforms are noted for targeting Microsoft 365 users, a popular and widespread target for cybercriminals. The integration into these platforms suggests a deliberate and evolving threat designed to remain hidden behind the very security tools organizations trust.
Both Tycoon2FA and Sneaky2FA use an adversary-in-the-middle (AitM) architecture: the phishing page proxies the real Microsoft login flow, so it captures the victim's credentials and, once the victim completes MFA, the session cookie the identity provider issues. With that cookie the attacker achieves account takeover without the victim realizing anything was compromised. Once inside, attackers can manipulate mailbox rules, launch internal phishing campaigns against other employees, exfiltrate sensitive data, and in severe cases deploy ransomware.
Activity data confirms that phishing campaigns employing three or more URL rewriting services began in mid-2025 and reached a peak in January 2026. This indicates a concerted and aggressive effort by threat actors to leverage deeper redirect chains, further complicating detection and response efforts. As of early 2026, these campaigns remain active, highlighting the persistent and evolving nature of the threat.
Multi-Layered Redirect Chains in Action
The Tycoon2FA campaign provides a clear example of how this attack unfolds. In one observed instance, victims received an email themed around a document request, impersonating Microsoft. This email contained a URL exceeding 1,200 characters. When a victim clicked it, the request passed in turn through five vendors' rewriting services: Libraesva, Sophos, Inky, EdgePilot, and Barracuda.
After passing through these trusted vendor domains, the link ultimately led to a compromised website. This site then presented the victim with a CAPTCHA challenge, a common method to filter out automated bots. Following the successful completion of the CAPTCHA, victims were presented with a fake Microsoft sign-in page, meticulously designed to steal their credentials.
Another campaign, utilizing the Sneaky2FA platform, targeted a law firm. This attack employed an HTML attachment rather than a direct hyperlink embedded in the email body. Within the attachment, the phishing URL was concealed within a variable named REDIRECT_URL. This URL was pre-configured with a rewriting sequence involving Barracuda, Sophos, and Cisco. The chain also routed through a legitimate marketing automation platform before resolving to a newly registered domain designed to impersonate the law firm.
The fraudulent Microsoft login screen presented to the victim in the Sneaky2FA campaign also had the victim’s email address pre-filled, further enhancing the illusion of legitimacy and increasing the likelihood of credential compromise. In both observed chains, every redirect hop utilized a domain belonging to a recognized security vendor. This meant that automated scanners encountered only trusted names and typically ceased their analysis before following the complete path, precisely the outcome the attackers intended.
Organizations are advised to adopt phishing-resistant multi-factor authentication (MFA), such as FIDO2/WebAuthn hardware security keys. Because the credential is bound to the legitimate site's origin, an AitM proxy on another domain cannot complete the login, so no session cookie is issued for the attacker to steal even if the password is captured. Security teams should add detection controls that flag emails whose URLs chain through multiple rewriting services, since a legitimate rewritten link normally wraps one destination, not another vendor's rewritten link. Employees need ongoing training to recognize that a vendor-branded URL does not guarantee a safe destination and to report suspicious emails to their security team immediately.
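The following is an added example of the detection control described above, not code from LevelBlue or any vendor. It unwraps a rewritten link offline by reading the wrapped destination out of the next hop's query string, counts how many distinct rewriting services the chain passes through, and flags chains of three or more. It also pulls the first hop out of an HTML attachment that assigns it to a `REDIRECT_URL` variable, as in the Sneaky2FA case. The parameter names, the `*.example` vendor hosts and the sample chain are all constructed for this example; only `safelinks.protection.outlook.com` is a real rewriting host (Microsoft Safe Links). Real products differ in how they encode the destination, and some hide it in an opaque token this approach cannot unwrap.

```python
"""Flag e-mail URLs that chain through several URL-rewriting services.

Added example (not LevelBlue's tooling). Unwrapping is generic: whenever a
rewritten link carries its destination as a URL-valued query parameter, that
destination is taken as the next hop. Hosts matching a configurable list of
rewriting services are counted; three or more distinct services in one chain
is treated as suspicious.
"""
import html
import re
from urllib.parse import parse_qs, quote, urlparse

# Query parameters that rewriting services commonly use to carry the wrapped
# destination. Assumption for this example: real products differ, and some put
# the destination in a path segment or an opaque token, which this will not see.
WRAPPED_PARAMS = ("url", "u", "a", "target", "redirect", "dest")

# Host suffixes treated as rewriting services. safelinks.protection.outlook.com
# is Microsoft's real Safe Links host; the *.example entries are constructed
# stand-ins for the vendor domains named in the article.
REWRITER_SUFFIXES = (
    "safelinks.protection.outlook.com",
    "linkscan.vendor-a.example",
    "safe.vendor-b.example",
    "protect.vendor-c.example",
)

# Attachment pattern from the Sneaky2FA case: a JS variable named REDIRECT_URL
# holding the first hop of the chain.
REDIRECT_VAR_RE = re.compile(r'REDIRECT_URL\s*=\s*["\']([^"\']+)["\']')


def rewriter_for(host):
    """Return the matching rewriting-service suffix, or None."""
    host = (host or "").lower()
    for suffix in REWRITER_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def unwrap_once(url):
    """Return the URL wrapped inside `url`, or None if it wraps nothing."""
    query = parse_qs(urlparse(url).query)  # percent-decodes each value once
    for name in WRAPPED_PARAMS:
        for value in query.get(name, []):
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def unwrap_chain(url, max_hops=10):
    """Follow nested rewrites offline; returns every hop, outermost first."""
    hops = [url]
    while len(hops) <= max_hops:
        nxt = unwrap_once(hops[-1])
        if nxt is None or nxt in hops:  # end of chain, or a loop
            break
        hops.append(nxt)
    return hops


def assess(url, threshold=3):
    """Count distinct rewriting services in the chain and flag deep chains."""
    hops = unwrap_chain(url)
    services = []
    for hop in hops:
        svc = rewriter_for(urlparse(hop).hostname)
        if svc and svc not in services:
            services.append(svc)
    return {
        "hops": len(hops),
        "rewriters": services,
        "final": hops[-1],
        "suspicious": len(services) >= threshold,
    }


def urls_from_html_attachment(text):
    """Pull REDIRECT_URL assignments out of an HTML attachment."""
    return REDIRECT_VAR_RE.findall(html.unescape(text))


def build_sample_chain():
    """Constructed three-layer chain ending at a constructed phishing host."""
    final = "https://login-docs.example/?session=1"
    hop3 = "https://protect.vendor-c.example/v1?a=" + quote(final, safe="")
    hop2 = "https://safe.vendor-b.example/?u=" + quote(hop3, safe="")
    return ("https://eur01.safelinks.protection.outlook.com/?url="
            + quote(hop2, safe="") + "&data=x")


# Constructed HTML attachment in the style the article describes.
SAMPLE_ATTACHMENT = ('<script>var REDIRECT_URL = "'
                     + build_sample_chain().replace("&", "&amp;")
                     + '"; window.location = REDIRECT_URL;</script>')


if __name__ == "__main__":
    for link in urls_from_html_attachment(SAMPLE_ATTACHMENT):
        print(assess(link))
```

Run against the constructed attachment, `assess` reports four hops, three distinct rewriting services and the constructed `login-docs.example` destination, and marks the link suspicious; a normal single-layer Safe Links URL yields one service and is not flagged. In a gateway you would feed `assess` every URL extracted from the body and from HTML attachments, and treat the final hop, not the vendor domain on the outside, as the thing to reputation-check.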

