What happened
Researchers from Level2 Analysts identified a phishing technique that abuses Microsoft Safe Links by embedding malicious destinations inside multi-layered URLs to evade detection. Attackers craft emails containing Safe Links that appear legitimate but redirect users through multiple encoded layers before reaching phishing pages. These layered URLs are designed to bypass security filters and make analysis more difficult, as each redirection step obscures the final destination. The campaign relies on trusted security infrastructure to increase credibility, with victims more likely to click links that appear to be scanned and approved. Researchers noted that the use of Safe Links in this way complicates traditional detection methods that rely on static URL analysis.
Who is affected
Email users and organizations relying on Microsoft Safe Links protection are affected, particularly those who may trust links that appear to be validated by built-in security tools.
Why CISOs should care
The technique shows how attackers can exploit trusted security mechanisms to bypass detection and increase phishing success rates by embedding malicious content within layered redirection chains.
3 practical actions
- Inspect multi-layered URL redirections. Analyze full redirect chains instead of relying on initial link appearance.
- Enhance phishing detection controls. Implement tools capable of dynamic URL analysis across multiple layers.
- Educate users on trusted-link abuse. Reinforce that security-labeled links can still lead to malicious destinations.
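As a triage aid for the first action, this added example (not code from the researchers or from Microsoft) peels nested wrapper URLs offline and reports every layer. It assumes Safe Links wrappers sit on `*.safelinks.protection.outlook.com` with the original link in the `url` query parameter; the other redirect parameter names and the sample URL are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Assumption: Safe Links wrappers live on *.safelinks.protection.outlook.com
# and carry the original link in the "url" query parameter.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
# Assumption: parameter names commonly used by generic redirectors.
REDIRECT_PARAMS = ("url", "u", "redirect", "target", "dest", "next")
MAX_LAYERS = 10  # stop on pathological nesting


def embedded_url(link):
    """Return the http(s) URL nested in link's query string, or None."""
    parts = urlsplit(link)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)  # parse_qs percent-decodes one layer
    names = ("url",) if host.endswith(SAFELINKS_SUFFIX) else REDIRECT_PARAMS
    for name in names:
        for value in query.get(name, []):
            if urlsplit(value).scheme in ("http", "https"):
                return value
    return None


def unwrap_chain(link):
    """Statically peel nested wrappers; returns every layer, outermost first."""
    chain = [link]
    while len(chain) <= MAX_LAYERS:
        inner = embedded_url(chain[-1])
        if inner is None or inner in chain:
            break
        chain.append(inner)
    return chain


def assess(link):
    """Summarise the chain so an analyst sees every hop, not just the first."""
    chain = unwrap_chain(link)
    hosts = [urlsplit(u).hostname for u in chain]
    layers = len(chain) - 1
    # More than one wrapper layer: send the final URL to dynamic analysis.
    return {"layers": layers, "hosts": hosts,
            "final_host": hosts[-1], "review": layers > 1}


# Constructed sample: a landing page wrapped by a redirector, then by Safe Links.
_landing = "https://login.example.net/signin"
_redirector = "https://tracker.example.org/r?u=" + quote(_landing, safe="")
SAMPLE = ("https://nam02.safelinks.protection.outlook.com/?url="
          + quote(_redirector, safe="") + "&data=05%7C01&reserved=0")
```

This only recovers destinations embedded in the URL itself; hops issued by a server at click time still need the dynamic analysis named in the second action.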
