Attackers are using customizable URLs, known as vanity URLs, on SaaS services to craft more convincing phishing links.
The technique has been used for links created through Box, Zoom, and Google Docs and Forms – all familiar services many people know and likely use. Vanity URLs provide custom and easy-to-remember links, and some applications do not validate the legitimacy of the URL’s subdomain and instead only the URI. Therefore, threat actors are able to use their own accounts to generate links to malicious content that appear to be hosted legitimately by your company’s account. In addition to phishing campaigns, the spoofed URLs can also be used for social engineering attacks, reputation attacks, and malware distribution.
Users should be wary of clicking on third-party links, even if the URL has the name of their organization in it. There are various red flags of rogue URLs to be aware of including look-a-alike domains, URL domain name encoding, shortened URLs, domain mismatches, strange originating domains, overly long URLs, file attachments that are images or links, and open redirectors.
To learn more details about each red flag, as well as about security awareness training, visit here for more information.