Weaponizing Safe Links: Multi-Layered URL Rewriting Abuse in Phishing Attacks

Abuse of email security tools has changed shape. Between April and September 2025, analysts at LevelBlue SpiderLabs observed a sharp shift: attackers began building long redirect sequences that chain several well-known vendors' URL rewriting services back to back.

Beneath these chains sits malicious content, wrapped so many times in trusted domains that conventional defenses struggle to see anything wrong.

Major phishing-as-a-service (PhaaS) operations such as Tycoon2FA and Sneaky2FA have turned what was once an opportunistic trick into a repeatable technique. Anyone defending Microsoft 365 tenants or corporate email needs to understand how it works.

Understanding URL Rewriting

When an email containing a web address passes through an email security gateway, the gateway replaces the original link with one it generates itself (Microsoft calls its version Safe Links; most vendors have an equivalent). The rewritten link does not point at the destination. It points at the vendor's own domain, which scans the destination at the moment of the click and only then redirects the user to the real site.

This click-time check catches URLs that were clean at delivery and turned malicious afterwards, which a scan at arrival alone would miss. If the destination is judged risky, the redirect is refused. As a side effect, the security team gains visibility into which users clicked which links, and the check adds little noticeable delay.

For example, a phishing message pointing at an attacker's site might be delivered with its link rewritten into something like security-vendor.com/safelinks?url=hxxps[://]malicious-domain[.]com (an illustrative format; each vendor uses its own).

To the recipient, the link appears to come from a reputable security vendor. The outer shell looks safe even when the destination inside it is not.

Security Used as a Weapon

Abusing URL rewriting turns a protective control into cover. Rather than shielding users, the rewritten link helps the attacker hide. The attacker first needs a mailbox in an organization whose gateway rewrites URLs, typically one they have already compromised.

From that mailbox, the attacker sends a message containing the malicious link to another account they control, possibly even back to the compromised mailbox itself. The gateway does exactly what it is designed to do: it rewrites the link so that it sits under the vendor's trusted domain.

If nothing blocks the link at that point (for instance because the phishing page is not yet live, or is gated so that scanners cannot reach it), the attacker copies the rewritten URL out of the delivered message. That wrapped link, now carrying a security vendor's domain, is dropped into mass phishing campaigns aimed at victims who have no way to see past the wrapper.

Researchers at LevelBlue SpiderLabs found rewriting services from several well-known email security vendors, including Cisco and Trend Micro, used in this way.

Services operated by Barracuda, EdgePilot, and Sophos have lent deceptive redirects the same trustworthy appearance, and domains belonging to Libraesva (also known as ESValabs) and Inky have been used in the same schemes despite their strong reputations. None of this reflects a flaw in the products themselves; the attacker is using the rewriting feature as intended, on a link of the attacker's choosing.

The Rise of Complex Redirect Paths Across Multiple Vendors

By 2024, abusing a single layer of rewriting was already an established problem. In 2025 the technique matured. Instead of stopping at one rewrite, attackers began feeding already-rewritten links back through additional rewriting services.

The resulting paths wind through several trusted security platforms, clearing each one's reputation check in turn. Only after the last trusted hop does the chain land on infrastructure the attacker controls.

One test link tracked by SpiderLabs passed through six consecutive redirects spread across four vendors' services: Cisco, Trend Micro, Barracuda, and EdgePilot.

The path ran: cisco.com to trendmicro.com, back to cisco.com, again to trendmicro.com, then to cudasvc.com (Barracuda), and finally to edgepilot.com. The telemetry behind these chains tells a clear story.

Single-vendor rewriting abuse was common early on, but links mixing two vendors' services did not appear until spring 2024. Volume grew slowly through the following year, then jumped sharply in late 2025, and as of early 2026 shows no sign of slowing.

Chains stacking three or more vendors emerged around summer 2025, built momentum over the following months, and peaked in January 2026. Attackers are deliberately adding layers to make the chain harder to trace.

What makes this spike significant is its operational effect. With every additional vendor hop, resolving where a link actually goes gets harder, for scanners and for people alike. Because the intermediate domains belong to known security firms, reputation-based filters pass them silently, and users see brand names they recognize, which disarms suspicion without a word being said.

Case Study One: Tycoon2FA Five-Vendor Nested Redirect Chain

Tycoon2FA is an adversary-in-the-middle (AiTM) phishing kit. It sits between the victim and the real Microsoft login, relaying the password and the MFA response to Microsoft in real time and capturing the session cookie that comes back. Nothing is guessed or cracked: the victim completes authentication themselves and the kit takes the resulting session, like catching a key in midair after someone else has unlocked the door.

Because the login itself succeeds normally, nothing looks wrong to the identity provider and no alert fires. MFA is not defeated by force but by mimicry: the victim completes it, and the attacker reuses the authenticated session that results. What looks like normal access leaves a duplicate session in the attacker's hands.

In this case, a message claiming to come from Microsoft landed in an inbox and was picked up during a broader SpiderLabs review. Instead of awkward phrasing, it used ordinary office language: files waiting, approvals needed, something supposedly shared earlier.

The wording read like routine work chatter, which was the point. Beneath the surface it was a nudge to click, with a collaboration request as the bait.

The embedded link ran to more than a thousand characters. The outermost layer pointed at urlsand.esvalabs.com, operated by Libraesva.

Encoded inside it were protection.sophos.com (Sophos) and inky.com (Inky). Deeper layers held further domains as Base64, which had to be decoded by hand to reveal them. When a user clicked, the chain hopped through five services, esvalabs.com to sophos.com, then inky.com, then edgepilot.com, ending at cudasvc.com, before reaching the fake login page.

The hops resolve in a fraction of a second through HTTP redirects the user never sees. Reconstructing the path after the fact means working through proxy or network logs for the chain of 302 responses.
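Peeling a nested chain offline, as an added example (this is not LevelBlue/SpiderLabs code): the routine below recognizes the three wrapper conventions rewriting services generally use, a percent-encoded URL in a query parameter, a Base64 or Base64url-encoded URL in a query parameter, and a percent-encoded URL appended to the path, and peels them one layer at a time. The sample chain is constructed here to mirror the five-vendor layering above; its .example host names and parameter layouts are simplified stand-ins and not the vendors' real URL schemes. It only resolves the nesting declared in the link itself; hops that the services add at click time (the 302 responses mentioned above) can only be observed by following the link live.

```python
"""Statically peel nested URL-rewriting wrappers (added example, constructed data)."""
import base64
import binascii
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Parameter names that commonly carry a wrapped destination. Assumption: a generic
# list, not any vendor's documented format.
CANDIDATE_PARAMS = ("url", "u", "a", "q", "target", "redirect", "redirect_url")


def _is_url(s):
    return s.startswith(("http://", "https://"))


def _try_base64(s):
    """Decode Base64 or Base64url (padding optional); return the text if it is a URL."""
    s = s.strip()
    if len(s) < 8:
        return None
    padded = s + "=" * (-len(s) % 4)
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            out = decoder(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if _is_url(out):
            return out
    return None


def peel_one(url):
    """Return the URL wrapped inside `url`, or None if no wrapper is recognised."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    # 1. Plain or percent-encoded URL in a well-known parameter (Safe Links style).
    for name in CANDIDATE_PARAMS:
        for value in qs.get(name, []):
            for candidate in (value, unquote(value)):
                if _is_url(candidate):
                    return candidate
    # 2. Base64-encoded URL in any parameter.
    for values in qs.values():
        for value in values:
            decoded = _try_base64(value)
            if decoded:
                return decoded
    # 3. Percent-encoded URL appended to the path: /<token>/https%3A%2F%2F...
    idx = parts.path.lower().find("/http")
    if idx != -1:
        candidate = unquote(parts.path[idx + 1:])
        if _is_url(candidate):
            return candidate
    return None


def unwrap_chain(url, max_depth=16):
    """Peel until nothing is left; returns every hop, outermost wrapper first."""
    chain, seen = [url], {url}
    while len(chain) <= max_depth:
        inner = peel_one(chain[-1])
        if inner is None or inner in seen:  # end of chain, or a loop
            break
        chain.append(inner)
        seen.add(inner)
    return chain


def registrable_host(url):
    """Rough eTLD+1 (last two labels); enough to count distinct rewriting vendors."""
    return ".".join((urlsplit(url).hostname or "").split(".")[-2:])


def triage(url):
    """Summarise a chain in the shape a detection rule would consume."""
    chain = unwrap_chain(url)
    wrappers = {registrable_host(h) for h in chain[:-1]}
    return {
        "hops": len(chain) - 1,
        "wrapper_domains": sorted(wrappers),
        "final_url": chain[-1],
        # Threshold from the article's telemetry: three or more distinct rewriting
        # services stacked on one link is the pattern that surged in 2025.
        "suspicious": len(wrappers) >= 3,
    }


def build_sample_chain():
    """Constructed five-wrapper chain in the article's layering order. The .example
    hosts and parameter layouts are simplified stand-ins, not real vendor formats."""
    final = "https://login-portal.example/wrks/"
    hop5 = "https://linkprotect.cudasvc.example/url?a=" + quote(final, safe="") + "&c=E,1,abc123"
    hop4 = "https://edgepilot.example/links?url=" + quote(hop5, safe="")
    hop3 = "https://shared.inky.example/link?u=" + base64.urlsafe_b64encode(hop4.encode()).decode().rstrip("=")
    hop2 = ("https://protection.sophos.example/?d=inky.example&u="
            + quote(base64.b64encode(hop3.encode()).decode(), safe="") + "&i=abc&t=1")
    hop1 = "https://urlsand.esvalabs.example/?u=" + quote(hop2, safe="") + "&e=user%40corp.example"
    return [hop1, hop2, hop3, hop4, hop5, final]


if __name__ == "__main__":
    outer = build_sample_chain()[0]
    for depth, hop in enumerate(unwrap_chain(outer)):
        print(f"{depth}: {hop[:90]}")
    print(triage(outer))
```

Run as a script it prints the six hops and a triage summary with hops=5 and suspicious=True. The loop guard matters in practice: a wrapper that points back at an earlier hop would otherwise spin until max_depth, and a chain deeper than the cap is itself worth an alert.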

The fifth hop, through linkprotect.cudasvc.com, landed on hxxps[://]nirvaa[.]com/wrks/, a legitimate site that had been compromised and turned into a redirector. Rather than content, it served a CAPTCHA challenge designed to stop automated scanners while letting humans through.

Once solved, it opened the next door: not Microsoft, but a clone built to harvest credentials, forwarding every keystroke to the attacker. Microsoft has separately reported that Tycoon2FA now routes through intermediary services such as Azure Blob Storage, Firebase, Wix, TikTok, and Google tools.

Each of these routes is layered with redirects, and the addresses within them are encoded. That makes the final destination hard to extract by hand and hard for automated systems to resolve. The full path stays masked by design.

Case Study Two: Sneaky2FA HTML Attachment Using Layered Rewriting

Sneaky2FA appeared in late 2024 and operated quietly before analysts spotted it. It is sold through a Telegram channel called “Sneaky Log” for around $200 per month.

Unlike one-off phishing scripts, it runs as a commercial phishing-as-a-service (PhaaS) platform. Its core trick mirrors Tycoon2FA's: capture active session cookies during the login exchange. It targets Microsoft 365 accounts specifically, and its fake sign-in pages load with the victim's email address already filled in.

That small detail makes scams feel more real. Because the address appears correct, people are less likely to question the page.

A recent SpiderLabs case shows Sneaky2FA aimed at a law firm. The lure was a document-signing notification, supposedly tied to amendments to a contract already in progress.

The message was convincing because it matched details only someone involved in the matter would know. Context was the hook: subtle, precise, and fitting.

A defining technical feature of this campaign was the delivery mechanism. Rather than placing the link in the message body, the attackers attached an HTML file that carried a REDIRECT_URL value built through several stages of URL rewriting.

Because the redirect lives inside the attachment and fires only when the recipient opens the file in a local browser, the destination is never exposed as a clickable link in the message body, which sidesteps filters that only inspect links in the body.
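Static extraction of the redirect carried by such an attachment, as an added example rather than anything from the article or the Sneaky2FA kit: the routine pulls string literals assigned in the HTML, decodes the common disguises (percent encoding, Base64, JavaScript escapes), collects meta-refresh and anchor targets, and records whether the script writes to location at all. The attachment below is constructed for the demo; REDIRECT_URL is the variable name the article reports, while the hosts and tokens are made up. The RUNTIME_BUILT case shows the limit of the approach: a target assembled at run time yields no literal, so the file has to be flagged on the location write alone and detonated in a sandbox.

```python
"""Statically extract redirect targets from an HTML attachment (added example)."""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# identifier = "literal"  (var X = "...", obj.prop = '...', attr="...")
ASSIGN_RE = re.compile(r"""([A-Za-z_$][\w$.]*)\s*=\s*(['"])(.*?)\2""", re.S)
META_REFRESH_RE = re.compile(
    r"""<meta[^>]+http-equiv\s*=\s*['"]?refresh['"]?[^>]*content\s*=\s*['"]\s*\d+\s*;\s*url=([^'">]+)""", re.I)
HREF_RE = re.compile(r"""<a[^>]+href\s*=\s*['"]([^'"]+)['"]""", re.I)
# Any write to the navigation target, however the value is produced.
LOCATION_RE = re.compile(r"\blocation(?:\.href\s*=(?!=)|\.replace\s*\(|\.assign\s*\(|\s*=(?!=))", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/_-]{8,}={0,2}")


def _is_url(s):
    return s.startswith(("http://", "https://"))


def decode_candidates(literal):
    """Yield readings of a string literal: raw, percent-decoded, JS-escape-decoded, Base64."""
    yield literal
    yield unquote(literal)
    try:
        yield literal.encode("latin-1", "ignore").decode("unicode_escape")
    except UnicodeDecodeError:
        pass
    compact = re.sub(r"\s+", "", literal)
    if B64_RE.fullmatch(compact):
        padded = compact + "=" * (-len(compact) % 4)
        try:  # the urlsafe decoder handles both alphabets once +/ are mapped to -_
            yield base64.urlsafe_b64decode(padded.translate(str.maketrans("+/", "-_"))).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            pass


def extract_redirects(html):
    """Return (findings, writes_location); each finding records where the URL came from."""
    findings = []
    for name, _q, literal in ASSIGN_RE.findall(html):
        for candidate in decode_candidates(literal):
            if _is_url(candidate):
                findings.append({"source": name, "url": candidate})
                break
    for target in META_REFRESH_RE.findall(html):
        findings.append({"source": "meta refresh", "url": target.strip()})
    for target in HREF_RE.findall(html):
        if _is_url(target):
            findings.append({"source": "a href", "url": target})
    return findings, bool(LOCATION_RE.search(html))


def classify(html):
    """Label the attachment and list the hosts it would send the user to."""
    findings, writes_location = extract_redirects(html)
    redirects = writes_location or any(f["source"] == "meta refresh" for f in findings)
    hosts = sorted({urlsplit(f["url"]).hostname for f in findings})
    if redirects and findings:
        label = "redirect-attachment"             # target recovered statically
    elif redirects:
        label = "obfuscated-redirect-attachment"  # target built at run time; sandbox it
    elif findings:
        label = "links-only"
    else:
        label = "no-redirect"
    return {"label": label, "hosts": hosts, "findings": findings}


# Constructed samples, not captured files. The wrapped URL imitates a rewriting
# service's layout with .example hosts; it is not a real vendor format.
WRAPPED = "https://linkprotect.cudasvc.example/url?a=https%3A%2F%2Fvisuallogin.example%2Fsign%2F&c=E,1,x"
ATTACHMENT = f"""<!DOCTYPE html><html><head><meta charset="utf-8"><title>Document</title></head>
<body><p>Loading your document, please wait...</p>
<script>
  var REDIRECT_URL = "{base64.b64encode(WRAPPED.encode()).decode()}";
  setTimeout(function () {{ window.location.href = atob(REDIRECT_URL); }}, 800);
</script></body></html>"""
RUNTIME_BUILT = """<html><body><script>
  var p = ["aHR0cHM6Ly9l", "dmlsLmV4YW1wbGUv"];  /* https://evil.example/ assembled at run time */
  location = atob(p.join(""));
</script></body></html>"""
BENIGN = '<html><body><p>Minutes attached.</p><a href="https://intranet.example/minutes">Open</a></body></html>'

if __name__ == "__main__":
    for sample in (ATTACHMENT, RUNTIME_BUILT, BENIGN):
        print(classify(sample))
```

The REDIRECT_URL recovered from the first sample is still the outer wrapper, so the next step in a pipeline is to peel its rewriting layers before judging the destination. Treat "obfuscated-redirect-attachment" as at least as suspicious as a recovered target: legitimate documents rarely arrive as HTML files whose only job is to navigate elsewhere.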
Step by step, the URL passed first through Barracuda's rewriting service, then Sophos', then Cisco's.

It did not stop there. The next hop was a link-tracking redirect belonging to Service Autopilot, an email-campaign tool pressed into a role it was never meant for. Finally, everything resolved to a newly registered site styled to look like a law firm's.

At the last stop sat a fake Microsoft 365 login page, pre-filled with the victim's email address. Behind it, Sneaky2FA relayed each sign-in attempt to the real Microsoft servers, so that as victims entered their details, valid session tokens were generated in real time and captured.

Why Traditional Defenses Fail

Trust in big names opens doors. Picture a link bouncing between Cisco, Sophos, and Barracuda domains, each one treated as safe by email filters. Every checkpoint sees a familiar brand and raises no alarm, while behind the scenes the path bends toward a malicious endpoint.

Because checks evaluate one hop at a time rather than the whole journey, they miss how the pieces fit together. What is clean at each step is dangerous in sequence. The system trusts too readily because known players appear along the way.

That faith is turned against it: each hop looks legitimate, yet the chain leads somewhere it should never go. Blind spots grow when detection logic reasons about fragments instead of the pattern.

Layer on Base64 encoding of the inner URLs, CAPTCHA gates that keep automated crawlers from reaching the payload, and delivery through HTML attachments rather than message text to dodge link-inspection tools, and the picture is complete.

Each layer feeds the next, exploiting just enough of a gap that signatures fail, links stay opaque, code hides in plain sight, and sandboxes never trigger.

Indicators of Compromise (IOCs)

IOC                                              Type                    Associated Campaign
drogaby[.]com[.]br/cgi-bin/admin/                Malicious URL           Multi-layer chain
draineago[.]sa[.]com                             Malicious domain        Multi-layer chain
nirvaa[.]com/wrks/                               Compromised redirector  Tycoon2FA
dns[.]zyntexa[.]click                            Malicious domain        Multi-layer chain
visuallogin-9889902009882[.]bretlavylaw[.]com    Phishing domain         Sneaky2FA

Defensive Recommendations

  • Move beyond signature and reputation filters that only recognize known threats. Evaluate how a link behaves, not just how it looks: resolve layered redirects, judge the whole chain, and flag detours from normal flow rather than matching static patterns.
  • Deploy phishing-resistant MFA, meaning FIDO2 hardware keys or passkeys. The authenticator binds its response to the genuine site's origin, so an AiTM proxy on a lookalike domain cannot complete the sign-in and no session is created for the attacker to steal. SMS and app-generated codes, by contrast, can be relayed through the proxy in real time.
  • Use email security platforms that follow multi-hop redirects. Rather than stopping at the first address, they chase each redirect to the final landing page and base the safety verdict on the whole path, not on the trusted-looking front.
  • Monitor post-login behavior. Watch for new or changed inbox rules, unusual mail forwarding, and sign-ins from locations a user does not normally visit, and alert on anything that departs from the user's established pattern.
  • Flag HTML attachments for enhanced scrutiny, particularly those containing embedded redirect variables or obfuscated URLs.
  • Train users that a link carrying a familiar security vendor's domain is not automatically safe: wrapped links can lead anywhere, and the destination matters more than the name on the wrapper. Use real examples of these chains in awareness training so people learn to question what looks routine.
  • Watch for newly registered domains that mimic familiar companies or follow the naming patterns commonly used by phishing kits.
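Detection logic for the mailbox-rule part of that list, as an added example not drawn from the article: it scores Exchange Online audit events for the rule shapes attackers create after a Sneaky2FA or Tycoon2FA session takeover, external forwarding, deletion or filing into rarely viewed folders, mark-as-read, throwaway rule names, and filters on security-related keywords. The records below are constructed in the shape of Unified Audit Log ExchangeAdmin entries (Operation, UserId, ClientIP, Parameters as Name/Value pairs) with .example addresses; they are not real logs, and the field layout, folder list and weights are assumptions to adapt to your own tenant.

```python
"""Score mailbox-rule audit events for post-compromise tampering (added example)."""
import json

# Tenant-owned domains; any other domain in a forwarding target is external. Assumption.
TENANT_DOMAINS = {"corp.example"}
# Folders attackers use to bury replies and security alerts the victim might notice.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "archive",
                  "junk email", "deleted items", "notes"}
# Words seen in rules that hide alerts or skim sensitive threads.
HIDE_KEYWORDS = {"password", "security", "microsoft", "mfa", "verification", "invoice",
                 "payment", "wire", "hacked", "phish", "suspicious"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def _params(event):
    """Flatten the UAL Parameters array [{Name, Value}, ...] into a dict of strings."""
    return {p.get("Name"): str(p.get("Value", "")) for p in event.get("Parameters", [])}


def _external_addresses(value):
    """Split a forwarding parameter into addresses and keep the non-tenant ones."""
    found = []
    for token in value.replace(";", ",").split(","):
        addr = token.strip().strip('"').removeprefix("smtp:").removeprefix("SMTP:")
        if "@" in addr and addr.rsplit("@", 1)[1].lower() not in TENANT_DOMAINS:
            found.append(addr)
    return found


def score_event(event):
    """Return (score, reasons) for one audit record; (0, []) for operations we ignore."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return 0, []
    p = _params(event)
    score, reasons = 0, []
    for name in FORWARD_PARAMS:
        ext = _external_addresses(p.get(name, ""))
        if ext:
            score += 3
            reasons.append(f"{name} to external {', '.join(ext)}")
    if p.get("DeleteMessage", "").lower() == "true":
        score += 2
        reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        score += 2
        reasons.append(f"moves mail to {p['MoveToFolder']}")
    if p.get("MarkAsRead", "").lower() == "true":
        score += 1
        reasons.append("marks as read")
    name = p.get("Name")  # only present when a rule is created or renamed
    if name is not None and (len(name) <= 2 or not any(c.isalnum() for c in name)):
        score += 1
        reasons.append(f"throwaway rule name {name!r}")
    text = " ".join(p.get(k, "") for k in ("SubjectContainsWords", "BodyContainsWords",
                                            "SubjectOrBodyContainsWords", "FromAddressContainsWords")).lower()
    hits = sorted(k for k in HIDE_KEYWORDS if k in text)
    if hits:
        score += 1
        reasons.append(f"filters on {', '.join(hits)}")
    return score, reasons


def find_suspicious_rules(events, threshold=3):
    """Return alerts for events scoring at or above threshold, highest score first."""
    alerts = []
    for e in events:
        score, reasons = score_event(e)
        if score >= threshold:
            alerts.append({"time": e.get("CreationTime"), "user": e.get("UserId"),
                           "operation": e["Operation"], "client_ip": e.get("ClientIP"),
                           "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


# Constructed records in the shape of UAL ExchangeAdmin entries; not real logs.
SAMPLE_EVENTS = json.loads("""[
 {"CreationTime":"2026-01-14T08:02:11","Operation":"New-InboxRule","UserId":"alice@corp.example",
  "ClientIP":"203.0.113.45","Parameters":[{"Name":"Name","Value":"."},
   {"Name":"SubjectContainsWords","Value":"invoice;password;security"},
   {"Name":"ForwardTo","Value":"collector@attacker.example"},{"Name":"DeleteMessage","Value":"True"}]},
 {"CreationTime":"2026-01-14T08:05:40","Operation":"Set-InboxRule","UserId":"alice@corp.example",
  "ClientIP":"203.0.113.45","Parameters":[{"Name":"Identity","Value":"Rule1"},
   {"Name":"FromAddressContainsWords","Value":"microsoft"},
   {"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]},
 {"CreationTime":"2026-01-14T09:11:02","Operation":"New-InboxRule","UserId":"bob@corp.example",
  "ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Vendor newsletters"},
   {"Name":"FromAddressContainsWords","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]},
 {"CreationTime":"2026-01-14T09:30:55","Operation":"Set-Mailbox","UserId":"carol@corp.example",
  "ClientIP":"203.0.113.45","Parameters":[{"Name":"Identity","Value":"carol"},
   {"Name":"ForwardingSmtpAddress","Value":"smtp:carol.backup@attacker.example"},
   {"Name":"DeliverToMailboxAndForward","Value":"True"}]},
 {"CreationTime":"2026-01-14T09:31:10","Operation":"UserLoggedIn","UserId":"carol@corp.example","ClientIP":"203.0.113.45"}
]""")

if __name__ == "__main__":
    for a in find_suspicious_rules(SAMPLE_EVENTS):
        print(a["time"], a["user"], a["operation"], a["score"], "; ".join(a["reasons"]))
```

On the sample, Alice's two rules and Carol's mailbox-level forward are flagged while Bob's newsletter rule is not. The same ClientIP across three different users' changes is the kind of pivot worth adding once this runs against real data: a single external address touching several mailboxes is a campaign, not a misconfiguration.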

FAQ

What is multi-layered URL rewriting abuse?

Attackers stack rewritten links from several different security vendors, one inside the next, so that the path winds through a series of trustworthy security domains before landing on a malicious site. Each added hop makes the route harder to resolve and the real destination harder for protective software to identify.

How do attackers obtain a rewritten link?

From a compromised mailbox in an organization whose gateway rewrites URLs, the attacker sends the malicious link to an inbox they control. The gateway rewrites it as designed, and the attacker copies the rewritten version out of the delivered message. Dropped into phishing emails, it hides behind a name people trust: the link looks like it belongs, filters see a known domain and stand down, and that false calm is exactly what the attacker counts on.

Site: thecybrdef.com

Source: LevelBlue

John

John is a cybersecurity reporter covering the latest cyber threats, data breaches, and security research. Focused on translating complex technical topics into clear, actionable insights. Dedicated to delivering accurate, timely news to inform and protect the digital community.
