Hackers Abuse Legitimate Email Marketing Platforms to Disguise Malicious Links


Cybercriminals are increasingly exploiting legitimate email marketing platforms to run phishing campaigns. The method borrows the trusted reputation of those platforms' domains to slip past reputation-based filters and to make a malicious link look safe to the recipient who hovers over it.

The technique misuses the click-tracking domains and URL redirection services that established email marketing companies operate for their customers. Domains such as Klaviyo's klclick3.com and Drip Global's dripemail2.com exist to record when a recipient clicks a link in a marketing email and then forward the browser to the real destination; attackers wrap their phishing URLs in these same redirectors.

Routing a malicious URL through a trusted domain lends the phishing email a veneer of legitimacy: a filter that scores the link by the first domain it points to, or a user who inspects it, sees only the well-known marketing platform, not the destination the redirect eventually lands on. The technique exploits the trust users and tools place in recognised marketing platforms.
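The defensive consequence of the two paragraphs above is that a link must be judged by where its redirect chain ends, not by its first hop. The following Python is an added example (not Trustwave's PageML nor any vendor's code): it assumes a sandbox or HEAD-following fetcher has already recorded the hop-by-hop chain; the tracker domains are the two named in this article, while the dynamic-DNS list, the claimed sender domain and the sample chains are constructed for illustration.

```python
"""Score a click-through redirect chain rather than trusting its first hop.

Added example, not PageML or any vendor's code. Assumes a sandbox (or a
HEAD-following fetcher) already recorded the hops; the dynamic-DNS list and
the sample chains below are constructed for illustration.
"""
from urllib.parse import urlparse

# Click-tracking domains named in the article: legitimate, so not blocklistable.
MARKETING_TRACKERS = {"klclick3.com", "dripemail2.com"}

# Illustrative dynamic-DNS suffixes (assumption: maintain your own list).
DYNAMIC_DNS = {"ip-ddns.com", "duckdns.org", "ddns.net", "no-ip.org"}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def under_domain(host, domain):
    """True for the domain itself and its subdomains, never for look-alikes
    such as klclick3.com.evil.example."""
    return host == domain or host.endswith("." + domain)


def under_any(host, domains):
    return any(under_domain(host, d) for d in domains)


def registrable(host):
    # Last-two-labels approximation; use tldextract/publicsuffix2 on real data.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def score_chain(chain, claimed_sender_domain):
    """chain: URLs in the order the browser visited them.
    claimed_sender_domain: the brand the email claims to come from (for
    example the From: header's domain). Returns (score, reasons)."""
    reasons, score = [], 0
    first, last = host_of(chain[0]), host_of(chain[-1])

    if under_any(first, MARKETING_TRACKERS):
        # Informational only: the tracker's reputation says nothing about where it lands.
        reasons.append(f"first hop {first} is a marketing click-tracker")
    if under_any(last, DYNAMIC_DNS):
        score += 40
        reasons.append(f"final hop {last} is on a dynamic-DNS provider")
    if not under_domain(last, claimed_sender_domain) and not under_any(last, MARKETING_TRACKERS):
        score += 30
        reasons.append(f"final hop {last} is not the claimed sender {claimed_sender_domain}")
    distinct = {registrable(host_of(u)) for u in chain}
    if len(distinct) >= 3:
        score += 15
        reasons.append(f"{len(distinct)} distinct domains across {len(chain)} hops")
    if any(len(label) >= 25 and label.isalnum() for label in last.split(".")):
        score += 15
        reasons.append("final host has a long random-looking label")
    return score, reasons


def verdict(chain, claimed_sender_domain, threshold=50):
    score, reasons = score_chain(chain, claimed_sender_domain)
    return ("suspicious" if score >= threshold else "benign"), score, reasons


# Constructed sample chains; hostnames are illustrative, not real infrastructure.
LEGIT_CHAIN = [
    "https://trk.klclick3.com/ls/click?upn=AAAA",  # tracker hop
    "https://shop.example-brand.com/offers/spring",  # lands on the sender's own site
]
PHISH_CHAIN = [
    "https://trk.klclick3.com/ls/click?upn=BBBB",  # same trusted first hop
    "https://cdn.example-compromised-site.org/go.html",  # compromised relay
    "https://aaaabbbbccccddddeeeeffffgggghhhh.ip-ddns.com/f/constructed",  # dynamic-DNS landing
]

if __name__ == "__main__":
    for chain in (LEGIT_CHAIN, PHISH_CHAIN):
        label, score, reasons = verdict(chain, "example-brand.com")
        print(f"{label} ({score}):")
        for r in reasons:
            print("  -", r)
```

The tracker match deliberately contributes no score: both chains start on klclick3.com, and blocking that domain would also block every legitimate campaign the platform sends. Suffix matching in under_domain also keeps a look-alike such as klclick3.com.evil.example from inheriting the tracker's trust.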

Recent analysis shows these campaigns pairing familiar lures, including fake voicemail notifications, DocuSign document requests and payment-related messages, with modern evasion: CAPTCHA gates that keep automated URL scanners away from the credential page, compromised domains used as intermediate hops, and abuse of cloud services such as Amazon Web Services and Cloudflare for hosting.

Trustwave researchers observed a marked increase in phishing URLs that reuse familiar patterns and near-identical phishing templates, and noted a resurgence of email marketing platform abuse alongside widespread use of URL redirectors. Trustwave's PageML system, which combines machine learning components with URL intelligence frameworks, has been detecting these evolving campaigns in real time.

Advanced Redirection and Evasion Techniques

The technical sophistication of these campaigns shows in their multi-layered redirection. In one documented case the real destination was never present in clear text: the landing page's script carried it as a Base64 string and decoded it in the browser with atob() at runtime, so neither the link in the email nor a simple search of the page source reveals where the victim ends up. Decoding the quoted value yields an https URL on a dynamic-DNS host (ip-ddns.com) with a long random-looking subdomain, the kind of throwaway infrastructure the tracker domain's reputation conceals.

var ucis = {}; // settings object the landing-page script reads; stubbed here so the snippet runs on its own
ucis.RedirectUrl = "aHR0cHM6Ly9vZmZpY21hc2RpbmRvbW1qZW9haWV1bnQuZXN6a3FlaHJoeXpkdXF2d3JiZ3h1dWd4YXF1bXJtLmlwLWRkbnMuY29tL2YvNFNTd08yUU5LQ3B5MWdDeEtzX0w=";
ucis.RedirectUrl = atob(ucis.RedirectUrl); // decode to the real URL in the browser; the plaintext never appears in the page source

Additionally, attackers add anti-analysis friction by disabling the right-click context menu through a JavaScript event listener, which stops a casual analyst from reaching "View Page Source" or "Inspect" from the menu:

addEventListener("contextmenu", function(e) {
    e.preventDefault(); // suppress the right-click menu; keyboard DevTools shortcuts and view-source: still work
});

The campaigns also use chameleon phishing: the page dynamically fetches the target company's name and logo from services such as Clearbit's logo API, so a single kit renders a page branded for whichever organisation the victim belongs to. Many of these pages sit behind a Cloudflare Turnstile human-verification widget, which keeps automated crawlers and URL scanners from reaching the credential form while looking to the victim like a routine security check.
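The Base64 redirect, the right-click suppression and the Clearbit and Turnstile indicators described above can all be checked statically once the landing page has been captured. The following Python is an added example, not code from the article or from Trustwave: SAMPLE_HTML is a constructed page that reproduces those indicators in one place (its Base64 string is the one quoted in the article; the Clearbit logo and Turnstile script URLs are those services' public endpoints), and the detection patterns are heuristics you would tune on your own captures.

```python
"""Static triage of a captured phishing landing page.

Added example, not code from the article or from Trustwave. It looks for the
indicators the article describes: Base64 literals that decode to a URL (the
atob() redirect), right-click suppression, Clearbit logo fetching and a
Cloudflare Turnstile widget. SAMPLE_HTML is constructed; its Base64 string
is the one quoted in the article.
"""
import base64
import binascii
import re
from urllib.parse import urlparse

# A quoted run of 24+ Base64 characters with optional padding.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{24,}={0,2})["\']')
# Coarse heuristic for context-menu suppression (listener or inline handler).
CONTEXTMENU_HOOK = re.compile(
    r'addEventListener\s*\(\s*["\']contextmenu["\']|oncontextmenu\s*=', re.I)


def decode_embedded_urls(text):
    """Return every Base64 string literal in text that decodes to an http(s) URL."""
    urls = []
    for match in B64_LITERAL.finditer(text):
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not Base64, or Base64 of binary data
        if decoded.startswith(("http://", "https://")) and urlparse(decoded).hostname:
            urls.append(decoded)
    return urls


def triage(html):
    """Return (indicator, detail) pairs found in the page, in a fixed order."""
    findings = []
    for url in decode_embedded_urls(html):
        findings.append(("base64_redirect", urlparse(url).hostname))
    if CONTEXTMENU_HOOK.search(html) and "preventDefault" in html:
        findings.append(("right_click_disabled", None))
    if "logo.clearbit.com" in html:
        findings.append(("clearbit_logo_fetch", None))
    if "challenges.cloudflare.com/turnstile" in html:
        findings.append(("turnstile_gate", None))
    return findings


# Constructed page reproducing the article's indicators in one place.
SAMPLE_HTML = """<html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body>
<img id="logo" src="">
<script>
// chameleon branding: logo fetched for whatever domain the victim belongs to
var brand = location.hostname;
document.getElementById("logo").src = "https://logo.clearbit.com/" + brand;
addEventListener("contextmenu", function(e) { e.preventDefault(); });
var ucis = {};
ucis.RedirectUrl = "aHR0cHM6Ly9vZmZpY21hc2RpbmRvbW1qZW9haWV1bnQuZXN6a3FlaHJoeXpkdXF2d3JiZ3h1dWd4YXF1bXJtLmlwLWRkbnMuY29tL2YvNFNTd08yUU5LQ3B5MWdDeEtzX0w=";
ucis.RedirectUrl = atob(ucis.RedirectUrl);
</script></body></html>"""

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_HTML):
        print(indicator, detail or "")
```

Running it against SAMPLE_HTML reports the decoded ip-ddns.com host, the disabled context menu, the Clearbit fetch and the Turnstile gate. The Base64 check only accepts literals that decode to a URL with a hostname, so random identifiers and binary blobs do not trigger it; kits that reverse, split or double-encode the string will need the decoder extended.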

Abuse of legitimate infrastructure is hard on defenders: a domain blocklist cannot include klclick3.com or dripemail2.com without also blocking every legitimate campaign those platforms send, and sender reputation is exactly what the attacker has borrowed. Detection has to move to what the link does and where it lands: follow the redirect chain, score the final host and the landing page's behaviour, and feed those behavioural signals to machine learning classifiers that judge intent regardless of the hosting infrastructure's reputation.
