Cofense Logo - Email Security Solutions

URL Shorteners are the Fraudster’s Friend

Share Now


URL shorteners are a great tool to share a web address without a lot of typing. PhishMe Intelligence™ recently observed malicious actors using these services to evade security controls. They use these services to conceal the actual URL and bypass controls put in place to block known malicious domains.

Just this week, employees of enterprises using PhishMe® reported phishing messages that contain links that use these URL shortening services:


While some end users have been trained to hover their mouse over the link in a suspicious message to see the true destination of the link, this strategy does not work when the scammer uses a URL shortener link. As seen in figure 1 below, you can see that hovering over the “MY ARCHIVE” link revealed only a URL hosted on a URL shortening service.

Cofense Illustration of Phishing Email Detection

Figure 1 – Phishing message delivering a shortened URL to a DocuSign phishing page

After clicking the link, the user is redirected to a page, as seen in figure 2, that spoofs DocuSign with the goal of collecting the end users email password.  In this case they are targeting any email providers with a focus on AOL, Yahoo!, Gmail, Outlook and Office 365.

Cofense Illustration of Phishing Email Prevention

Interestingly, a subsequent step of the attack collects the victims’ recovery email account and phone number, as seen in Figure 3 below. These additional pieces of information can be very valuable for a bad actor. Even after the user provides all this information, the user does not receive the PDF file download.

Cofense Example of Phishing Email

Figure 3 – Step 2 of phishing attack, seen at hxxp://avantysimmo[.]com/tht/dokin/recova.php

PhishMe Intelligence is a service that is designed to inform our customers about phishing threats. PhishMe distributes intelligence about those threats via the PhishMe Intelligence API as machine readable threat intelligence (MRTI). The MRTI includes the shortened URL parsed from the suspicious message and the associated landing page URL. PhishMe Intelligence also identifies the “Action URL”, which represents the path to the script that handles the delivery of credentials stolen in the attack. Often these Action URLs are on a third host and must also be recognized as indicators of compromise in an enterprise environment.

When our investigators drill into the details of URL shorteners, they also see that quite often the phisher will use more than one redirection from the initial link. For example, the initial link may be on, but that link may point to a URL on which then points to another link that finally points to a phishing landing page hosted on a compromised domain, a fraudulent domain, or a customized subdomain arranged on a free-hosting site. Each of these steps of the attack are captured by PhishMe in the Web Components list in the PhishMe Intelligence portal for investigators. All of the components are also available for download from the portal.

Don’t ever miss another threat – sign up for PhishMe® Threat Alerts today and receive updates on new and emerging phishing and malware threats, completely free.


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on as a development site.