
URL shortening allows threats to evade URL filtering and categorization tools

Neko Papez | January 4, 2024

Threat actors have adopted a phishing technique that uses URL shortening services to hide malicious web addresses and avoid detection, tricking people into visiting dangerous websites. Because the shortened link reveals nothing about its destination, it is harder for security systems to block and easier for users to be fooled into clicking. According to data collected by Menlo Labs, URL shortening is increasingly used among threat actors.

Read on to learn about URL shortening, a type of Legacy URL Reputation Evasion (LURE) attack, and how organizations can detect and stop these attacks from compromising their networks.

Phishing remains a top concern among cybersecurity professionals

Phishing is consistently one of the top attack vectors in cybercrime, resulting in an average of $4.91 million in breach and recovery costs. Over the past six months, the Menlo Security Threat Research team has observed a 198% increase in browser-based phishing attacks – 30% of which have been classified as evasive.

The rise and success of phishing attacks have correlated with the new Phishing-as-a-Service (PhaaS) and Ransomware-as-a-Service (RaaS) kits that have hit the market recently. The pre-made email, text, social and advertising templates, scripts and other best practices included in these kits radically lower the bar, letting novice attackers with limited or no coding expertise create and launch malicious campaigns.

These attacks use a variety of evasive techniques to bypass normal URL filtering and categorization systems. They aim to steal user credentials and gain control over important business systems, as well as steal valuable data.

URL shortening services allow attackers to hide in plain sight

Popular URL shortening services provide cover for attackers to trick users into unknowingly clicking on a malicious link. Market analytics have long shown that shorter, easy-to-read or easy-to-remember URLs have a higher click rate than long URLs, and the practice has gained acceptance among brands and customers alike.

The problem is that URL shortening masks the link’s true destination, so users have no way of knowing whether the link will take them to the expected page or website. Coupled with increasingly sophisticated phishing emails that accurately mimic brand logos, tone and style, these attacks make it virtually impossible for users to identify a malicious link until it is too late.

Traditional detection tools fall short

Unfortunately, traditional security solutions such as URL filtering and categorization are no better than users at detecting LURE attacks that use URL shortening services. These tools work by scoring the reputation of the listed URL – not the final redirected destination. On the flip side, simply blocking all shortened URLs would result in a slew of help desk tickets – particularly since these services have become a legitimate business and marketing tool.

Some security tools have adapted to address the challenges of URL shortening, but threat actors are constantly evolving their techniques and often combine several of them in order to bypass traditional security tools and breach endpoints.

Here are some ways that threat actors use URL shortening tactics to circumvent these filters:

Obfuscation

Malicious actors use URL shorteners to obfuscate the true destination of a link. This deceives users into clicking on links that lead to phishing sites, malware downloads or other harmful content. Often, malicious actors will chain multiple redirects, sometimes across several URL shortening services, to further obfuscate the final destination. Many of the intermediate sites also host CAPTCHA challenges, which make it easier to evade automated scanners that cannot solve them.

Bypassing blacklists

Some content filters and security systems maintain blacklists of known malicious URLs. By using a URL shortener, an attacker can create links that aren't directly on these blacklists, making it more difficult for automated systems to detect and block them.

Dynamic content

Some URL shortening services allow users to change the destination URL after the link has been created. Attackers can initially point the link at a harmless URL, let it pass through filters, and later update the link to point to malicious content – so a verdict reached when the message was delivered no longer holds when the user clicks.

The solution requires full visibility into the browser

It’s clear that organizations need a new way to detect Highly Evasive and Adaptive Threats (HEAT) that use URL shortening to get around traditional security tools. These tools need to go beyond URL reputation and use full visibility into the browser to look directly at the web elements on the final destination.

They should be able to see where these links redirect the user and apply a real-time risk assessment based on those elements. Based on the resulting risk score, the appropriate policy can then be applied – allowing access, blocking access, or providing safe access through isolation or read-only mode.
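The following Python script is an added example, not Menlo Security's code, that illustrates the gap described under "Traditional detection tools fall short" and the three tactics listed above (chained shorteners, blocklist bypass, and a destination edited after creation), together with the chain-aware, score-based policy decision this section calls for. The redirect table, host lists, score weights and thresholds are constructed for the example; a production resolver would follow live 3xx responses and consult real reputation data.

```python
"""Added example (not Menlo Security's code): score the resolved redirect
chain of a shortened link rather than only the URL as listed, then map the
score to an allow / isolate / block policy.

All redirect targets, host lists, weights and thresholds below are
constructed for illustration; nothing touches the network.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-in for the 3xx Location responses a resolver would see.
# A shortener whose target is edited after creation ("dynamic content")
# simply answers with a different Location on a later lookup.
REDIRECTS = {
    "https://short.example/abc": "https://other-short.example/xyz",
    "https://other-short.example/xyz": "https://login-portal.example.net/verify",
}

# Constructed reputation data, keyed by hostname.
KNOWN_BAD_HOSTS = {"login-portal.example.net"}
SHORTENER_HOSTS = {"short.example", "other-short.example"}

MAX_HOPS = 10                     # stop following absurdly long chains
BLOCK_AT, ISOLATE_AT = 100, 30    # policy thresholds on the risk score


@dataclass
class Verdict:
    chain: list     # every URL visited: listed URL first, final destination last
    score: int      # 0 = nothing suspicious, higher = riskier
    action: str     # "allow", "isolate" or "block"


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def resolve_chain(url: str, redirects=REDIRECTS, max_hops: int = MAX_HOPS) -> list:
    """Follow redirects until a URL that does not redirect, a loop, or the hop limit."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in chain:          # redirect loop: stop and keep what we have
            break
        chain.append(nxt)
    return chain


def score_listed_url_only(url: str) -> int:
    """Legacy behaviour: reputation of the URL exactly as it appears in the message."""
    return BLOCK_AT if host_of(url) in KNOWN_BAD_HOSTS else 0


def score_chain(chain: list) -> int:
    """Chain-aware scoring: every hop counts, not just the first."""
    hosts = [host_of(u) for u in chain]
    score = 0
    if any(h in KNOWN_BAD_HOSTS for h in hosts):
        score += 100                      # known-bad host anywhere in the chain
    shortener_hops = sum(h in SHORTENER_HOSTS for h in hosts)
    if shortener_hops >= 2:
        score += 40                       # chained shorteners: obfuscation pattern
    elif shortener_hops == 1:
        score += 10                       # one shortener: legitimate but unverified
    if len(chain) > MAX_HOPS:
        score += 50                       # hop limit hit: never reached the end
    return score


def decide(score: int) -> str:
    if score >= BLOCK_AT:
        return "block"
    if score >= ISOLATE_AT:
        return "isolate"                  # safe / read-only access via isolation
    return "allow"


def evaluate(url: str, redirects=REDIRECTS) -> Verdict:
    """Run this at click time: the verdict changes when the shortener target does."""
    chain = resolve_chain(url, redirects)
    score = score_chain(chain)
    return Verdict(chain, score, decide(score))


if __name__ == "__main__":
    link = "https://short.example/abc"
    print("listed-URL-only score:", score_listed_url_only(link))   # 0: the gap
    print("chain-aware verdict:  ", evaluate(link))                # block

    # Dynamic content: same link, target swapped after it passed an earlier scan.
    before = {link: "https://docs.example.org/page"}
    after = {link: "https://login-portal.example.net/verify"}
    print("at send time: ", evaluate(link, before).action)         # allow
    print("at click time:", evaluate(link, after).action)          # block
```

The legacy scorer returns 0 for the shortened link because the shortener's host is not on any list, which is exactly why reputation of the listed URL is not enough; the chain-aware scorer reaches the known-bad final host and blocks. A chain of two shorteners ending at a benign page scores in the isolate band, which is where read-only or isolated access fits better than a hard block that would generate help desk tickets.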

Learn more about how Menlo Security detects and stops LURE attacks that use URL shortening techniques to evade traditional security tools.
