Emerging Accelerated Mobile Page (AMP) obfuscation technique used in over 7% of global phishing attacks, exploiting TikTok, Google, and Instagram

James Dyer | 15th Nov 2024

Egress’ Threat Intelligence Team has identified that over 7% of global phishing attacks now use an emerging obfuscation technique that employs Accelerated Mobile Page (AMP) links to mask malicious URLs.  

Often embedded in phishing emails that impersonate well-known brands, threat actors aim to undermine the 'hover' technique taught in most security awareness training programs. By displaying a legitimate AMP link from trusted organizations like TikTok, Google, or Instagram, they reduce recipients' suspicion about the true destination of the link. 

Quick attack summary  

  • Vector and type: Email phishing   
  • Technique: Hyperlink obfuscation and brand impersonation 
  • Targets: Global  
  • Platform: Microsoft 365 

In this attack, recipients are sent phishing emails that impersonate well-known brands such as Microsoft and DocuSign. These emails contain AMP (Accelerated Mobile Pages) links to disguise the end destination of their malicious URLs, leveraging reputable brands like TikTok, Instagram, and Google to lower suspicion.  

When recipients hover over these links, they see what appears to be a legitimate URL from a trusted organization, but upon clicking, they are redirected to a malicious site.  

This tactic is also employed to bypass URL scanners, as the added layer of redirection complicates detection. Scanners often check the reputation of the visible domain (e.g., TikTok or Google), which appears benign, allowing the malicious link to go unflagged by traditional technology in some cases. 

AMP links were first exploited in this way in mid-2023, but their use declined shortly after. However, since May 2024, our Threat Researchers have observed a steady month-on-month increase in their use, as shown in the graph below.

Legitimate domains used within the AMP links  

  • Google.com 
  • Google.com.br 
  • Google.com.hk 
  • Google.fr 
  • Google.nl 
  • Google.co.in 
  • Google.at 
  • Google.be 
  • Google.de 
  • Google.ps 
  • Google.com.au 
  • aws.predictiveresponse.net 
  • tiktok.com 
  • instagram.com 
  • linkedin.com 
  • commercebank.com 
  • facebook.com 
  • Pintrest.com 

Top brands impersonated in AMP-based attacks 

  1. Microsoft 
  2. SharePoint 
  3. Coinbase (Crypto exchange)  
  4. DocuSign 
  5. Adobe Acrobat 
  6. VoIP services (8x8, RingCentral)  
  7. Dunkin Donuts 

Attack example 

Screenshot showing a phishing email impersonating DocuSign, with a visible TikTok AMP link. Egress anti-phishing banners have been applied.  

In the example of the TikTok AMP link above, the number of redirects is revealed only upon closer inspection. When the recipient hovers over the 'Review Document' button of this DocuSign impersonation, it shows that the TikTok-hosted link first directs to Google before ultimately leading to a malicious site. 

This link is part of a phishing email that employs social engineering techniques, prompting the recipient to review changes to a contract document. 

Egress analysis  

AMP obfuscation targeting tech and human behavior  

Originally developed by Google, AMP links were created to enhance mobile browsing speed and user experience, particularly for content-heavy pages. They typically follow an AMP path hosted by platforms like Google or TikTok, with only the final segment of the link pointing to the actual destination.  

This obfuscation method is multifaceted, aiming to bypass traditional URL scanners while also manipulating human behavior. 

Targeting the tech  

The complexity of this attack makes it challenging for URL scanners to detect. Most traditional scanners rely on reputation checks to assess a link’s safety, but when AMP links are used, these checks often return the reputation of the visible domain (e.g. TikTok or Google), which appears benign. This can allow phishing links to slip past security filters undetected. By adding multiple layers of redirects, attackers attempt to ensure that the true destination remains concealed until the user has already clicked. 
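The structure described above (a trusted AMP host carrying the real destination in the tail of its path) is exactly what a reputation check should peel off before scoring anything. As an added example, not code from this post or from Egress Defend, the following Python unwraps the two AMP wrapper layouts documented by the AMP project (the Google AMP viewer path `google.<tld>/amp/s/<host>/<path>` and the AMP cache path `<pub>.cdn.ampproject.org/c/s/<host>/<path>`) together with Google's `/url?q=` redirect, and reports the host a filter should actually score versus the host a recipient sees on hover. All sample URLs are constructed, the eTLD+1 helper is a deliberate shortcut, and the TikTok and Instagram wrapper formats mentioned above are not modelled here.

```python
"""Unwrap AMP-style links to find the real destination before running reputation checks.

Added example, not Egress code. It assumes two wrapper layouts documented by the AMP
project (Google AMP viewer: https://www.google.<tld>/amp/s/<dest-host>/<path>; AMP cache:
https://<pub>.cdn.ampproject.org/c/s/<dest-host>/<path>; the 's/' segment is absent for
plain-http destinations) plus Google's /url?q=<target> redirect endpoint. All sample URLs
are constructed for the demo; TikTok/Instagram wrapper formats are not modelled here.
"""
import re
from urllib.parse import parse_qs, urlsplit

GOOGLE_HOST = re.compile(r"^(www\.)?google\.[a-z.]+$")
AMP_CACHE_HOST = re.compile(r"\.cdn\.ampproject\.org$")
# /amp/ (Google viewer) or /c/ and /v/ (AMP cache), optional 's/' for https,
# then the embedded destination host and the remainder of its path.
AMP_PATH = re.compile(r"^/(?:amp|[cv])/(?P<secure>s/)?(?P<dest>[^/]+)(?P<path>/.*)?$")


def amp_destination(url):
    """Return the URL embedded in an AMP wrapper path, or None if url is not one."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not (GOOGLE_HOST.match(host) or AMP_CACHE_HOST.search(host)):
        return None
    m = AMP_PATH.match(parts.path)
    if not m:
        return None
    scheme = "https" if m.group("secure") else "http"
    dest = f"{scheme}://{m.group('dest')}{m.group('path') or '/'}"
    # The AMP cache passes the query string through to the origin, so keep it.
    return dest + ("?" + parts.query if parts.query else "")


def redirect_destination(url):
    """Return the target of a google.<tld>/url?q=... redirect, or None."""
    parts = urlsplit(url)
    if GOOGLE_HOST.match(parts.hostname or "") and parts.path == "/url":
        params = parse_qs(parts.query)
        for key in ("q", "url"):
            if key in params:
                return params[key][0]
    return None


def unwrap_chain(url, max_hops=5):
    """Peel wrappers without touching the network; returns every hop, visible URL first.
    max_hops bounds the loop so a self-referencing chain cannot spin forever."""
    hops = [url]
    while len(hops) <= max_hops:
        nxt = amp_destination(hops[-1]) or redirect_destination(hops[-1])
        if nxt is None:
            break
        hops.append(nxt)
    return hops


def registrable(host):
    """Crude eTLD+1 (last two labels, three for forms like google.com.br). A production
    filter would consult the Public Suffix List instead of this shortcut."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "com", "org", "net", "ac", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess(url):
    """Summarise what a hover shows versus where the link actually ends up."""
    hops = unwrap_chain(url)
    visible = urlsplit(hops[0]).hostname or ""
    final = urlsplit(hops[-1]).hostname or ""
    return {
        "visible_host": visible,  # what the recipient sees on hover
        "scan_host": final,       # the host a reputation check should score
        "hops": len(hops) - 1,
        "amp_wrapped": len(hops) > 1,
        # True when the trusted-looking visible domain says nothing about the destination
        "host_mismatch": len(hops) > 1 and registrable(visible) != registrable(final),
    }


if __name__ == "__main__":
    SAMPLES = [  # constructed, not real campaign URLs
        "https://www.google.com/amp/s/docs-review.example/contract/review",
        "https://www.google.com.br/amp/s/www.google.com/url?q=https://login-portal.example/",
        "https://pub-example.cdn.ampproject.org/c/s/pub.example/news/amp",
        "https://www.google.com/search?q=amp",
    ]
    for sample in SAMPLES:
        v = assess(sample)
        print(f"{v['visible_host']:>34} -> {v['scan_host']:<22} hops={v['hops']} mismatch={v['host_mismatch']}")
```

The second sample reproduces the two-stage chain described in the attack example (a wrapper on a country-code Google domain that hands off to a Google redirect before reaching the final host) entirely offline, which is the point: the destination can be recovered from the URL text alone, so a filter has no reason to score the visible domain's reputation. Note that a legitimate AMP cache URL also reports `host_mismatch=True`; the flag means "score `scan_host`, not `visible_host`", not "this is malicious".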

Targeting the human 

This obfuscation technique is particularly effective because it exploits human behavior rather than relying solely on technical deception. 

A key skill often taught on day one of security awareness training is to hover over a link in an email to check the underlying destination and ensure it meets expectations. But what happens when everything looks legitimate? 

Threat actors are well aware of the 'hover' method, which is why they incorporate reputable brands like TikTok, Instagram, and Google into their AMP links. The idea is that once recipients see a familiar name, they’ll stop scrutinizing the link and proceed to click. Additionally, because AMP is designed for fast webpage loading, the redirection happens swiftly, making it difficult for users to notice they’re being phished. 

Identifying advanced phishing threats  

Since this attack combines brand impersonation with hyperlink obfuscation, it is crucial for organizations to utilize intelligent technology capable of effectively detecting and mitigating advanced phishing techniques. 

While this attack exploits traditional technology, threat actors primarily rely on manipulating human behavior. Therefore, alongside appropriate training, organizations should implement technology that enhances employee awareness, enabling them to recognize and respond to potential threats effectively. This should include real-time teachable moments that provide employees with in-the-moment training at the point of risk.  

Egress Defend takes a holistic approach to detection, using AI and a zero-trust approach to detect and neutralize emerging threats like impersonation and zero-day attacks in addition to logic that specifically looks for AMP links and redirects.