Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Phishing in URLs and collaboration tools: what IAM teams need to know


(@lalit)
Member Admin
Joined: 1 year ago
Posts: 257
Topic starter  

TL;DR: Malicious emails now use URLs four times more often than attachments, while attackers increasingly hide payloads behind authentication pages, scanner-detection logic, and trusted collaboration workflows, according to Proofpoint’s Human Factor Report Vol. 2. The control gap is no longer message filtering alone, but continuous inspection across the full user journey.

NHIMG editorial — based on content published by Proofpoint: phishing URL evasion, sandbox mirages, and collaboration abuse

Questions worth separating out

Q: What breaks when authentication is not phishing-resistant?

A: The trust boundary between the user and the system becomes easy to impersonate.

Q: Why do trusted collaboration channels increase phishing risk?

A: Trusted collaboration channels increase risk because users apply relationship context before they apply security skepticism.

Q: How do security teams know if sandbox-based URL analysis is failing?

A: Look for URLs that appear clean in detonation but behave differently for real users, especially when the site serves benign content to automated scanners and malicious content after redirect or script execution.

Practitioner guidance

  • Expand inspection beyond initial delivery Add time-of-click analysis and post-delivery URL re-evaluation so a safe first page does not automatically clear a later malicious destination.
  • Instrument collaboration platforms for hidden delivery paths Review Google Workspace, file-sharing, and messaging workflows for links or attachments that synchronise without traversing email gateways, and monitor for external invitations or drafts that propagate content unexpectedly.
  • Harden authentication prompts in externally delivered links Treat CAPTCHA, login, and identity-verification pages embedded in inbound messages as risk signals and route them for higher scrutiny before users submit credentials.

What's in the full article

Proofpoint's full analysis covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of how the link verification exploit evades sandbox checks in real email workflows
  • The browser and header signals attackers use to distinguish sandboxes from real users
  • The Google Workspace calendar abuse pattern that bypasses email controls altogether
  • Operational recommendations for continuous analysis, browser-based protection, and user awareness

👉 Read Proofpoint's analysis of phishing URL evasion and collaboration abuse →

Phishing in URLs and collaboration tools: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Authentication gating has become a phishing concealment layer, not just a user check. The article shows that a page can look clean to inspection systems until the human enters credentials or clears the verification step. That changes the governance question from whether a URL is malicious to whether the control can still see the malicious state after identity proof. Practitioners should treat authentication barriers as part of the attack surface, not as a neutral access control.

A question worth separating out:

Q: Who is accountable when phishing bypasses email security through a trusted app?

A: Accountability usually spans email security, collaboration platform owners, and identity governance teams because the failure is a trust-boundary issue, not a single-product miss. If the application can synchronise risky content without parallel inspection, the organisation owns the gap. That makes governance, monitoring, and user reporting responsibilities shared across the platform stack.

👉 Read our full editorial: Email gateway evasion is shifting phishing into trusted workflows



   
ReplyQuote
Share: