WingNews logo WingNews
top | item 45295898

Want to piss off your IT department? Are the links not malicious looking enough?

1127 points| jordigh | 5 months ago |phishyurl.com

320 comments

order

arghwhat|5 months ago

Ah no need, corporate IT already make all URLs malicious looking through some microsoft "secure link" service, and constantly shows everyone shady looking prompts that constantly change and have cmd.exe windows flash in at random.

A phone call from Microsoft about my Norton anti-virus subscription putting me into debt that can only be settled with Nintendo gift cards bought in cash across 16 specific gas stations seem much more legitimate in comparison.

cameronh90|5 months ago

It’s a trade-off.

Most people are never going to check the links no matter how much you ask them to, and even if they did they wouldn’t know what to check for. But the tool Microsoft give you to check a link before opening it is that awful URL rewriter, which prevents the small minority who would check from being able to.

Similarly those flashing cmd windows are usually automatic update processes that Windows has no way to hide. Even some drivers that MS distribute through Windows Update do it. We could turn automatic updates off, but then nobody would update their software.

IT is rough because you’re often stuck between a rock and a hard place. On the one side you have users who don’t want to change their behaviour, on the other side you have industry leading vendors, that the SLT insist on using, that make it impossible to do the right thing or put the right thing on an Enterprise plan that the budget won’t permit. Then to top it off, there are usually compliance and insurance breathing down your neck forcing you to implement questionable best practices from the 90s, so you just have to do your best to limit the damage.

cedilla|5 months ago

All that anti-phishing training that taught us to look closely at the URL and now it's all just safelinks.protection.outlook.com

btbuildem|5 months ago

My little hobby is reporting any and all emails about compliance, training, etc (basically anything with actions in them) as phishing and then escalating their responses as "social engineering". It's fun!

omh|5 months ago

And Microsoft own the client, so they are the one company who don't need to do this!

If you really want to check every time someone clicks on a link then you can do this in the client and keep the visible link the same for the end user.

But instead there are different teams working on this in Outlook, Teams, Exchange, Defender and god knows where else.

(I'm one of the people in corporate IT trying to turn this off and often struggling)

beanjuiceII|5 months ago

we must work at the same enterprise

SMAAART|5 months ago

Not bad!

https://carnalflicks.online/var/lib/systemd/coredump/logging...

jcims|5 months ago

Why is that so satisfying to click on while it's at the top of the page?

turkishdelight|5 months ago

Seems shady, NoScript is giving me an XSS warning <_<.

supriyo-biswas|5 months ago

All of this reminds me of a hilarious situation at a previous employer. As is standard corporate practice, they used to tell people to inspect links by hovering over them to confirm that they lead to the official website of the sender.

People kept falling for phishing links though, so they got a Trend Micro device to scan emails, which also rewrote every link in it to point to their URL scanning service, which means every link now looks like https://ca-1234.check.trendmicro.com/?url=...; I guess no one would be allowed to click on any link in an email at that company.

Of course, their URL rewrites also broke a good number of links, so you'd wake up to a production incident, and then have to get your laptop, log in manually to Pagerduty/Sentry or what have you, and look up the incident details from the email...

thinkingtoilet|5 months ago

I had the opposite funny experience. When I worked for Global MegaCorp, they would occasionally send out phishing emails and if you clicked on a link it would be recorded and you would have to do trainings if you got fooled a couple times. Eventually everyone learned to stop clicking on links on emails. That's good. However, they sent out a yearly survey to get feedback from all the employees and no one clicked the link so they had to send out follow up emails saying the original emails are legit and it's ok to click the links in them.

kimixa|5 months ago

The company I used to work for had the same thing - everything was a rewritten URL (this was a Microsoft shop so it was rewritten to something like "safe.protected.outlook.com/?random_spew". From what I remember, yo)u couldn't even see the original URL in that (or it might have just been long enough random arguments to be completely impossible to find).

Nothing raises my suspicions quite like something calling itself "safe".

OscarCunningham|5 months ago

I had the opposite problem at my last company. When you hover over a link Apple's Mail app opens a preview of the page. So if you try to see the URL then you automatically visit the link and get sent for more training.

JustExAWS|5 months ago

I got this email from AWS regarding my personal account.

Greetings from AWS,

There are upcoming changes in how you will be receiving your AWS Invoices starting 9/18/2025. As of 9/18/2025, you will receive all AWS invoices from “no-reply@tax-and-invoicing.us-east-1.amazonaws.com”. If you have automated rules configured to process invoice emails, please update the email address to “no-reply@tax-and-invoicing.us-east-1.amazonaws.com”.

This was brain dead. If I saw an email with that sender, I would think it was a scam. They had to walk it back.

For context, I get random other emails about things like Lambda runtime deprecation from “no-reply-aws@amazon.com” which looks a lot more official.

And “aws-marketing-email-replies@amazon.com”

abtinf|5 months ago

Or just report their mandatory compliance emails as phishing attempts.

I’ve worked for multiple large companies where the annual IT security signoffs look exactly like malicious emails: weird formatting; originates from weird external url that includes suspicious words; urgent call to action; and threats of discipline for non-compliance.

All this money being spent on training, only to immediately lull users into accept threats.

grimgrin|5 months ago

you may or may not add a condition for emails with X-PHISH in its headers

leptons|5 months ago

The phishing-emails-as-a-test emails were so frequent that I started flagging all emails from our company that had a link in them as phishing emails and let the IT staff tell me which ones were real. They didn't enjoy that so they stopped sending the phishing emails as often. They still send them though, from time to time.

I ended up creating my own browser extension for gmail that blocks clicking on any link unless the domain is whitelisted. Now if I click any link and it's not in the whitelist, it shows a popup that displays the domain name, and I can then choose to whitelist it and then it opens the link, or just keep blocking it. I haven't had to re-take any phishing compliance tests in a long time.

0x3444ac53|5 months ago

The company I work at hired a vendor for their call center software, and said vendor spammed out all kinds of emails to everyone in the org on a daily basis. It was annoying and entirely useless. I just kept reporting them as phishing attempts and encouraged my coworkers to do the same. It worked.

bArray|5 months ago

No need, my IT already do this by running the MimeCast email filter [1]. Links to non-whitelist sites are expressed in the format:

    https://url.uk.m.mimecastprotect.com/s/<random_string>?domain=<domain_name>
Maybe I can tell the link is from Google, but not what is likely to be in the URL. It's a complete surprise as to whether I will be looking at a web page or downloading something.

[1] https://www.mimecast.com/

andrewblossom|5 months ago

My favorite part of mimecast is that their servers apparently can't handle normal volume and regularly time out before redirecting to the destination URL.

hobs|5 months ago

Now you just need a browser plugin to extract the domain name and fix it, problem solved.

Terr_|5 months ago

Real evil would be a kind of reverse-psychology:

1. Make a site like this.

2. Wait for people to try it out with an URL that goes to a significant site (bank, social media, email, etc.)

3. Allow a bit of normal use, then secretly switch the link so that further visitors land on a corresponding phishing site.

4. Having just dismissed a bunch of "obviously fake" warning signs, people may be less alert when real ones arrive.

cyanydeez|5 months ago

Im sure in tge nect 5 years a blackhat model will exist that clone any website into a phishing site.

mogoman|5 months ago

Around 2001 I worked for one of the big dot com news outlets. In our reception we had a PC with a browser set up where people could "use the internet" while they waited. One day the receptionist asked me to fix the PC as it wasn't connected to the internet and no one from IT was available. So I messed around a bit (think in the end I just reset the DCHP lease) and to test I opened the browser to surf the net.

Of course with the millions of websites available I couldn't think of one specific one, so I just held down the "x" key and then pressed CTRL+ENTER (which automatically added "www" and ".com" to your entry - typing this on a mac I see it still works with Firefox).

Of course www.x(and a few more x).com was a porn site.

Of course there were a bunch of people (including customers) sitting in reception (and the receptionist herself) who could directly see the screen.

Of course the PC was running nothing else, so a quick alt+tab didn't hide anything.

I announced that all was fine and ran for my desk.

cobbaut|5 months ago

I remember typing whitehouse.com (hoping that was safe) in the early days of Internet... nope, it was not the same as whitehouse.gov!

hdbsbdbd|5 months ago

Thank you for that anecdote, it lightened my breakfast Pause :)

LtdJorge|5 months ago

Lol, in that situation, the best combination would have been Win+D, I guess.

varenc|5 months ago

I registered the "very-secure-no-viruses.email" domain to use for burner emails. I was trying to make one that sounded maximally sketchy. It has lead to some confusing interactions with support though...

isoprophlex|5 months ago

I have firstname@lastname.email... people keep telling me that can't be right and don't i mean it ends with email.com?

BubbleRings|5 months ago

I put in my own domain name, and got a link on the https://cheap-bitcoin.online domain. Then I sent the full url it gave me to VirusTotal, and one site reported it as malware!

Hilarious, this is great.

cyanydeez|5 months ago

There might be mpre falllout

Lio|5 months ago

Ha! Great minds think alike.

We have something that makes genuine links look malicious at work too.

I think it’s called Microsoft Safelink or something. Its purpose is to go through your Outlook inbox and obscure the origin of every link because, obviously, being able to understand what you’re clicking on is bad.

Remember kids, no one ever gets fired for buying Microsoft. ;)

hennell|5 months ago

Safe links also likes to visit sites to check what the link is, so way too many sites will not let you reset your password because you've already used the link now.

Not sure if that's really a safe links problem, but it's super annoying.

disiplus|5 months ago

hahaha yes, a couple of months ago some microsoft servers where down or really slow so no links from emails worked.

edm0nd|5 months ago

this hits so hard hahaha

also ProofPoint filtered links

virtualcharles|5 months ago

A whole new generation of rickrolling is about to begin.

https://cam-xxx.live/trojan-hunter/evil-snatcher/malware_cry...

yrds96|5 months ago

Rickrolling doesn't feel the same with this bunch of ads. Sadly

jader201|5 months ago

This feels like the opposite of rickrolling, though.

Instead of naively trusting the link, only to click it and get rickrolled, you’re naively distrusting the link, so you’ll never know the link was fine all along.

OptionOfT|5 months ago

Reminds me of working at a company blocking access to eBay because their URL had .dll in there.

Also, we were thought to inspect the URL before clicking on it.

Except that the spam system they use completely mangles the URL...

Terr_|5 months ago

> Except that the spam system they use completely mangles the URL...

I hate this trend. Like an overused pool of the same "Secret Questions" every company asks, it needs to be on some "X considered harmful" list.

Arch-TK|5 months ago

safelinks keeps getting mentioned.

Here:

    #!/usr/bin/env python3
    from urllib.parse import urlparse, parse_qs
    from sys import argv
    print(parse_qs(urlparse(argv[1]).query)['url'][0])
This is unsafelinks. Pass it a safelinks url, and it will print the original URL. Very important when you have a one-time-use link which safelinks can break.

cobbal|5 months ago

Nice. Suggestion: default to https instead of http. Wouldn't want the links to lead somewhere malicious by accident.

flir|5 months ago

With a self-signed, expired, TLS 1.0 cert?

(For a different domain).

non_aligned|5 months ago

I know it's a joke and I had a sensible chuckle, but if you want to routinely use it at work, just keep in mind that it's probably gonna make things worse.

Since you can't exhaustively enumerate every good thing or every bad thing on the internet, a lot of security detection mechanisms are based on heuristics. These heuristics produce a fair number of false positives as it is. If you bring the rate up, it just increases the likelihood that your security folks will miss bad things down the line.

Aeolun|5 months ago

I think the lesson here is that any link in an email is bad. We should just block all of them.

red369|5 months ago

I think you raise a good point, and I want to agree, but my knee-jerk feeling is that it's such a mess right now that it's just like a kid peeing in the ocean. Your point has convinced me to work on that.

In the meantime, does anyone else get a kick out of receiving emails from quarantine@messaging.microsoft.com where they quarantine their own emails?

Edit: I see other people said things that are similar to a more mature version of my feeling. We need to address this in a way that addresses the threat of email links properly, not throw machine learning at guessing which are OK to click. BTW, I'm not implying that you're saying that is what should be done to solve the issue, but I'm sure it's behind the silly MS quarantine I mentioned, and when an email from the one person I email the most, who is also in my contacts, going to spam in iCloud.

Terr_|5 months ago

It may be possible to make a more-limited system without redirects, by abusing stuff like user:pass@host URL schemes, or #anchor suffixes... although it would be less reliable, some hosts/URLs would have problems.

cobbaut|5 months ago

Nice! Can the generated link please include 'safelinks.protection.outlook' somewhere?

nesk_|5 months ago

Unfortunately it's not possible to add custom query parameters

yoz-y|5 months ago

Great. Since shadyurl seems to have died

tetrisgm|5 months ago

I used to use it to redirect our links at work, back when the web was less paranoid. It was such silly fun. Surprised its dead

Skullfurious|5 months ago

After half a decade on discord... What are the odds of me being banned for sending a ragebait google redirect to my buddies?

ashtakeaway|5 months ago

If you come up with an idea to piss others off, you'll succeed 90% of the time.

The other 10% are people who are just like you and know better.

xyst|5 months ago

I had a coworker that would "prank" others by sending out of band messages from other colleagues when they leave their laptop open.

I think that guy would get a kick out of using this for his pranks.

> https://pc-helper.xyz/usr/libexec/gnome-session/binary/etc/p...

Although I suspect some IT drone would be less enthusiastic when reviewing the chat logs when it’s picked up on heuristics

b800h|5 months ago

Very funny, but this could be used for both intentional and unintentional Black-hat SEO. My theory goes:

    1. Create dodgy looking URL
    2. AI in Gmail spots link, blocks it.
    3. Blocked link is spidered for more information automatically
    4. Link resolves to website
    5. Website black-listed
So I'm not going to use it!

xorvoid|5 months ago

Chaotic Neutral

basscomm|5 months ago

That site is trying to tell me that http://localhost is not a valid URL

gblargg|5 months ago

This site needs a way to type in one of those URLs and see the target link.

eru|5 months ago

Most browsers have this functionality built in already.

johnecheck|5 months ago

Imagine if they later update these links to actually phish people. That'd be pretty funny.

Johnny555|5 months ago

That's what I was thinking -- eventually he'll stop paying for those domains and they'll go up for sale, and a domain taster may find that they are still active enough to use for real phishing.

sawirricardo|5 months ago

Interesting, just yesterday i also made url shortener too, focusing on privacy first https://sawirly.com

waterproof|5 months ago

If you want to be privacy focused, include a way to reverse a shortened URL without visiting it

edm0nd|5 months ago

Thanks, I needed something new to cloak my pornhub urls with

QQQQQQQQQQQQQM|5 months ago

I got an email the other day saying I had a new voicemail. The content of the email was regarding a new voicemail I received, and I should click the attachment to listen to it. The header and info was from some service that I had never heard of and we definitely don't use. Also, the entire message was a screenshot of an actual email, so there was no text, just one image. The attachment was a .html file.

I reported it for phishing and I kid you not, less than 30 seconds later I got a response "Email is not suspicious"

What do you MEAN email is not suspicious? This is the most suspicious email I have ever received!

p0w3n3d|5 months ago

In a big enough corpo this is how to get fired quick and hard

OrvalWintermute|5 months ago

The person that created this has a wonderful sense of humor!

lancewiggs|5 months ago

Fun but scammy.

If you copy the generated url and put it into the entry field (and repeat) then you end up at a bitcoin site. As Bubblerings has pointed out that has malware.

jacobgkau|5 months ago

> If you copy the generated url and put it into the entry field (and repeat) then you end up at a bitcoin site.

Uh, what? I just tried it a few times, and it seems to just follow the redirect each time, always ending up back at the original target URL I entered. How many times did you have to "repeat" to make that happen?

> As Bubblerings has pointed out that has malware.

No, that's not what BubbleRings said. BubbleRings said one site on VirusTotal reported it was malware. That sounds like a false positive because the URL is fishy, which is the entire point of the joke here.

itake|5 months ago

Doesnt work. IT blocked fresh domain names

Manouchehri|5 months ago

I used to own spyware.tk until I forgot to renew it and the registrar disappeared. Sad I had to let that one go.

PLMUV9A4UP27D|5 months ago

Oh, this can be used as a fun twist in our company's internal security education. A rickrolling link!

nedt|5 months ago

Yeah none of them are working in my corporate network. That's not the way to piss of the IT department.

ungreased0675|5 months ago

I laughed really hard, this is fantastic.

kittikitti|5 months ago

This is really funny and gave me a great laugh. Thank you for sharing and making this tool.

dyauspitr|5 months ago

Ha I wish there were a less over the top mode though. Make them subtly sketchy.

bethekidyouwant|5 months ago

www.shadyurl.com was around 15 years ago. I guess its gone now.

Fokamul|5 months ago

Is there pizza index tracker for Calcutta?

And this madlad posts this at Friday.

GG HF, SOC people :D

jonathrg|5 months ago

It's a nice touch that the buttons are styled like ads.

amelius|5 months ago

Great for pen-testing your parents and grandparents.

rurban|5 months ago

My browser (Fennec) blocked the phishy URL, great.

Groxx|5 months ago

finally, a worthy successor to shadyurl

roguas|5 months ago

i seriously hate my it dept attempts, they send you a link, you click, boom you have to enroll to a training

im sry, did i miss the part on how you can hack someone by simply sending them the link? is the web seriously that bad? honestly at least do full job and create some phishing website that goes along, otherwise wtf?

southernplaces7|5 months ago

This was the best damn belly laugh I've had all week. Ahh. Thanks for that.

"Just fuck me up fam!"

You had me spraying coffee by that point

All the funnier trying it with links to community church services (baptist no less).

SoKamil|5 months ago

Am I the only one who thinks .xyz domains are sketchy?

Google uses it for its Alphabet Investor Relations site: http://abc.xyz

mig4ng|5 months ago

This is hilarious! Make the accordion of selection always open please.

artursapek|5 months ago

That is fucking hilarious