Weaponizing Safe Links: Abuse of Multi-Layered URL Rewriting in Phishing Attacks
ID: 5bc24b56-5900-548d-8be1-58813c33b2c6
STIX ID: report--5bc24b56-5900-548d-8be1-58813c33b2c6
Feed Name: LevelBlue SpiderLabs Blog
This report explains how threat actors are increasingly abusing trusted URL-rewriting services to build multi-vendor, multi-layer redirect chains that obscure final phishing destinations. PhaaS frameworks like Tycoon2FA and Sneaky2FA use these chains to perform AiTM MFA bypasses, enabling account takeover and downstream BEC, data exfiltration, and ransomware. The document provides case studies, observed vendor chains, and sample IOCs, and it recommends defenses including behavioral detection, phishing-resistant MFA, continuous monitoring, and user training.
