Reference Number ACG-CSB 052025393

The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

Cyber Threat Actors are always coming up with new ways to trick people. One of the smarter scams today is called Legacy Reputation URL Evasion, or LURE. This technique hides dangerous content behind a link that looks completely safe. At first, the link shows something harmless, so it gets past security checks. But later, the content changes, and what once looked normal turns into something harmful like a fake login page designed to steal passwords.

Here’s how it works: A scammer sends a link that points to a popular and trusted website, like a file-sharing or storage service. At first, the link opens a clean page, maybe a simple document or a blank file. Since the website is well-known, most filters and antivirus tools don’t block it. But after some time, the scammer changes what’s behind the link, switching it to a fake website or a page that tries to trick people into typing in their personal information.

For example, a person working in a company, such as someone in finance or administration, might receive a link to a file stored in a cloud storage service. When they open it the first time, it shows a normal or legitimate file, so it appears safe and nothing seems unusual. Since the email comes from a trusted coworker, the person continues with their work, thinking it is a routine task. But later, when they click the same link again, perhaps to double-check details or forward it to another colleague, it leads to a fake login page that looks just like their company’s official system. If they type in their username and password, that information is secretly sent to the scammer. The link hasn’t changed in appearance; it still shows the same web address and looks like it points to the same file. However, the content behind it has been quietly replaced. Now, instead of a harmless document, it leads to a trap designed to steal credentials. Because everything looks normal on the surface, employees may not realize anything is wrong until it’s too late, making this tactic especially dangerous in business settings.

In a real-world scenario, a cybercriminal compromises a bank employee’s email account and sends a message that looks normal, asking a coworker to check a file using a trusted link. At first, the link opens a harmless document, so it doesn’t raise any red flags. Because the message comes from someone they know, no one thinks anything is wrong. Later, the Cyber Threat Actor changes what’s behind the link to a fake login page that looks just like the bank’s real system. When the coworker clicks the link again and types in their username and password, the attacker captures that information. With those details, the attacker can get into the bank’s system to steal money or sensitive data, without anyone noticing right away.

This works so well because many security systems only check a link once, when it’s first seen. They don’t keep checking the link every time it’s clicked. Also, since the website behind the link is trusted, people feel safe clicking it again. This combination of trust and timing makes LURE a very effective trick.

To avoid falling for this kind of scam, it’s important to be careful with any link, even ones that look familiar. Security tools that check links every time they’re opened can help. And if a link suddenly asks for a password when it didn’t before, that could be a warning sign of something suspicious. Free tools typically scan links only once, making them blind to these delayed changes. Premium security tools are essential because they offer real-time link scanning, behavioral analysis, and time-of-click protection, detecting when a once-safe link becomes dangerous. Without these advanced features, LURE attacks can easily bypass defenses, steal credentials, and cause serious damage, making premium protection not just helpful, but necessary.
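The point made above, that a link must be re-examined on every click rather than only when first seen, can be shown with a small time-of-click check. The following script is an added illustration written for this bulletin, not a tool from PNP ACG or from the referenced vendors. It records a fingerprint of what a shared link served the first time (the host that finally answered, a hash of the page, whether the page asks for a password, and where any form would send credentials) and compares every later click against that baseline. The URLs, hostnames and HTML snapshots are constructed placeholders so the script runs offline; a deployed version would replace the two snapshots with real fetches.

```python
"""Time-of-click re-evaluation of a shared link (added illustrative example).

A link judged safe once is re-checked on every click, because the content
behind a trusted-host URL can be swapped later (the LURE pattern). Fetching
is simulated with constructed HTML snapshots so the script runs offline.
"""
import hashlib
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Collects password inputs and form submission targets from HTML."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])


@dataclass(frozen=True)
class Fingerprint:
    final_host: str          # host that actually served the page after redirects
    content_sha256: str      # hash of the served body
    asks_for_password: bool  # page contains a password field
    form_hosts: tuple        # hosts that any form would post credentials to


def fingerprint(final_url: str, body: str) -> Fingerprint:
    """Summarise one fetch of a link into the properties worth comparing over time."""
    scanner = _FormScanner()
    scanner.feed(body)
    final_host = urlparse(final_url).hostname or ""
    # A relative form action posts back to the serving host.
    form_hosts = tuple(sorted({
        (urlparse(action).hostname or final_host) for action in scanner.form_actions
    }))
    return Fingerprint(
        final_host=final_host,
        content_sha256=hashlib.sha256(body.encode()).hexdigest(),
        asks_for_password=scanner.password_inputs > 0,
        form_hosts=form_hosts,
    )


class TimeOfClickMonitor:
    """Keeps the first-seen fingerprint of each shared URL and compares later clicks to it."""

    def __init__(self):
        self.baseline = {}

    def check(self, shared_url: str, final_url: str, body: str) -> list:
        """Return alert strings; an empty list means consistent with the first observation."""
        now = fingerprint(final_url, body)
        before = self.baseline.get(shared_url)
        if before is None:
            self.baseline[shared_url] = now
            # A shared file link that asks for a password on first view is itself a warning sign.
            return ["password form on first view"] if now.asks_for_password else []
        alerts = []
        if now.final_host != before.final_host:
            alerts.append(f"redirect target changed: {before.final_host} -> {now.final_host}")
        if now.asks_for_password and not before.asks_for_password:
            alerts.append("link now asks for a password but did not before")
        foreign = [h for h in now.form_hosts if h != urlparse(shared_url).hostname]
        if foreign:
            alerts.append(f"credentials would be posted to another host: {', '.join(foreign)}")
        if now.content_sha256 != before.content_sha256:
            alerts.append("content behind the link changed since first scan")
        return alerts


# Constructed placeholder link on a fictitious file-sharing host.
SHARED_LINK = "https://files.example-storage.test/s/abc123"

# Constructed snapshot 1: a harmless document preview served by the storage host.
FIRST_VIEW = (SHARED_LINK, "<html><body><h1>Q3 budget.pdf</h1><p>Preview</p></body></html>")

# Constructed snapshot 2: the same shared URL now forwards to a lookalike login page.
LATER_VIEW = (
    "https://login.example-corp-portal.test/auth",
    '<html><body><form action="https://login.example-corp-portal.test/collect">'
    '<input name="user"><input type="password" name="pass"></form></body></html>',
)


def demo() -> list:
    """Run both clicks through the monitor; returns [alerts on first click, alerts on second click]."""
    mon = TimeOfClickMonitor()
    first = mon.check(SHARED_LINK, *FIRST_VIEW)
    later = mon.check(SHARED_LINK, *LATER_VIEW)
    return [first, later]


if __name__ == "__main__":
    for i, alerts in enumerate(demo(), start=1):
        print(f"click {i}: {alerts or 'no change'}")
```

The first click sets the baseline and raises nothing; the second click raises four alerts because the serving host changed, a password field appeared, the form would send credentials to a host other than the one the link was shared from, and the page content differs. Of these, the content-hash change on its own is only informational (a legitimately edited document also changes), so a real deployment would weight the password and cross-host signals higher and block or warn on those.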

RECOMMENDATION

The public is advised to follow these tips to avoid becoming a victim of scams hidden behind safe-looking links:

  • Don’t trust a link just because it worked before. A link that looked safe earlier can change later. Always double-check it before clicking again;
  • Avoid logging in through shared links. If a link suddenly asks for a username or password, close it. Instead, go directly to the official website;
  • Use real-time link scanning tools. Choose email or web protection that checks links every time they’re clicked, not just once;
  • Look out for new behavior in old links. If a link starts showing a login form or redirects to a different page than it did before, it might be a trap;
  • Turn on two-step verification (2FA). Even if a password is stolen, two-step verification helps stop someone from getting in; and
  • Don’t download files from links that change. If a file download link starts asking for a login or takes longer than usual to load, it might be dangerous.

For additional information, please refer to the following websites:

  • https://www.anomali.com/glossary/lure-legacy-url-protection-evasion
  • https://www.menlosecurity.com/what-is/highly-evasive-adaptive-threats-heat/legacy-reputation-url-evasion

POINT OF CONTACT

Please contact PLTCOL JERRY V EMPIZO, Acting Chief, Cyber Security Unit, thru e-mail address csradacgroup@gmail.com or contact us by telephone number (632) 723-0401 local 7488 for any inquiries related to this CYBER SECURITY BULLETIN.
