SaaS App Vanity URLs Can Be Spoofed for Phishing, Social Engineering

Vanity URLs offered by SaaS applications can be spoofed by malicious actors for phishing and social engineering, according to data security and analytics company Varonis.

Varonis researchers have analyzed the vanity URLs for Zoom, Box and Google services, and found that they can all be — or could have been before fixes were implemented — abused for malicious purposes.

A vanity URL is a personalized URL that makes links to files, landing pages and other resources easier to remember: a company can, for example, have its own name appear in the subdomain of the links its SaaS account generates. A vanity URL can also seem more trustworthy to users.

However, Varonis researchers found that SaaS applications often validate only the path of such a link (the “/s/1234” part that identifies the shared resource) but fail to validate the subdomain. An attacker can abuse this by changing the subdomain in a link generated by their own SaaS account.
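The validation gap described above, modelled as an added example (this is not Varonis's or any vendor's code): a toy file-sharing service whose "before" handler looks up a share by the identifier in the path and ignores the host, next to a hardened handler that only serves the share when the subdomain is the generic host or the vanity subdomain of the tenant that owns it. The domain example-saas.test, the tenant names and the share records are constructed for illustration.

```python
"""Toy SaaS share resolver: vulnerable vs. hardened subdomain handling.

Added example. BASE_DOMAIN, GENERIC_HOST and the SHARES table are
constructed; they do not describe any real vendor's implementation.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

BASE_DOMAIN = "example-saas.test"  # hypothetical SaaS base domain
GENERIC_HOST = "app"               # subdomain used by non-vanity links


@dataclass(frozen=True)
class Share:
    share_id: str
    owner_tenant: Optional[str]  # vanity subdomain of the creating account, or None
    filename: str


# Constructed data: "acme" is a paying tenant with a vanity subdomain;
# the attacker's free account has no vanity subdomain at all.
SHARES = {
    "q1-report": Share("q1-report", "acme", "Q1-report.pdf"),
    "x9k2m": Share("x9k2m", None, "wire-instructions.pdf"),  # attacker's file
}


def split_host(url: str):
    """Return (subdomain, path) for a link under BASE_DOMAIN, else raise."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # hostname is already lower-cased, port stripped
    if host == BASE_DOMAIN or not host.endswith("." + BASE_DOMAIN):
        raise ValueError(f"not a {BASE_DOMAIN} link: {url}")
    sub = host[: -len(BASE_DOMAIN) - 1]
    if not sub or "." in sub:
        raise ValueError(f"unexpected host: {host}")
    return sub, parts.path


def share_id_from_path(path: str) -> str:
    """Accept only the '/s/<id>' shape and return <id>."""
    segments = [s for s in path.split("/") if s]
    if len(segments) != 2 or segments[0] != "s":
        raise ValueError(f"malformed share path: {path}")
    return segments[1]


def resolve_vulnerable(url: str) -> Optional[str]:
    """Before: only the identifier in the path is checked. Whatever name the
    attacker puts in the subdomain, the attacker's file is served under it."""
    _, path = split_host(url)
    share = SHARES.get(share_id_from_path(path))
    return share.filename if share else None


def resolve_hardened(url: str) -> Optional[str]:
    """After: the subdomain must be the generic host or exactly the vanity
    subdomain of the tenant that owns this share; anything else is refused.
    Checking merely that the subdomain belongs to *some* tenant would not be
    enough, since the attacker picks a real company's name on purpose."""
    sub, path = split_host(url)
    share = SHARES.get(share_id_from_path(path))
    if share is None:
        return None
    if sub != GENERIC_HOST and sub != share.owner_tenant:
        return None  # subdomain does not belong to the share's owner
    return share.filename


if __name__ == "__main__":
    spoofed = "https://acme.example-saas.test/s/x9k2m"
    print("vulnerable:", resolve_vulnerable(spoofed))  # attacker file served as acme
    print("hardened:  ", resolve_hardened(spoofed))    # None: rejected
```

The decisive check is the binding between the subdomain and the share's owning tenant, not the existence of the subdomain: the attacker's link in the spoofed case carries a perfectly real tenant name, so a lookup of "is acme a customer" would pass.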

For example, file sharing URLs generated by the Box content management app can use a custom subdomain to share and access documents. While this feature is only available to business-level plans, Varonis found that the generic file sharing link that any user can create, whose path ends in the file identifier (<id>), could in some cases be modified simply by prepending any company’s name as the subdomain, and the link would still work.

An attacker, for instance, could have created a generic file sharing link and modified it so that a target company’s name appeared in the subdomain while the path still pointed to the attacker’s <id>. A link with such a name pointing to a file that instructs an employee in the company’s finance department to make a payment to a specified bank account is more likely to succeed than a random link.

The same method worked with public file request URLs from Box, which could have been used to lure people to phishing forms that instruct victims to hand over personal and financial information.

In the case of Zoom, Varonis tested the method with vanity URLs for meeting recordings and webinar registrations. An attacker can generate a link pointing to malicious content and modify its subdomain to carry a target organization’s name. In the case of webinar registration links, the attacker can abuse legitimate Zoom functionality to collect information from victims by requiring them to enter data in order to register for the supposed webinar; the data requested during registration can be customized.

Spoofed Zoom vanity URL

This is not the first time researchers have looked at abusing Zoom’s vanity URLs. Check Point conducted a similar analysis back in 2020, but that focused on join meeting URLs, while Varonis has focused on webinar registration and meeting recording URLs.

Zoom users may see a warning when clicking on such links, but the researchers pointed out that people often click through these types of alerts without giving it too much thought.

Google does not offer a vanity URL feature, but Varonis discovered that links to a Google Form or Docs document could nevertheless be modified so that a company’s name appeared in the link, producing what looks like a vanity URL.

Spoofed Google Docs vanity URL

Varonis reported its findings to the affected vendors, all of which implemented patches or mitigations. According to the cybersecurity firm, Box now prevents URL manipulation; Zoom still allows spoofing, but a warning is displayed to the user; and Google has taken steps to address the issue, but spoofing is still possible for Forms and Docs that use the “publish to web” feature.

Zoom and Google also paid out bug bounties, but Varonis is not disclosing the amounts.

“Vanity URLs exist in many SaaS applications and are not limited to just Box and Zoom,” said Tal Peleg, a senior security researcher at Varonis. “We recommend educating your coworkers about the risk associated with clicking on such links and especially submitting PII and other sensitive information via forms, even if they appear to be hosted by your company’s sanctioned SaaS accounts.”

Related: Microsoft Warns of Spoofing Vulnerability in Defender for Endpoint

Related: Google to Run Experiment in Fight Against URL Spoofing in Chrome

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
