
SaaS App Vanity URLs Can Be Spoofed for Phishing, Social Engineering

Vanity URLs offered by SaaS applications can be spoofed by malicious actors for phishing and social engineering, according to data security and analytics company Varonis.

Varonis researchers have analyzed the vanity URLs for Zoom, Box and Google services, and found that they can all be — or could have been before fixes were implemented — abused for malicious purposes.

A vanity URL is a personalized URL that makes it easier to remember links to files, landing pages and other resources. For example, the URL can be personalized to A vanity URL could also seem more trustworthy to users.

However, Varonis researchers found that SaaS applications often only validate the URI — the “/s/1234” part in the above example — but fail to validate the vanity URL’s subdomain. An attacker can abuse this by changing the subdomain in a link generated by their own SaaS accounts.

For example, in the case of file sharing URLs generated by the Box content management app, a custom subdomain can be used — such as — to share and access documents. While this feature is only available to business-level plans, Varonis found that the generic link that can be created for file sharing by any user, which looks like <id>, could have been modified in some cases simply by prepending any company’s name, and the link would still work.

An attacker, for instance, could have created a generic file sharing link and modified it to look like <id>. A link with such a name pointing to a file that instructs an employee in a company’s financial department to make a payment to a specified bank account is more likely to succeed than a random link.
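The validation gap described above, as an added illustration that is not from the article or from any vendor's code: a toy share-link resolver that, like the affected services, checks only the path token, beside a hardened version that also requires the host to be either the generic share host or the vanity host of the tenant that owns the link. All hosts, tenants and share ids below are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed sample data (assumed, not real SaaS values).
GENERIC_HOST = "app.example-saas.com"                 # generic share host for every user
TENANT_VANITY = {"acme": "acme.example-saas.com"}     # tenants on a plan with a vanity subdomain
SHARE_LINKS = {                                       # share path token -> owning tenant
    "s/1234": "acme",                                 # acme's own file
    "s/9999": "free-tier-user",                       # a free account's file
}

def _parse(url):
    """Split a share URL into (lowercased host, path token without slashes)."""
    u = urlparse(url)
    return (u.hostname or ""), u.path.strip("/")

def resolve_vulnerable(url):
    """Weak behaviour: validate the path token only, ignore the subdomain.

    Returns the owning tenant whose file would be served, or None if the
    token is unknown. The host is never consulted, so a free-tier link
    prefixed with any company's vanity subdomain still resolves.
    """
    _host, token = _parse(url)
    return SHARE_LINKS.get(token)

def resolve_hardened(url):
    """Hardened behaviour: the host must match the link's owner.

    A link is served only from the generic host or from the vanity host of
    the tenant that created it; any other host/path pairing is rejected.
    """
    host, token = _parse(url)
    owner = SHARE_LINKS.get(token)
    if owner is None:
        return None                      # unknown token: reject as before
    if host == GENERIC_HOST:
        return owner                     # generic link, unchanged
    if TENANT_VANITY.get(owner) == host:
        return owner                     # owner's own vanity subdomain
    return None                          # spoofed subdomain: do not serve

if __name__ == "__main__":
    spoofed = "https://acme.example-saas.com/s/9999"   # free-tier file under acme's name
    print("vulnerable serves:", resolve_vulnerable(spoofed))  # free-tier-user
    print("hardened serves:  ", resolve_hardened(spoofed))    # None
```

The same host-versus-owner comparison is what an email security filter can apply from the outside: a link whose subdomain names your company but whose path token was not issued to your tenant is the pattern to flag.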

The same method worked with public file request URLs from Box, which could have been used to lure people to phishing forms that instruct victims to hand over personal and financial information.

In the case of Zoom, Varonis tested the method with vanity URLs for meeting recordings and webinar registrations. An attacker can generate a link pointing to malicious content and modify it to, for example. In the case of webinar registration links, the attacker can abuse legitimate Zoom functionality to collect information from victims by requiring their data to register to the supposed webinar. The data requested during registration can be customized.

Spoofed Zoom vanity URL

This is not the first time researchers have looked at abusing Zoom’s vanity URLs. Check Point conducted a similar analysis back in 2020, but that focused on join meeting URLs, while Varonis has focused on webinar registration and meeting recording URLs.

Zoom users may see a warning when clicking on such links, but the researchers pointed out that people often click through these types of alerts without giving it too much thought.

Google does not offer a vanity URL feature, but Varonis discovered that links to a Google Form or Docs document can be modified to look like

Spoofed Google Docs vanity URL

Varonis reported its findings to the affected vendors, and all of them implemented patches or mitigations. According to the cybersecurity firm, Box now prevents URL manipulation; Zoom still allows spoofing, but a warning is displayed to the user; and Google has taken steps to address the issue, but spoofing is still possible for Forms and Docs that use the “publish to web” feature.

Zoom and Google also paid out bug bounties, but Varonis is not disclosing the amounts.

“Vanity URLs exist in many SaaS applications and are not limited to just Box and Zoom,” said Tal Peleg, a senior security researcher at Varonis. “We recommend educating your coworkers about the risk associated with clicking on such links and especially submitting PII and other sensitive information via forms, even if they appear to be hosted by your company’s sanctioned SaaS accounts.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.