In 2024, threat actors were already abusing URL rewriting mechanisms in phishing campaigns to mask malicious domains. Between the second and fourth quarters of 2025, LevelBlue SpiderLabs identified a notable escalation in this tactic, with adversaries deliberately constructing multi‑layered URL rewriting as redirectors, chaining together multiple trusted providers to further obscure the final malicious domain and evade traditional email security controls.