Platforms that enable communication workflows, such as email APIs, link tracking, and email tracking, are a core part of many modern applications. At the same time, these systems can attract bad actors attempting to add credibility to phishing campaigns and obscure malicious intent.
At Nylas, we continuously monitor for and respond to misuse of our platform as part of our normal security operations. In this post, we share how these patterns show up in practice and how we approach detecting and addressing abuse of trusted communication infrastructure.
Phishing campaigns often rely on trusted services to make malicious content appear more legitimate and harder to detect. One common technique is to take a phishing destination URL and wrap it in a trusted redirect or tracking link.
In practice, this makes it harder to see where a link ultimately leads. It can also help malicious links bypass basic filtering controls, while increasing the likelihood that recipients will trust and interact with them.
This pattern is not unique to any one provider. It is a broader challenge for every platform that offers link tracking, redirect services, or email engagement analytics.
In reviewing activity across our platform, along with a recently reported phishing campaign targeting Outpost24, we identified third parties creating accounts and generating Nylas tracking links that redirect to phishing destinations.
This type of behavior typically involves taking an existing phishing URL and rewriting it as a trusted tracking or redirection link. By obscuring the final destination, attackers increase the likelihood of engagement and reduce visibility into malicious intent.
The actions we observe in these cases tend to follow a consistent pattern. It often starts with the creation of an account that shows little to no legitimate usage, followed by the rapid generation of tracking-enabled links.
The resulting activity is inconsistent with how the platform is designed to be used in production environments. These links are then incorporated into phishing workflows to increase credibility and evade detection.
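The account-level pattern described above (a fresh account with little or no sending activity that suddenly generates a burst of tracking links) can be expressed as a few behavioural features and scored per account. The following is an added example for illustration, not Nylas code; the event format, field names and thresholds are all assumptions, and the log lines are constructed. It builds a per-account profile from an event stream, applies three independent heuristics, and flags accounts that trip more than one of them, which keeps a single noisy signal from producing a false positive on legitimate bulk users.

```python
"""Heuristic scoring of tracking-link creation behaviour over a constructed event log.

Added example, not Nylas code. Event shape (timestamp, account_id, event_type, detail)
and every threshold below are assumptions chosen for illustration.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed thresholds; a real deployment would tune these against historical data.
MAX_ACCOUNT_AGE = timedelta(hours=24)   # links created this soon after signup are "new account" signals
BURST_WINDOW = timedelta(minutes=10)    # sliding window for burst detection
BURST_LINKS = 20                        # links within BURST_WINDOW that count as a burst
MAX_LINKS_PER_MESSAGE = 5               # links per sent message beyond which volume looks disproportionate


def build_profiles(events):
    """Aggregate raw events into one profile per account."""
    profiles = {}
    for ts, acct, kind, detail in sorted(events, key=lambda e: e[0]):
        p = profiles.setdefault(acct, {"created": None, "sent": 0, "links": [], "destinations": set()})
        if kind == "account_created":
            p["created"] = ts
        elif kind == "message_sent":
            p["sent"] += 1                      # evidence of legitimate platform usage
        elif kind == "tracking_link_created":
            p["links"].append(ts)
            p["destinations"].add(urlparse(detail).hostname or "")  # final destination host, for later invalidation
    return profiles


def max_links_in_window(times, window):
    """Largest number of link creations falling inside any span of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def score_account(profile):
    """Return the list of heuristics this account trips (empty list means nothing suspicious)."""
    reasons = []
    if not profile["links"]:
        return reasons
    first_link = min(profile["links"])
    if profile["created"] is not None and first_link - profile["created"] < MAX_ACCOUNT_AGE:
        reasons.append("tracking links created within 24h of account creation")
    if profile["sent"] == 0:
        reasons.append("no messages sent: no legitimate usage to justify link generation")
    elif len(profile["links"]) > MAX_LINKS_PER_MESSAGE * profile["sent"]:
        reasons.append("link volume out of proportion to messages sent")
    if max_links_in_window(profile["links"], BURST_WINDOW) >= BURST_LINKS:
        reasons.append("burst of tracking-link creation")
    return reasons


def flag_accounts(events, min_reasons=2):
    """Map account_id -> reasons for every account tripping at least `min_reasons` heuristics."""
    flagged = {}
    for acct, profile in build_profiles(events).items():
        reasons = score_account(profile)
        if len(reasons) >= min_reasons:
            flagged[acct] = reasons
    return flagged


def _constructed_events():
    """Constructed sample log: one ordinary account and one matching the abuse pattern."""
    base = datetime(2024, 4, 1, 8, 0)
    events = [(base, "acct-legit", "account_created", "")]
    for i in range(10):  # steady sending over ten days
        events.append((base + timedelta(days=i, hours=2), "acct-legit", "message_sent", "billing@example.com"))
    for i in range(3):   # a handful of tracked links, one per day
        events.append((base + timedelta(days=i + 1), "acct-legit", "tracking_link_created", "https://example.com/docs"))

    burst_start = datetime(2024, 5, 1, 9, 0)
    events.append((burst_start, "acct-burst", "account_created", ""))
    for i in range(25):  # 25 links in four minutes, five minutes after signup, no messages ever sent
        events.append((burst_start + timedelta(minutes=5, seconds=10 * i), "acct-burst",
                       "tracking_link_created", f"https://login-verify.invalid/p{i}"))  # placeholder destination
    return events


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    for acct, reasons in flag_accounts(SAMPLE_EVENTS).items():
        print(acct, "->", "; ".join(reasons))
```

Run stand-alone, the script prints only `acct-burst` with all three reasons, while the ordinary account trips none. The `destinations` set kept per profile is what an analyst would feed into link invalidation and blocklisting once an account is confirmed abusive; requiring two reasons rather than one is the design choice that separates a brand-new but genuine customer running a test batch from the pattern described in the post.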
Once this activity was identified, we reviewed the associated accounts and traffic patterns, disabled the relevant accounts, and invalidated the tracking links.
We also analyzed related signals to identify similar patterns and are implementing additional mitigations where appropriate.
Preventing misuse of trusted infrastructure requires a layered approach that combines automated detection with manual investigation.
In practice, this includes:
As attacker techniques evolve, we adapt our systems and processes to reduce the effectiveness of these patterns and strengthen protections across the platform.
Addressing phishing activity like this is an ongoing effort across the ecosystem. We value working with researchers, customers, and other platforms to better understand emerging patterns and improve collective defenses.
If you’re seeing similar activity or would like to connect, we welcome the conversation.
Staff Security Engineer