Tags: phishing-campaign-intelligence, identity-impersonation-fraud, detection-content-update, privacy-surveillance-policy

Security Risks From Phishing URLs and Long-Lived SMS “One-Time” Links

Updated 2d ago | First seen Jan 25, 2026 | 4 sources

1Password introduced a new anti-phishing UX control that displays pop-up warnings when users land on suspected phishing or typosquatted domains, addressing a gap where users might manually type credentials even when the password manager refuses to autofill due to a URL mismatch. The feature is enabled by default for Individual and Family plans, while enterprise admins can enable it via Authentication Policies in the 1Password admin console.

Separate academic/industry research highlighted systemic exposure risks from SMS-delivered “one-time” links that do not expire, enabling personal data access long after delivery. The study assembled a dataset from public SMS gateways (over 33M messages, 323K unique URLs, and 10.9K+ domains) to analyze how SMS link design choices can leak data over time; the article also notes broader threat trends where attackers increasingly use malicious URLs via SMS (smishing) and large-scale domain churn/brand impersonation to drive credential theft and fraud.


EVENT TIMELINE

How this story unfolded

4 events from the most recent confirmed update back to the earliest known activity.

Jan 28, 2026 (5mo ago)

SC Media report adds details on weak SMS-link token security

A later report on the SMS sign-in link research highlighted that 125 services used weak tokens that could allow attackers to guess valid login links, and reiterated that many links remained active for months or years. It also emphasized backend overfetching of personal data and noted the true number of affected services may be higher than observed.

Jan 25, 2026 (5mo ago)

1Password launches phishing URL pop-up warnings

1Password announced a built-in feature that displays pop-up warnings when users visit suspected phishing or typosquatted sites, aiming to prevent manual credential entry on fake pages. The protection is enabled by default for individual and family plans, while enterprise administrators can enable it through Authentication Policies.

Jan 23, 2026 (5mo ago)

Researchers disclose SMS link issues to 150 affected services

After identifying the exposures, the research team reported the issues to 150 services. Only 18 responded and seven implemented fixes, indicating that many of the exposed services likely remained vulnerable.

Researchers identify widespread exposure from long-lived SMS sign-in links

A research study analyzing more than 33 million messages from public SMS gateways found that SMS-delivered magic links and sign-in URLs at 177 services often acted as bearer tokens, exposing personal data and enabling account access. The study identified 701 still-working endpoints, including some links dating back to 2019, and found weak token designs, overexposed backend data, and in some cases account takeover or editable personal-data forms.
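The properties the research found missing in SMS sign-in links (unguessable tokens, expiry, single use) can be shown in a short server-side sketch. This is an added example, not code from the study or from any affected service; the class name, the 10-minute lifetime, the in-memory table and the account ids are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed 10-minute lifetime; choose per service


class SignInLinkStore:
    """In-memory stand-in for a server-side token table (hypothetical name)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._rows = {}  # sha256(token) -> [account_id, expires_at, used]

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account_id):
        # 32 bytes from the OS CSPRNG, so a valid link cannot be guessed or enumerated.
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        # Store only the digest: a leaked table then holds no usable links.
        self._rows[self._digest(token)] = [account_id, expires_at, False]
        return token

    def redeem(self, token):
        """Return the account id once; None if unknown, expired or already used."""
        row = self._rows.get(self._digest(token))
        if row is None:
            return None
        account_id, expires_at, used = row
        if used or self._clock() >= expires_at:
            return None
        row[2] = True  # single use: a later reader of the SMS gets nothing
        return account_id


if __name__ == "__main__":
    now = [0.0]  # constructed fake clock so the expiry path runs instantly
    store = SignInLinkStore(clock=lambda: now[0])
    link_token = store.issue("acct-1")  # constructed account id
    print(store.redeem(link_token), store.redeem(link_token))  # first use, then replay
    stale = store.issue("acct-2")
    now[0] += TOKEN_TTL_SECONDS
    print(store.redeem(stale))  # expired
```

A production table would also need an atomic mark-as-used update so that two concurrent requests cannot both redeem the same token.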

LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

10 linked
Affected products (5 linked): 1password, 1password, Facebook, Android, Windows
Organizations (5 linked): 1password, Okta, Meta Platforms, Microsoft Corporation, TechRadar