Zero Trust Is Broken at the URL — And That’s Where Most Attacks Begin (Phishing)

Under OMB Memorandum M-22-09, the U.S. Government is pushing to implement Zero Trust: every user must prove who they are, every device must show it’s healthy, every app must be authorised, and every connection verified.

The Zero Trust security market was valued at $36B in 2024 and is projected to reach $124B by 2032 — more than tripling in eight years. It’s big business because it’s the gold standard in cybersecurity.

🚨 But there’s one critical gap: web links.

Even in advanced Zero Trust environments, URLs are still trusted by default — leaving agencies, businesses, and the public exposed, no matter how strong the controls around identity, devices, apps, or networks.

💡 Until URLs are verified before anyone can click or share, Zero Trust remains dangerously incomplete.

The Core Problem: What Zero Trust Misses

Zero Trust means no assumptions — everything must prove legitimacy before access is granted.

But the most exploited entry point — URLs — has been excluded.

Legacy defences like Protective DNS and threat feeds try to block links after they’ve already been used. But by then, it’s too late.

Smart attackers use domains with no history, launch campaigns, and sail past filters into inboxes, SMS, and browsers.

And it’s not just about fake domains. Many phishing campaigns use links hosted on trusted websites like play.google.com, GitHub.com , Dropbox.com, and DocuSign.com. These URLs lead to fake accounts or apps that appear legitimate — but have randomised structures no system can reliably detect. AI can’t flag what has no pattern or history. The links look clean, and the scams succeed.

That’s why detection-based security fails. Even the best Zero Trust setups still trust links by default.

Which is exactly what attackers exploit.

Why URL Verification Is the Missing Piece

Phishing — not malware, zero-days, or misconfigurations — remains the #1 cause of cyberattacks. A single click on a realistic link can compromise an entire organisation.

💡 90% of successful attacks start this way.

The industry keeps chasing “known bad” URLs. But once flagged, the damage is already done. This isn’t user error — it’s system failure.

True Zero Trust flips the model:

A link must prove it’s safe before it’s delivered, shared, or opened.

What Zero Trust for URLs Looks Like

MetaCert pioneered Zero Trust URL Authentication — the first preventative security model for web links. Instead of reacting to threats, it verifies every URL before it can be delivered, opened, or shared.

It might sound surprising to hear this came from a lesser-known company, but MetaCert has a long history of being early. It pioneered mobile, app, and team collaboration security — with a patent portfolio now licensed by nearly every major tech firm. Unfortunately, it was ahead of the market each time, forced to pivot channels before they matured into multi-billion-dollar cybersecurity categories.

But with SMS, timing is no longer an issue. Everyone now understands that SMS links can be dangerous — yet for reasons no one can explain, no major security vendor has stepped in to help carriers protect people from phishing. MetaCert is still the only one offering a real solution. And it works. It’s the first major implementation of zero trust for url authentication.

In SMS infrastructure:

• URLs are extracted at the carrier level and checked against a real-time allow-list API.
• Safe links pass through untouched.
• Unverified links are blocked or rewritten to a warning page — stopping phishing before it reaches people.

Live-tested inside a national mobile network — fully integrated, independently validated, and confirmed as the only solution to meet all technical, operational, and performance requirements.

Zero Trust SMS was trialled across 100% of national SMS traffic — every message sent to and from citizens, businesses, hospitals, and government agencies. Over six months, the system passively intercepted real-time banking, 2FA, and delivery messages.

In telecom, a live trial at this scale only proceeds after full technical, legal, and commercial due diligence. Everything was approved. The only delay in deployment is regulatory — not technical.

🛡️ Attackers can’t bypass it. If a link fails verification, it never reaches the victim.

Why It Matters Now: SMS Is the #1 Phishing Channel

🚨 SMS is now the most targeted — and least protected — phishing channel.

In 2024, ProofPoint confirmed that SMS overtook email as the leading phishing vector on mobile. At the same time, 83% of all new phishing sites were built for mobile.

Until URLs in SMS are verified before delivery, phishing will keep getting through — regardless of how secure your apps, devices, or networks are.

The Future: From Reactive to Preventative Security

The block-list model is broken. It’s time to move forward.

The future is allow-lists — positive security:

• Verification before delivery, share or click
• Unknown = unsafe by default
• No trust without proof

This removes blind trust and forces attackers to work harder.

What the Federal Strategy Must Add

If agencies and vendors are serious about Zero Trust, they must:

1. Mandate allow-list verification for all URLs across email, SMS, and messaging platforms.
2. Treat threat intelligence as secondary — not the first line of defence.

🚨 Until URLs are verified like identities, devices, apps, and network data, Zero Trust remains incomplete — and the biggest attack surface stays wide open.

⏰ The time to fix it is now.