Attackers would no longer be able to exploit application vulnerabilities by mass e-mailing poisoned hyperlinks because the links would be broken and invalid by the time the messages reached their intended victims. An automatically expiring URL can still be exploited by an attacker with access to a Web server of his own. Instead of sending out malicious hyperlinks that point directly to the vulnerable page, he can send out hyperlinks to his own site. When his site gets a hit from one of the phished e-mails, it can contact a vulnerable site to obtain a valid time stamp and then redirect the user accordingly.
Source: https://threatpost.com/protect-your-site-url-rewriting-022709/72363/