Researchers at Perception Point recently flagged an email that passed through spam filters using a specially crafted URL, even though the intent of the email was to steal the victim’s Microsoft credentials. The threat actor took advantage of how email filters and browsers interpret the “@” character differently when analyzing a URL or an email. Most email filters ignore the text before and after an “@” symbol, since the character appears in email for legitimate reasons (addresses, most obviously). A browser, on the other hand, treats an “@” in the authority portion of a URL as the end of a credentials block: anything before the symbol is taken as a username and password, and anything after it is the site actually being accessed. For example, http(s)://username[:]password[@]example.com would attempt to use a username and password to access example.com, and if no credentials were required, example.com would simply be opened. By building a URL out of a random string of characters, followed by an “@” symbol, followed by the phishing page, the threat actor bypassed email filtering and tricked victims into visiting a spoofed web page that harvested their credentials.
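The parsing difference described above is easy to check from the defender's side: split each URL the way a browser does and report the host that sits after the last “@” in the authority. The script below is an added example, not code from the Perception Point report; its sample email body and the placeholder domains (`login-portal.example`, `phish.example`, and so on) are constructed for illustration and are not real indicators.

```python
"""Flag URLs whose authority carries userinfo ("text@host"), i.e. links that a
browser will send somewhere other than what a casual reader sees.

Added example; the sample email and domains below are constructed placeholders.
"""
import re
from urllib.parse import urlsplit

# Plain-text URL matcher; stops at whitespace and common delimiters. Constructed
# for this example, not a production-grade link extractor.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def real_destination(url: str) -> dict:
    """Describe where a browser would actually navigate for `url`.

    The authority component is [userinfo@]host[:port] (RFC 3986). urllib and
    browsers both split on the LAST "@" before the path, so everything in
    front of it is userinfo, not the destination host.
    """
    parts = urlsplit(url)
    userinfo, has_at, _ = parts.netloc.rpartition("@")
    return {
        "url": url,
        "has_userinfo": bool(has_at),
        "userinfo": userinfo if has_at else "",
        "host": parts.hostname or "",
    }


def scan_text(text: str) -> list:
    """Return one finding per URL in `text` whose authority carries userinfo.

    Mail addresses such as helpdesk@corp.example are not matched because they
    have no http(s):// scheme; an "@" inside the query string is also ignored,
    since the authority ends at the first "/", "?" or "#".
    """
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")  # strip trailing prose punctuation
        info = real_destination(url)
        if info["has_userinfo"]:
            findings.append(info)
    return findings


# Constructed sample email body; "login-portal.example" is a placeholder, not a real IoC.
SAMPLE_EMAIL = """\
Your mailbox is almost full. Review your storage settings here:
https://x7q2m9kd4p@login-portal.example/office365/signin
Reference: https://www.microsoft.com/en-us/microsoft-365
Questions? Contact helpdesk@corp.example.
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_EMAIL):
        print(f"suspicious link: {finding['url']}")
        print(f"  userinfo (discarded by the browser): {finding['userinfo']!r}")
        print(f"  real destination host: {finding['host']}")
```

Run against the constructed email, the script reports only the second link: the random string `x7q2m9kd4p` is discarded as userinfo and the real destination is `login-portal.example`, which is the value a filter should be reputation-checking. The same logic catches the more deceptive variant where the userinfo is itself a trusted-looking name, such as `https://www.microsoft.com@phish.example/login`.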
Now that this style of phishing attack has proven successful, it has the potential to spread very quickly. Security awareness training for employees is especially important while email-filtering vendors update their detection engines to flag URLs that contain an “@” symbol.