Researchers at Perception Point recently flagged an email that was able to pass through spam filters using a specially crafted URL, even though the intent of the email was to steal a victim’s Microsoft credentials. The threat actor was taking advantage of how email filters and browsers read the “@” character differently when analyzing a URL or email. Most email filters will ignore text before and after an “@” symbol, as the symbol is commonly used within email for legitimate reasons. Browsers, by contrast, assume when reading an “@” symbol in a URL that anything before the symbol is credentials and anything after it is the website being accessed. For example, http(s)://username[:]password[@]example.com would attempt to use a username and password to access example.com, and if no credentials were needed, the website itself would be accessed. By using a URL that was made up of a random string of characters followed by an “@” symbol and then the phishing page, the threat actor was able to bypass email filtering and trick victims into going to a spoofed webpage that stole their credentials.
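A filter can close this gap by parsing links the way a browser does and flagging any whose authority part carries text before an “@”. The sketch below is an added example, not code from Perception Point; the function name, the sample email and the `.example` hosts are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample body: one decoy-userinfo link, one benign link with "@"
# in the query string, and one classic user:password link.
SAMPLE_EMAIL = """
Your mailbox is almost full. Sign in to keep receiving mail:
https://x7Gq2LmZ0pT4@login.phish.example/owa/index.html
Questions? See https://support.example.com/contact?to=help@example.com.
Classic form: http://alice:secret@intranet.example:8080/
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def find_userinfo_urls(text):
    """Return one finding per http(s) URL whose authority contains userinfo."""
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)!?")  # drop sentence punctuation stuck to the link
        try:
            parts = urlsplit(url)
        except ValueError:
            continue  # malformed authority, e.g. unbalanced IPv6 brackets
        # Only "@" inside the authority matters; "@" in a path or query is harmless.
        if "@" not in parts.netloc:
            continue
        # The host is whatever follows the last "@", which is where the browser goes.
        decoy = parts.netloc.rpartition("@")[0]
        findings.append({"url": url, "decoy": decoy, "real_host": parts.hostname})
    return findings


if __name__ == "__main__":
    for f in find_userinfo_urls(SAMPLE_EMAIL):
        print(f"{f['real_host']}  (text before '@': {f['decoy']!r})  {f['url']}")
```

Legitimate mail rarely embeds credentials in links, so a hit is a reasonable signal to quarantine the message or rewrite the link to show only the real host.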