In a newly seen phishing campaign, malicious actors have exploited URL manipulation techniques to obfuscate their malicious links, compromising businesses and individuals worldwide.
Check Point researchers identified a whopping 200,000 phishing emails abusing URL information to hide phishing links, with the first instance recorded on 21 January. The campaign is still active but has shown a gradual decline in the volume of daily threats.
Who’s in the Crosshairs?
The US has been the favored target of these attacks, making up three-quarters (75%) of the email distribution. EMEA region follows with 17%, and Canada has 5% of the total attack volume.
Unlike previous phishing campaigns targeting specific industries, this one appears indiscriminate, putting enterprises across multiple sectors at risk.
Sophisticated URL Manipulation
The malefactors use sophisticated URL manipulation techniques in standard phishing emails—such as fake invoices, payment receipts, and account activation notices—to fool recipients. Their main tactic sees them exploiting the “user info” section of a web address, the segment between “http://” and the “@” symbol (such as https://username:password@example.com).
Because browsers and web servers ignore this section when resolving the link, bad actors insert misleading information before the “@” symbol in an attempt to conceal the true destination of the link.
To enhance their deception, attackers also leverage a slew of obfuscation techniques, including:
- URL-encoding with multiple characters.
- Redirecting through seemingly legitimate websites.
- Placing the actual malicious URL immediately after the “@” symbol.
- Auto-populating phishing login forms with victims’ email addresses.
Victims who click on these links are redirected to a carefully crafted Microsoft 365 phishing site. To add another layer of apparent legitimacy, the attackers have integrated CAPTCHA verification, a social engineering trick that relies on users’ trust in these security mechanisms.
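To make the “user info” trick concrete, here is an added example (not code from the original article or from Check Point) that inspects a link the way a mail filter or analyst would: it peels away layered percent-encoding, then separates the lure text before the “@” from the host the browser would actually contact. The sample links are constructed for illustration and are not indicators from the campaign.

```python
from urllib.parse import urlsplit, unquote

def decode_layers(url: str, max_rounds: int = 5) -> str:
    """Strip repeated percent-encoding (e.g. %2540 -> %40 -> @) until stable.
    This is for analysis only; a browser does not decode the host this way."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def inspect_url(url: str) -> dict:
    """Report the host a browser would contact and any userinfo lure in front of it."""
    decoded = decode_layers(url)
    parts = urlsplit(decoded)
    report = {
        "decoded": decoded,
        "real_host": parts.hostname,      # what actually gets resolved and connected to
        "userinfo": None,                 # text before '@', ignored by the destination
        "lure_looks_like_domain": False,  # userinfo shaped like a brand hostname
        "suspicious": False,
    }
    if "@" in parts.netloc:
        userinfo = parts.netloc.rsplit("@", 1)[0]
        report["userinfo"] = userinfo
        report["suspicious"] = True
        report["lure_looks_like_domain"] = "." in userinfo.split(":", 1)[0]
    return report

# Constructed sample links (not from the campaign) covering the tricks described above.
SAMPLES = [
    "https://mail.example.com/login",
    "https://login.microsoftonline.com@phish.example/verify",
    "https://accounts.example.com%2540phish.example/?user=victim%40corp.example",
]

if __name__ == "__main__":
    for link in SAMPLES:
        r = inspect_url(link)
        print(f"{link}\n  real host: {r['real_host']}  userinfo: {r['userinfo']}"
              f"  suspicious: {r['suspicious']}")
```

Any link whose real host differs from the domain a reader sees in the userinfo portion is worth blocking or quarantining outright, since legitimate mail almost never carries credentials in a URL.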
This campaign illustrates how phishing attacks are growing more sophisticated each day. Even with security awareness training, most email users would find this deception hard to spot.
Traditional URL inspection methods are not working against these evolving scourges, increasing the risk of credential theft across entities in every sector.
An Ounce of Prevention
Security experts recommend several measures to protect against these campaigns:
- Update Redirection Rules: Enterprises should enforce strict rules on site and application redirections to stop abuse.
- Regular Patching: Keeping all software, including email clients and web browsers, up to date limits vulnerabilities for attackers to exploit.
- Implement Advanced Email Security: Using AI and machine learning-driven email security solutions can help pinpoint and block cunning phishing attempts.
What Lies Ahead?
Security practitioners should look at this campaign as a clear sign of evolving phishing threats and should transition from user-dependent security tools to automated, AI-driven threat prevention systems.
Also, businesses should consider reassessing traditional email authentication frameworks, potentially enhancing protections beyond SPF, DKIM, and DMARC protocols.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.