Comments On Phishing Attacks Using Google’s URL Decoding

According to researchers, threat actors are using Google’s URL decoding of non-ASCII URL data for URL encoding-enabled phishing attacks that hide the destination of malicious email links and bypass secure email gateways.

Expert Comments

September 27, 2019
Laurence Pitt
Global Security Strategy Director
Juniper Networks
Phishing is a revenue generation engine, and since email gateways have become more aware of phishing content by using cloud intelligence, IP and website reputation (or even attachment scanning), it means that much of the phishing content is either rejected or pushed straight to SPAM/JUNK folders. So we had to expect that it would get more intelligent, in an attempt to evade perimeter security. This attack method is not new. It is similar to more basic attacks that surround a URL with HTTP codes to obfuscate it. It’s phishing content that’s hiding in plain sight and relying on users to see a jumble of letters so that they just click. We will see gateways adapt to block this type of content, but until that’s commonplace, it’s imperative to educate users to watch for this. My advice is to never actually click a link in an email – simple as that. If you get an email asking to validate credentials, confirm an order or check a process then manually go to the website, manually log in and perform the process that way. This may mean that you log in to a site for no reason at all, but it also ensures that if it is a phishing attempt, you do not give away personal or business information.
September 27, 2019
Mounir Hahad
Head
Juniper Threat Labs, Juniper Networks
Email gateways have matured enough to perform dynamic content inspection: a URL in an email link is scanned at the time of receipt of the email, then rewritten to go through the email security provider’s cloud for yet another inspection when the user clicks on it. The problem with any active scanning of URLs in emails is that the security vendor cannot trigger any downstream action. If the resulting page asks for acceptance of usage terms, the security solution cannot click to accept for you and, therefore, it is blind to what page lies behind this gate. This phishing technique attempts to create such a gate using a Google standard redirect notification. I suspect this is safe enough for email security gateways to recognize and bypass very soon.
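An added example, not part of the article or the experts' comments: a sketch of how a mail filter could undo the URL encoding described at the top of this page before judging a link, by decoding every layer and comparing the host the reader sees with the destination carried in the query string. The redirector layout, host names, layer cap and ratio threshold are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

MAX_ROUNDS = 5          # assumed cap on nested encoding layers
RATIO_THRESHOLD = 0.3   # assumed cut-off; tune against real mail flow

def fully_decode(value, max_rounds=MAX_ROUNDS):
    """Percent-decode repeatedly until stable; return (text, layers)."""
    layers = 0
    while layers < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return value, layers

def encoded_ratio(url):
    """Fraction of the raw link that consists of %XX escapes."""
    return 3 * len(re.findall(r"%[0-9A-Fa-f]{2}", url)) / max(len(url), 1)

def inspect_link(url):
    """Report the visible host and any destination hidden in the query."""
    parts = urlsplit(url)
    hidden, layers = [], 0
    for pair in parts.query.split("&"):
        _, _, raw = pair.partition("=")      # raw value, still encoded
        text, n = fully_decode(raw)
        try:
            inner = urlsplit(text)
        except ValueError:                   # malformed nested value
            continue
        if inner.scheme in ("http", "https") and inner.hostname:
            hidden.append(inner.hostname)
            layers = max(layers, n)
    ratio = encoded_ratio(url)
    return {
        "visible_host": parts.hostname,
        "hidden_hosts": hidden,
        "layers": layers,
        "ratio": ratio,
        # Flag links whose destination is escaped far more than a URL needs.
        "suspicious": bool(hidden) and (layers > 1 or ratio >= RATIO_THRESHOLD),
    }

def escape_all(text):
    """Build constructed test input: every byte written as a %XX escape."""
    return "".join("%%%02X" % b for b in text.encode())

# Constructed samples using reserved .example/.test names, not real links.
HIDDEN = "https://redirector.example/url?q=" + escape_all("https://login.attacker.test/reset")
BENIGN = "https://shop.example/search?q=red%20shoes"

if __name__ == "__main__":
    for link in (HIDDEN, BENIGN):
        print(inspect_link(link))
```

The flag only says that a link hides its destination; the decoded host still has to go through the gateway's normal reputation checks.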