Researchers have identified a never-before-seen method for sneaking malicious links into email inboxes. A novel form of phishing takes advantage of a disparity between how browsers and email inboxes read web domains.
According to a Monday report by Perception Point, the clever trick takes advantage of a critical difference in how email inboxes and browsers read URLs.
The attacker placed an “@” symbol in the middle of an otherwise ordinary link. Security filters mistakenly interpreted it as a comment, while browsers correctly interpreted the text after it as a genuine web domain. As a result, the phishing emails skirted security, but when targets clicked the link, they were taken to a fraudulent landing page.
An Unsuccessful Phishing Attempt
On May 2, Perception Point published an alert from its incident response (IR) team about a maliciously designed phishing email seeking to pass itself off as a Microsoft notification. “You have new 5 held messages,” it read, directing the recipient to follow a “Personal Portal” hyperlink.
The link leads to a website that appears to be an Outlook login screen. The hacker’s design choices were once again poor: the domain name of this purported Outlook page was “storageapi.fleek.co,” followed by a long string of random characters. In theory, if a user had missed all of these warning signs and entered their Microsoft credentials, those credentials would have been sent to the attacker.
So how did such a low-effort phishing attempt get past email security filters, which are trained to spot far more sophisticated frauds? The answer was in the email link.
A bit of background on links
Stop for a second and open up a new browser window. In the address bar, enter “https://” followed by whatever string of characters you wish. Then type an @ symbol before the web domain you want (for example, https://en.wikipedia.org/).
Depending on what browser you’re using, that text before the @ will either return an error message or disappear without a trace. Why?
If you’re using a browser that supports this functionality, the browser will immediately send authentication data to the website you want to visit. The syntax is as follows:
This feature, known as domain wildcarding, lets you set a parameter that causes the browser to look for any appearance or content in a domain. Browsers that support it interpret the string preceding the @ sign as login credentials; browsers that don’t simply ignore that string and act on whatever comes after it. Either way, the domain after the @ sign is where you end up. In January, Microsoft removed this function from Internet Explorer because hackers could use it to disguise harmful sites as legitimate ones.
For example, the following URL appears to open http://www[.]wikipedia[.]org but in reality opens http://example.com:
Used in the browser’s address bar, then, the link works as intended. The same link can be embedded in an HTML email message sent to the target’s inbox. The @ sign at the start and end of the link tells e-mail applications that it’s an HTML document.
It is well known that e-mail security systems overlook an @ sign in the text of an email, and the character has been used legitimately on numerous occasions, for example to address user information within the message body. As a result, according to many findings, most e-mail detection technologies cannot identify this address as a URL and instead interpret it as a comment.
The @ symbol is a cover: it’s a comment to an e-mail security filter, but underneath it’s a regular old malicious link.
Although this particular campaign failed, the technique is so straightforward to execute that it has a good chance of catching on rapidly; as a proof of concept, at least, it showed promise. Security teams need to update their detection engines to double-check URL structure whenever the @ character appears, so that the method is identified and does not slip past security systems.
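As an added illustration, not part of Perception Point’s report, the following Python contrasts what a parser that stops at the first “@” reports as the host with what a browser actually connects to (per the standard library’s `urllib.parse`), and implements the structural check recommended above over an email body. The message text and host names are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample email body (hypothetical hosts, not the campaign's own).
SAMPLE_BODY = """You have 5 new held messages.
Open your Personal Portal: http://login.microsoft.example@phish.example/portal?id=1
Contact us at support@company.example for help."""

# A naive link scanner that stops at the first '@', mirroring a filter that
# reads the text before '@' as the host (or as a mailbox) and never sees the
# real destination.
NAIVE_LINK = re.compile(r"https?://([^/@\s]+)")


def naive_host(url):
    """Host as reported by a scanner that stops at the first '@'."""
    m = NAIVE_LINK.match(url)
    return m.group(1) if m else None


def browser_host(url):
    """Host a browser actually connects to: the part after any userinfo."""
    return urlsplit(url).hostname


def find_userinfo_links(text):
    """Return (url, text_before_at, real_host) for every http(s) link whose
    authority carries userinfo (an '@' before the host). Plain mailbox
    addresses without a scheme are not links and are not reported."""
    hits = []
    for url in re.findall(r"https?://\S+", text):
        parts = urlsplit(url)
        if parts.username is not None:  # an '@' is present in the authority
            hits.append((url, parts.username, parts.hostname))
    return hits


if __name__ == "__main__":
    for url, shown, real in find_userinfo_links(SAMPLE_BODY):
        print(f"suspicious link: {url}\n  looks like: {shown}\n  goes to:    {real}")
```

A filter that records `browser_host` rather than `naive_host` for every link, and additionally flags any link where the two differ, catches this pattern regardless of what precedes the “@”.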