A new phishing attack that makes malicious messages more likely to get through filters and harder for the average person to detect by sight. By hiding phishing information in the prefixes of URLs, attackers can send what looks like a link to a legitimate website, free of misspellings and all, with a malicious address hidden in the prefix of the link.

Email gateways aren’t configured to detect these kinds of attacks because they don’t fit known bad criteria. The volume of attacks using malformed URL prefixes increased by 5,933%. 

Prefixes are a fundamental part of URLs, and encompass the web protocol that the link will be used to connect, such as HTTP, HTTPS, FTP, and others. Typically, a prefix ends with a colon and two forward slashes (e.g., http://). In the case of this new trick, attackers are dropping the second forward slash in favor of a backslash (e.g., http:/\), and then stuffing a malicious URL into the prefix before putting in the legitimate domain name, which is treated as additional subdirectories of the malicious page perfect for crafting a phishing website. 

“Browsers are forgiving and assume you meant to do ‘//’ when you accidentally type ‘/\’ , so they ‘fix’ it for you and automatically convert it to http:// which takes you to the destination,” targets O365 mainly.

The malformed URL prefix attack has started using new tactics, such as:

  • Spoofing display names to fool users into thinking the email is internal,
  • Using unknown domains and senders to trick filters that look for known-bad actors,
  • Payloads containing links using open redirector domains, 
  • Urgent messages intended to trick users into rushing into a mistake.

While this new attack is tricky and hard for users to detect, there’s a relatively simple solution: Set email filtering to look for “http:/\” and remove all matches. While this may lead to false positives if someone makes a typo, an occasional mistake is worth having to resend a message when its individual and organizational security are on the line.