Security researchers have discovered 200,000 phishing emails that abuse the URL userinfo field to disguise phishing links. The campaign was first observed on January 21, 2025, and is still ongoing, although the daily volume is decreasing.
The cybercriminals behind this campaign aim to reach as many organizations and individuals as possible. They do not appear to focus on specific industries, so companies of every kind could be affected unless they have an advanced email security solution in place.
Because the mechanics of this campaign are quite sophisticated, most email users may not recognize the threat despite security awareness training. As a result, companies are exposed to the risk of credential theft.
How the attack works
The perpetrators apply sophisticated URL manipulation techniques in otherwise standard phishing emails, such as fake invoices or tickets, payment receipts, subscription renewals, or account activation notifications. Their main deception method exploits the "userinfo" part of web addresses – the segment between the scheme ("http://" or "https://") and the "@" symbol (e.g., https[:]//username[:]password@example[.]com).
Since most web servers ignore this field, and browsers treat whatever follows the last "@" as the real destination host, attackers can place misleading text before the "@" symbol to make a malicious link look trustworthy. To further strengthen the deception, attackers combine several techniques:
- Multiple layers of URL (percent) encoding.
- Redirection through the redirect functions of seemingly legitimate websites.
- Placing the actual malicious URL immediately after the "@" symbol.
- Encrypting victims' email addresses in the link so that the fake registration forms are filled in automatically.
The final payload delivers a carefully crafted phishing page that mimics Microsoft 365, complete with a CAPTCHA implementation—a social engineering trick that exploits users' learned trust in security mechanisms like CAPTCHA, designed to distinguish authentic users from bots. This sophisticated interplay of technical deception and psychological manipulation demonstrates why traditional URL verification training is increasingly insufficient against modern phishing campaigns.
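To make the parsing behaviour described above concrete, here is an added example (written for this article, not code from Check Point or from the campaign report) that inspects a link the way a mail filter might: it takes the host a browser would really contact (the text after the last "@"), flags userinfo that imitates a hostname or carries percent-encoding, follows redirect parameters through repeated encoding layers, and recognises a base64-encoded e-mail address used to pre-fill a form. The sample links, hostnames and query values are constructed for the example and are not indicators from the campaign.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlsplit

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample links in the shape the article describes; the hosts
# and query values are invented for this example, not real indicators.
SAMPLE_LINKS = [
    "https://login.microsoft.com%2Fsignin@evil-example.test/path?email=dXNlckBleGFtcGxlLmNvbQ==",
    "https://www.example.com/news/article",
    "https://trusted-redirect.example/go?url=https%3A%2F%2Flogin.microsoft.com%40evil-example.test%2F",
]


def fully_decode(value, max_rounds=5):
    """Strip repeated layers of percent-encoding (bounded, so a pathological
    input cannot loop forever)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_encoded_email(value):
    """True when a query value is base64 text that decodes to an e-mail address."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return False
    return bool(EMAIL_RE.match(text))


def analyze_url(url, depth=0):
    """Return the host a browser would really contact plus a list of findings.

    The URL is parsed as received: browsers do NOT percent-decode before
    splitting the authority, so '%2F' inside the userinfo never becomes a path.
    """
    parts = urlsplit(url)
    findings = []
    netloc = parts.netloc
    if "@" in netloc:
        # Everything before the LAST '@' is userinfo; web servers ignore it.
        userinfo, _, host = netloc.rpartition("@")
        findings.append("userinfo_present")
        if "." in userinfo:
            findings.append("userinfo_mimics_hostname")
        if "%" in userinfo:
            findings.append("percent_encoded_userinfo")
    else:
        host = netloc
    if depth < 3:  # follow redirect chains, but only a few hops deep
        for key, values in parse_qs(parts.query).items():
            for value in values:
                inner = fully_decode(value)  # redirectors decode before redirecting
                if inner.lower().startswith(("http://", "https://")):
                    findings.append(f"redirect_param:{key}")
                    nested = analyze_url(inner, depth + 1)
                    findings.extend("via_redirect:" + f for f in nested["findings"])
                    host = nested["real_host"]  # the landing host is the inner URL's host
                elif looks_like_encoded_email(value):
                    findings.append(f"prefilled_email:{key}")
    return {"real_host": host.lower(), "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(analyze_url(link))
```

The design point is that the authority is split before any decoding: a naive "decode everything, then parse" filter would see `login.microsoft.com` as the host of the first sample link, which is exactly the misreading the attackers rely on. Decoding is applied only to query parameter values, where a redirecting site would apply it too.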
Recommendations for protection
- Update redirection rules: If a website or application performs redirects, security teams should ensure that the organization enforces strict rules on which destinations a redirect may lead to, following current best practices.
- Patch and update systems regularly: All software, including email clients and web browsers, should be kept up to date with the latest security patches. This prevents cybercriminals from exploiting vulnerabilities that can be used to launch phishing attacks.
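The first recommendation above, restricting where a redirect may lead, as an added example that is not part of the original article: a substring check (the weak form, shown for contrast) beside an allowlist-based check that rejects userinfo, scheme-relative, shorthand and header-injection inputs. The allowed hostnames and sample inputs are assumed values for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real deployment lists its own hostnames.
ALLOWED_HOSTS = frozenset({"app.example.com", "www.example.com"})
# Control characters (header injection) and backslash (browsers treat it as '/').
UNSAFE_CHARS = re.compile(r"[\x00-\x1f\x7f\\]")


def weak_redirect(target, fallback="/"):
    """'Before': accepts any value that merely contains an allowed hostname.
    A substring check is fooled by userinfo ('allowed@evil'), look-alike
    subdomains and anything else that embeds the allowed name."""
    return target if any(host in target for host in ALLOWED_HOSTS) else fallback


def safe_redirect(target, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """'After': permit only a site-relative path or an absolute http(s) URL
    whose real host (the part after the last '@') is on the allowlist."""
    if not target or UNSAFE_CHARS.search(target):
        return fallback
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Site-relative path: exactly one leading slash. '//host' and '///host'
        # are resolved by browsers as a different origin, so reject them.
        return target if target.startswith("/") and not target.startswith("//") else fallback
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return fallback  # javascript:, data:, or the 'https:/host' shorthand
    if "@" in parts.netloc or parts.hostname not in allowed_hosts:
        return fallback  # userinfo trick or foreign host
    return target


# Constructed inputs covering the common bypass shapes.
SAMPLE_TARGETS = [
    "/dashboard",
    "https://app.example.com/account",
    "https://app.example.com@evil.test/",
    "//evil.test/x",
    "///evil.test",
    "https:/evil.test",
    "javascript:alert(1)",
    "/\\evil.test",
    "https://app.example.com.evil.test/",
]

if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(f"{t!r:45} weak={weak_redirect(t)!r:45} safe={safe_redirect(t)!r}")
```

The check is deliberately a whitelist of outcomes rather than a blacklist of bad patterns: anything not provably a same-site path or an allowlisted absolute URL falls back to a safe default.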
About Check Point
Check Point Software Technologies GmbH (www.checkpoint.com/de) is a leading provider of cybersecurity solutions for public administrations and companies worldwide. Its solutions protect customers from cyberattacks with an industry-leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-level security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive "one point of control" security management system. Check Point protects over 100,000 businesses of all sizes.