Skip to content

New malformed URL phishing technique can make attacks harder to spot

Hackers are now sending messages that hide fake links in the HTTP prefix, bypassing email filters, says security firm GreatHorn.


Getty Images/iStockphoto

Email security company GreatHorn is warning of a new form of phishing attack that makes malicious messages more likely to get through filters and harder for the average person to detect by sight. By hiding phishing information in the prefixes of URLs, attackers can send what looks like a link to a legitimate website, free of misspellings and all, with a malicious address hidden in the prefix of the link.

More about cybersecurity

Email scanning programs, GreatHorn said in a blog post, aren’t configured to detect these kinds of attacks because they don’t fit known bad criteria. These attacks were first detected by GreatHorn in October 2020, and have rapidly become a serious threat: Between the first week of January 2021 and early February 2021, the volume of attacks using malformed URL prefixes increased by 5,933%. 

Prefixes are a fundamental part of URLs, and encompass the web protocol that the link will be used to connect, such as HTTP, HTTPS, FTP, and others. Typically, a prefix ends with a colon and two forward slashes (e.g., http://). In the case of this new trick, attackers are dropping the second forward slash in favor of a backslash (e.g., http:/\), and then stuffing a malicious URL into the prefix before putting in the legitimate domain name, which is treated as additional subdirectories of the malicious page—perfect for crafting a phishing website. 

SEE: Identity theft protection policy (TechRepublic Premium)

“Browsers are forgiving and assume you meant to do ‘//’ when you accidentally type ‘/\’ , so they ‘fix’ it for you and automatically convert it to http:// which takes you to the destination,” said GreatHorn CEO Kevin O’Brien. 

“Cybercriminals can land malicious links in email into an inbox, and when someone clicks on it or copy-pastes it, even though it is malformed according to the spec, the browser helpfully takes you there anyway,” O’Brien said.

GreatHorn said it has detected these types of malformed URL attacks across all kinds of organizations, but pharmaceuticals, lending, contracting and construction management, and telecommunications have been most hard hit. In addition, organizations running Office 365 have been targeted more frequently.  

The attack began in October with phishing attempts mimicking voicemail messages delivered through email, a tactic that has been common and successful for several years. Since then, GreatHorn said, the malformed URL prefix attack has started using new tactics, such as:

  • Spoofing display names to fool users into thinking the email is internal,
  • Using unknown domains and senders to trick filters that look for known-bad actors,
  • Payloads containing links using open redirector domains, 
  • Urgent messages intended to trick users into rushing into a mistake.

An example phishing email link included in the blog post demonstrates how a fake voicemail message email tricks users into handing over their Microsoft account credentials, complete with fake reCAPTCHA tests and auto-filled email addresses to lend the site more credibility. 

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

While this new attack is tricky and hard for users to detect, GreatHorn said there’s a relatively simple solution: Set email filtering to look for “http:/\” and remove all matches. While this may lead to false positives if someone makes a typo, an occasional mistake is worth having to resend a message when its individual and organizational security are on the line. 

Also see