Phishing Attacks Detected Using Malformed URL Prefix

A new phishing campaign has been detected that uses malformed URL prefixes to bypass email security solutions and fool individuals into disclosing their login credentials.

The novel tactic was identified by researchers at GreatHorn. Rather than use the standard URL prefixes HTTP:// or HTTPS://, the domain linked in the phishing email used HTTP:/\ (a forward slash followed by a backslash).

The researchers first identified this tactic being used in phishing attacks in October 2020. The number of phishing attacks using these malformed URL prefixes increased by 5,933 percent between the first week of January and the first week of February.

The campaigns identified by the researchers have targeted employees in a wide range of industry sectors, although companies in the pharmaceutical, lending, construction, and cable industries have been targeted more than others, especially companies that use Office 365.

The campaigns targeting Office 365 credentials direct email recipients to a Microsoft Office 365 login page that is almost identical to the genuine login page.

One of the campaigns identified by the researchers involved emails that appeared to be voicemail notifications and spoofed the targeted company’s internal email system to make the messages appear genuine.

The email included a link that the user had to click to play the message. The link first directed them to a URL with a reCAPTCHA security challenge, used to prevent security solutions from identifying the malicious URL. After completing that challenge, the user was redirected to the phishing page.

To help employees detect phishing scams, many businesses provide security awareness training and condition their employees to inspect URLs before disclosing any sensitive information. While employees are getting better at identifying misspellings and malicious domains, they may not recognize a malformed URL prefix, which is often not displayed in the browser. Many email security solutions also fail to inspect the URL prefix, so they would not identify the URL as malicious.

The researchers advise security teams to search their email environments for any email messages that contain URLs with the http:/\ prefix and delete the messages. Users of the GreatHorn Email Security platform will be automatically protected from phishing campaigns using this tactic.
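One way to run the search described above over exported messages, as an added example (not GreatHorn's code). It goes beyond the single http:/\ prefix and flags any http/https URL whose separator is not exactly `//`, and it decodes each MIME part first because a base64-encoded HTML body hides the prefix from a raw text search. The function names, the sample message and the `.test` domains are constructed for illustration.

```python
import html
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Scheme, then the run of slashes/backslashes after the colon, then the rest of the URL.
URL_RE = re.compile(r'\bhttps?:([/\\]+)[^\s"\'<>\\/][^\s"\'<>]*', re.IGNORECASE)

def find_malformed_prefix_urls(raw: bytes) -> list[str]:
    """Return URLs in a raw RFC 5322 message whose scheme separator is not '//'."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            body = part.get_content()  # undoes base64 / quoted-printable
        except (LookupError, UnicodeError):  # unknown or broken charset
            body = part.get_payload(decode=True).decode("utf-8", "replace")
        body = html.unescape(body)  # a backslash may be written as &#92;
        for m in URL_RE.finditer(body):
            if m.group(1) != "//" and m.group(0) not in hits:
                hits.append(m.group(0))
    return hits

def build_sample() -> bytes:
    """Constructed voicemail-style message: clean text part, base64 HTML part."""
    msg = EmailMessage()
    msg["From"] = "voicemail@corp.test"
    msg["To"] = "user@corp.test"
    msg["Subject"] = "New voicemail"
    msg.set_content("You have a new voicemail. Help: https://example.com/help\n")
    msg.add_alternative(
        '<a href="http:/\\login.example.test/voicemail">Play message</a>',
        subtype="html", cte="base64")
    return bytes(msg)

if __name__ == "__main__":
    sample = build_sample()
    print("prefix visible in raw bytes:", b"http:/\\" in sample)
    for url in find_malformed_prefix_urls(sample):
        print("malformed prefix:", url)
```
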

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of