Phishers regularly changes their tactics, techniques and procedures and create more convincing scams to trick employees into disclosing sensitive information or installing malware on their computers. One novel tactic that was first observed in the fall of 2020 involved the use of malformed URL prefixes. Over the following months, the number of emails sent with these atypical URL prefixes grew, and according to GreatHorn researchers, the volume of these messages increased by almost 6,000% in the first month of the year.

URLs start with either HTTP:// or HTTPS://, which are the standard URL protocols. While end users may check to see if the URL starts with HTTP or HTTPS to determine whether the connection to the website is encrypted, they may not notice or be overly concerned about what comes after the colon. That is also true of certain security solutions and browsers, which also do not check that part of the URL.

The new tactic sees one of the forward slashes swapped with a backslash, so HTTPS:// becomes HTTP:/\ and it is enough of a change to see phishing emails delivered to inboxes. This tactic has been combined with another tactic that reduces the chance of the link being identified as malicious. The URL linked in the emails directs the user to a web page that includes a reCAPTCHA security feature. This feature will be known to most internet users, as it is used by a great deal of websites and search engines to distinguish between real users and robots.

The challenge must be passed for a connection to the website to me made. Having this security feature helps to convince the visitor that they are arriving on a legitimate site, but it also stops security solutions from assessing the content of the site. If the user passes the reCAPTCHA challenge, they are then redirected to a different URL that hosts the phishing form.  That webpage very closely resembles the login prompt of Office 365 or Google Workspace, with this campaign mostly targeting Office 365 credentials.

Since this new tactic is now proving popular it is worthwhile incorporating this into your security awareness training sessions to make employees aware of the need to check the URL prefix, and also add a rule in SpamTitan to block these malformed URLs.