A novel form of phishing takes advantage of a disparity between how browsers and email inboxes read web domains.
Researchers have identified a never-before-seen method for sneaking malicious links into email inboxes.
The clever trick takes advantage of a key difference in how email inboxes and browsers read URLs, according to a Monday report by Perception Point.
The attacker crafted an unusual link with an “@” symbol in the middle. Ordinary email security filters interpreted the part before the “@” as a comment, while browsers interpreted the part after it as the legitimate destination domain. The phishing emails therefore passed through security, but when targets clicked the link inside, they were still directed to a fake landing page.
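As an added illustration (not code from Perception Point's report), the following Python compares what a browser resolves such a link to with what a simplistic extractor that stops at “@” sees, and flags links where the two disagree. The domains and message body are constructed placeholders.

```python
"""Added example, not part of the original article or the Perception Point
report. Shows the URL-parsing disparity behind the '@' trick and a check that
flags such links. All domains and the message body are constructed samples."""
import re
from urllib.parse import urlsplit

# Constructed sample link: the text before '@' looks like a trusted domain,
# but under RFC 3986 it is userinfo; the real host follows the '@'.
SAMPLE_URL = "https://login.microsoft.com@portal-update.example/account/held"

# Constructed sample email body containing that link.
SAMPLE_BODY = (
    "You have 5 new held messages.\n"
    f"Open your Personal Portal: {SAMPLE_URL}\n"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def browser_destination(url: str) -> str:
    """Host a browser-style (RFC 3986) parser connects to.
    Everything between '//' and the last '@' of the authority is userinfo."""
    return urlsplit(url).hostname or ""


def naive_domain(url: str) -> str:
    """Simplistic extractor of the kind the article describes: it reads
    hostname characters after the scheme and stops at the first '@'."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([A-Za-z0-9.-]+)", url)
    return m.group(1) if m else ""


def looks_suspicious(url: str) -> bool:
    """True when the link carries userinfo and the two parsers disagree
    about the destination, i.e. the '@' changes where the click lands."""
    parts = urlsplit(url)
    if parts.username is None:
        return False
    return browser_destination(url) != naive_domain(url)


def flag_links(body: str) -> list:
    """Return every link in an email body that the check considers suspicious."""
    return [u for u in URL_RE.findall(body) if looks_suspicious(u)]


if __name__ == "__main__":
    for link in flag_links(SAMPLE_BODY):
        print(f"naive: {naive_domain(link)}  browser: {browser_destination(link)}")
```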
A Lame Phishing Attempt
On May 2, Perception Point’s incident response (IR) team flagged a hastily designed phishing email trying to pass itself off as a Microsoft notice. “You have new 5 held messages,” it read, directing the recipient to follow a “Personal Portal” hyperlink.