Perception Point Detects New URL Detection Evasion Using Optional Userinfo Subcomponent

May 2022 by Marc Jacob

Over the past 24 hours, the incident response team at Perception Point, the Prevention-as-a-Service company combatting content-borne attacks across the web and communication channels, has uncovered a novel form of malicious URL detection evasion using the optional userinfo subcomponent.

This new evasion technique is based on URLs containing strings of lesser-used characters or unusual sequences which are inserted into emails. Because of the presence of these rarely-spotted symbols, email detection platforms do not identify these sequences as URLs, meaning that attackers are able to hide in plain sight and any email recipient could easily click on the text and be redirected to fictitious sites. Web browsers do recognize these links as URLs and will open them automatically, so email recipients can be caught out and unwittingly enter suspicious websites. In one of the cases found by Perception Point, a malicious URL led to a fake Microsoft log-in page.
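As an added example (not Perception Point's code), one way a mail filter can surface such links is to extract http(s) candidates permissively, parse them per RFC 3986, and report any whose authority carries a userinfo part (the text before "@"), together with the host a browser would actually contact. The function name, the regex and the sample message body are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Permissive candidate matcher: accept everything after the scheme up to
# whitespace, quotes or angle brackets, so unusual characters in front of
# "@" do not cut the match short.
CANDIDATE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def find_userinfo_urls(text):
    """Return findings for http(s) URLs whose authority has a userinfo part."""
    findings = []
    for match in CANDIDATE.finditer(text):
        # Drop sentence punctuation that trails the link in running text.
        raw = match.group(0).rstrip(".,;:!?)")
        try:
            parts = urlsplit(raw)
        except ValueError:
            # A malformed authority is itself worth an analyst's attention.
            findings.append({"url": raw, "userinfo": None, "host": None,
                             "reason": "unparseable"})
            continue
        # Only an "@" inside the authority counts; "@" in a path is harmless.
        if "@" not in parts.netloc:
            continue
        userinfo = parts.netloc.rpartition("@")[0]
        findings.append({"url": raw, "userinfo": userinfo,
                         "host": parts.hostname,  # where the browser connects
                         "reason": "userinfo-present"})
    return findings

# Constructed sample body using reserved example domains.
SAMPLE_BODY = (
    "Help centre: https://account.example.com/help\n"
    "Author page: https://blog.example.org/@editor\n"
    "Sign in here: https://accounts.example.com@portal.example.net/auth?id=1.\n"
)

if __name__ == "__main__":
    for finding in find_userinfo_urls(SAMPLE_BODY):
        print(finding)
```

A filter would typically compare the reported `host` against its reputation data rather than the text shown before the "@".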

URL detection evasion based on the optional userinfo subcomponent has the potential to evade existing anti-phishing tools and divert swathes of email users to malicious websites. Perception Point’s IR team instantly recognized this evasion tactic across multiple organizations, but the threat remains present and defensive measures must be taken immediately.