New Phishing Attack Identified: Malformed URL Prefixes


The offer in your email inbox from “”? Most people probably know not to click on that. (If there are people in your organization who don’t, forward them this blog post on identifying suspicious URLs.)

The latest tactic used by email phishing attackers doesn’t involve changing letters of the URL. In fact, it doesn’t change anything in the URL at all. This attack changes the symbols used in the prefix that goes before the URL.

The GreatHorn Threat Intelligence Team has identified a new email attack trend, where cybercriminals are able to bypass traditional URL defenses to attack end users. The URLs are malformed, not utilizing the normal URL protocols, such as http:// or https://. Instead, they use http:/\ in their URL prefix.

Cybercriminals understand what each URL component requires. All URLs can be broken into five (5) parts:

  1. Scheme: The Hypertext Transfer Protocol or HTTP (or could be ftp, mailto or git) to tell the web client how to access the resource. Also can be referred to as protocol.
  2. Host: The primary domain where the resource is hosted or located.
  3. Port: A number used only if another port is desired outside the default.
  4. Path: The local resource being requested (optional).
  5. Query String: Information applied to send data about that unique visitor to the server (optional).

Because the colon and two forward slashes have always been used in the standard URL format, most browsers automatically ignore this factor, using the scheme and subsequent components to take a user to the final destination. In fact, in an article published by BBC News, “Sir Tim Berners-Lee, the creator of the World Wide Web, has confessed that the // in a web address were actually ‘unnecessary’.”
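
A detection sketch for the prefix trick described above, added here as an illustration and not taken from GreatHorn's tooling: it shows a filter that only looks for `://` missing the malformed links, then flags any http(s) link whose separator is not exactly `//` and records the address a lenient browser would open. The function names, regexes and sample message are constructed for this example, and it generalizes from `http:/\` to any mix of slashes and backslashes after the scheme.

```python
import re

# Filter that only recognises the textbook "scheme://" form.
NAIVE_RE = re.compile(r'''https?://[^\s"'<>]+''')

# Scheme, colon, any run of slashes/backslashes, then the rest of the link.
PREFIX_RE = re.compile(
    r'''\b(https?):([/\\]+)([^\s"'<>/\\][^\s"'<>]*)''', re.IGNORECASE
)

def naive_links(text):
    """Links a '://'-only extractor would hand to URL reputation checks."""
    return NAIVE_RE.findall(text)

def scan(text):
    """Flag every http(s) link whose separator is not exactly '//'."""
    findings = []
    for m in PREFIX_RE.finditer(text):
        scheme, sep, rest = m.groups()
        if sep == "//":
            continue  # well-formed prefix, nothing to report
        # Browsers treat '\' as '/' in http(s) URLs and tolerate a short or
        # long slash run, so this is the address the user would land on.
        target = rest.replace("\\", "/")
        findings.append({
            "raw": m.group(0),
            "separator": sep,
            "normalized": scheme.lower() + "://" + target,
        })
    return findings

# Constructed sample message body (not from a real campaign).
SAMPLE_EMAIL = "\n".join([
    r"Your mailbox is full. Review it at http:/\login.example/verify today.",
    r"Help centre: https://www.example.com/help",
    r'Or reset here: <a href="HTTPS:\\portal.example/reset?id=1">reset</a>',
])

if __name__ == "__main__":
    print("naive extractor saw:", naive_links(SAMPLE_EMAIL))
    for f in scan(SAMPLE_EMAIL):
        print("malformed prefix", repr(f["separator"]), "->", f["normalized"])
```

Feeding the `normalized` value into the existing URL reputation or rewriting pipeline closes the gap; the malformed prefix itself is also a useful signal to quarantine on.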