For a few days, many phishing emails that landed into my mailbox contain strange URLs. They are classic emails asking you to open a document, verify your pending emails, \u2026<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260205-1.png?ssl=1\")
<\/p>\n
But the format of the URLs is broken! In a URL, parameters are extra pieces of information added after a question mark (?) to tell a website more details about a request; they are written as name=value pairs (for example \u201cemail=user@domain\u201d), and multiple parameters are separated by an ampersand (&).<\/p>\n
Here are some examples of detected URLs:<\/p>\n
\nhxxps:\/\/cooha0720[.]7407cyan[.]workers[.]dev\/?dC=handlers@isc[.]sans[.]edu&*(Df<\/span>\nhxxps:\/\/calcec7[.]61minimal[.]workers[.]dev\/?wia=handlers@isc[.]sans[.]edu&*(chgd<\/span>\nhxxps:\/\/couraol-02717[.]netlify[.]app\/?dP=handlers@isc[.]sans[.]edu&*(TemP<\/span>\nhxxps:\/\/shiny-lab-a6ef[.]tcvtxt[.]workers.dev\/?kpv=handlers@isc[.]sans[.]edu&*(lIi<\/span><\/pre>\nYou can see that the parameters are broken\u2026 \u201c&*(Df\u201d is invalid! It\u2019s not an issue for browsers that will just ignore these malformed parameters, so the malicious website will be visited.<\/p>\n
I did not see this for a while but it seems that the technique is back on stage. Threat actors implement this to break security controls. Many of them assume a \u201ckey=value” format. It may also break regex-based detectionn, URL normalization routines or IOC extraction pipelines\u2026<\/p>\n
Of course, we can track such URLs using a regex to extract the last param:<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260205-2.png?ssl=1\")
\u200b\u200b\u200b\u200b\u200b\u200b\u200b<\/p>\n
Xavier Mertens (@xme)
\nXameco
\nSenior ISC Handler – Freelance Cyber Security Consultant
\nPGP Key<\/a><\/p>\n (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n
\t
\n
<\/BR><\/p>\n