Newsletter Issue #155: Email Security Analysis Part II
Phishing continues to be one of the top methods of attacker initial access, as seen in Red Canary’s 2025 Threat Detection Report.
I wrote this post to go into what to look for as a user and how to spot these attempts before it’s too late.
This is a follow-up to a previous post on Email Security. Here we dive into phishing analysis and how to spot it as a user.
We’ll cover common tactics that have been successful, specifically around link and domain analysis.
TTPs
One tactic attackers use is including the victim’s email address as the value of a URL parameter, which makes the landing page appear more legitimate.
When the user navigates to the credential capture page, their email address appears already filled in, making the login page look like the real thing.
They do this either by deep linking or by using header refresh techniques, producing a custom URL for each target.
An unsuspecting user could find themselves following through and entering their credentials. Always be skeptical of this if you know you’re not logged in, or if the URL is not quite right.
On this note, another tactic is Typo-squatting.
Let’s go over the most common forms of typo-squatting.
Traditional Typo-squatting
Attackers register a domain name similar to a legitimate one. This impersonates the brand, and from there the attacker looks to drive traffic to it.
This can be done by adding a letter or removing one.
www.paypal[.]com
vs
www.paypall[.]com
The subtle addition of a letter can easily be missed by users.
TLD-Swap
TLD-swap typo-squatting is when attackers use a different top-level domain (TLD) to mimic the legitimate website. Made to look very similar, this can be deceiving.
For example:
Legitimate domain: www.fedex[.]com
vs
Malicious domain: www.fedex[.]cam
The same goes for a .co vs .ca TLD; you can see how this can catch some users.
Homograph Attack
This method takes advantage of the fact that some letters or characters from different character sets look exactly the same.
Otherwise known as a Punycode attack, this one’s particularly nasty, as it is virtually impossible for the human eye to tell the difference.
See MITRE CAPEC’s definition for this.
An example of this in the wild was a 2017 campaign impersonating Adobe to spread the Betabot backdoor.
www.adobe[.]com
vs
www.adoḅe[.]com (note the “b”)
As you can see, this can be really tough to tell apart.
Of course, there are ways users can defend themselves against phishing: mitigations anyone can take that result in meaningful risk reduction.
We’ll take a look at these after one more tactic.
URL Shortening
Attackers also use URL shortening services such as Bit.ly, TinyURL or Short.io to mask the true destination.
This obfuscation can trick users into clicking links from phishing campaigns.
Many email security solutions offer URL filtering or URL analysis at scale, but for an individual user the hidden destination can be just enough to get them to click a malicious link.
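As an added example (not from the original post), here is a small Python triage helper that applies the checks discussed above to a single URL: an email address smuggled into a query parameter, a one-character lookalike of a protected brand, a TLD swap, a diacritic homograph (Punycode labels are decoded first), and a known shortener. The brand list and shortener list are constructed for the example.

```python
import re
import unicodedata
from urllib.parse import parse_qs, urlparse
# Constructed for this example: protected brand label -> the TLD it legitimately uses.
PROTECTED = {"paypal": "com", "fedex": "com", "adobe": "com"}
# Shortening services named in the post; a real deployment would use a fuller list.
SHORTENERS = {"bit.ly", "tinyurl.com", "short.io"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion or deletion is the paypal vs paypall case."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def skeleton(label: str) -> str:
    """Strip diacritics so a homograph such as 'adoḅe' collapses to 'adobe'."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def analyze_url(url: str) -> list[str]:
    """Return the phishing indicators found in one URL (empty list = nothing flagged)."""
    findings = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").rstrip(".")
    if "xn--" in host:  # Punycode-encoded IDN: decode to the characters the user sees
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            findings.append("undecodable Punycode label")
    sld, tld = (["", ""] + host.split("."))[-2:]  # registrable label and its TLD
    if f"{sld}.{tld}" in SHORTENERS:
        findings.append("URL shortener hides destination")
    if any(ord(c) > 127 for c in sld):
        findings.append("non-ASCII characters in domain label")
    if any(EMAIL_RE.match(v) for vs in parse_qs(parsed.query).values() for v in vs):
        findings.append("email address in URL parameter")
    skel = skeleton(sld)
    for brand, good_tld in PROTECTED.items():
        if skel == brand and sld != brand:
            findings.append(f"homograph of {brand}")
        elif skel == brand and tld != good_tld:
            findings.append(f"TLD swap for {brand} (.{tld})")
        elif skel != brand and levenshtein(skel, brand) == 1:
            findings.append(f"one-character lookalike of {brand}")
    return findings
```

On the post’s own examples it flags www.paypall[.]com, www.fedex[.]cam and www.adoḅe[.]com while leaving the legitimate domains clean.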
Mitigations
Access important sites from bookmarks
If you type it in, your browser cache should lead you to the previously visited website
Modern browsers give “some” warnings on impersonation sites
Don’t click a link you weren't expecting in an email or text message, even if it appears to come from a trusted company
Opt for Phishing-resistant MFA (FIDO) whenever supported
What I Read This Week
Oracle Health breach compromises patient data at US hospitals
This is not to be confused with earlier claims of a breach of Oracle Cloud's SSO servers, although both incidents are lacking in formal notification.
Phishing-as-a-service operation uses DNS-over-HTTPS for evasion
This Phishing-as-a-service (PhaaS) variant attempts to identify the victim’s email provider and then emulates that provider’s login page for the victim.
DPRK IT Workers Expanding in Scope and Scale
This trend continues. Still crazy to think their only true objective is getting US dollars into the North Korean regime.
Wrapping Up
We went over how malicious URLs are a common vector for delivering phishing campaigns and malware, and phishing remains a top threat.
Techniques such as subdomain spoofing, lookalike typo-squat domains and URL shortening are just some of the many ways attackers attempt to target users.
But an empowered user can be the best defense.
See you in the next one.