RFC 1738 https://www.rfc-editor.org/rfc/rfc1738 written in 1994 specifically states that No user name or password is allowed.

The user name is defined as the text prior to the @ sign.

When a browser interprets a URL with the username section populated (anything before the @ sign) is discarded, and request will be send to the server following the @ sign.

In other words; threat actors can obfuscation a phishing link by appending the bad link to a legit domain name.

In this example: https://www.ibm.com@microsoft.com; uninformed user will think he/she is going to IBM, but the web browser will resolved to Microsoft instead.

Our suggestion to fellow Cyber Defenders is to have a rule in your SIEM to look for Web.dest=”*@*”. This could be noisy so a lot of fine tuning maybe required.