RFC 1738 Uniform Resource Locators (URL)
@ducklah
RFC 1738 (https://www.rfc-editor.org/rfc/rfc1738), written in 1994, specifically states that "No user name or password is allowed."
The user name is defined as the text prior to the @ sign.
When a browser interprets a URL with the username section populated, anything before the @ sign is discarded, and the request is sent to the server following the @ sign.
In other words, threat actors can obfuscate a phishing link by appending the bad link to a legit domain name.
In this example, https://www.ibm.com@microsoft.com, an uninformed user will think he/she is going to IBM, but the web browser will resolve to Microsoft instead.
Our suggestion to fellow Cyber Defenders is to have a rule in your SIEM to look for Web.dest="*@*". This could be noisy, so a lot of fine tuning may be required.
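Added example, not from the original page: one way to cut the noise of a bare "*@*" wildcard is to parse each logged URL and flag an @ only when it sits in the authority part, ranking userinfo that is itself shaped like a hostname first. The function names, verdict labels and sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Userinfo that is itself shaped like a hostname, e.g. "www.ibm.com".
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
HAS_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

# Constructed sample values, standing in for a proxy log's URL field.
SAMPLE = [
    "https://www.ibm.com@microsoft.com",             # the page's example
    "www.ibm.com@microsoft.com/login",               # logged without a scheme
    "https://svc-account:token@example.net/api",     # credentials in the URL
    "https://example.com/users/@alice",              # '@' in the path
    "https://example.com/search?q=bob@example.org",  # '@' in the query
]


def classify(url):
    """Return (verdict, real_host); verdict is None when there is no userinfo."""
    # Give scheme-less values an authority so urlsplit can find the '@'.
    candidate = url if HAS_SCHEME.match(url) else "//" + url
    try:
        parts = urlsplit(candidate)
    except ValueError:               # e.g. malformed IPv6 brackets
        return ("unparseable", None)
    if parts.username is None:
        return (None, parts.hostname)   # '@' absent, or only in path/query
    if HOSTLIKE.match(unquote(parts.username)):
        return ("host_like_userinfo", parts.hostname)
    return ("userinfo", parts.hostname)


def triage(urls):
    """Keep flagged URLs only, host-like userinfo first."""
    order = {"host_like_userinfo": 0, "userinfo": 1, "unparseable": 2}
    hits = [(classify(u), u) for u in urls]
    hits = [(v, host, u) for (v, host), u in hits if v is not None]
    return sorted(hits, key=lambda h: order[h[0]])


if __name__ == "__main__":
    for verdict, host, url in triage(SAMPLE):
        print(f"{verdict:20} real_host={host} url={url}")
```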