Digital criminals used percent-encoding in URLs to help their phishing campaign evade detection by secure email gateways.

In mid-September, the Cofense Phishing Defense Center came across a phishing email that originated from a compromised email account for a recognizable American brand. The message informed recipients that they had a new invoice awaiting payment. Under that pretense, the email instructed recipients to click on an embedded “View Invoice” hyperlink button.

At first glance, the domain for the hyperlink button appears to be google.lv, the home page for Google Latvia. It therefore doesn’t raise red flags with many perimeter security tools. But a closer look reveals that the hyperlink employs “hxxps://google.lv/url?q=,” which tells Google to query a specific URL or string. In this case, the string is URL-encoded: its ASCII characters are each replaced with a “%” symbol followed by two hexadecimal digits.
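As an added example (not code from Cofense or the original article), the Python below shows how a mail-filtering step could recover the real destination hidden in such a link and count escapes that serve no purpose. The function names, the needless-escape count, and the sample link pointing at `example.invalid` are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Percent-escapes of unreserved characters (letters, digits, "-._~") are never
# required by RFC 3986, so a value full of them is a signal worth flagging.
_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
_UNRESERVED = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")

def inspect_redirect(url, param="q", max_rounds=5):
    """Return (decoded_target, needless_escapes) for a /url?q= style link,
    or None when the link has no such parameter."""
    parts = urlsplit(url)
    if parts.path != "/url":
        return None
    raw = None
    # Split the query by hand: parse_qs would decode and hide the raw escapes.
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        if name == param:
            raw = value
            break
    if raw is None:
        return None
    needless = sum(1 for h in _ESCAPE.findall(raw) if int(h, 16) in _UNRESERVED)
    decoded = raw
    for _ in range(max_rounds):  # bounded loop also unwraps double encoding
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded, needless

def percent_encode_all(text):
    """Encode every byte as %XX, used only to build the constructed sample."""
    return "".join(f"%{b:02X}" for b in text.encode("ascii"))

# Constructed sample; example.invalid is a reserved placeholder domain.
SAMPLE_TARGET = "https://example.invalid/invoice"
SAMPLE_LINK = "https://google.lv/url?q=" + percent_encode_all(SAMPLE_TARGET)

if __name__ == "__main__":
    target, needless = inspect_redirect(SAMPLE_LINK)
    print(SAMPLE_LINK)
    print("decoded target:", target, "| needless escapes:", needless)
```

A gateway that evaluates the decoded target rather than the visible google.lv host can apply its reputation checks to the domain the recipient would actually reach.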