{
	"id": "7201c432-71a8-4391-8de9-e1c6ff9b2754",
	"created_at": "2026-04-06T00:22:37.648706Z",
	"updated_at": "2026-04-10T13:12:55.9905Z",
	"deleted_at": null,
	"sha1_hash": "a3af90e2fd95547c759babfd671bff8a4b4d4366",
	"title": "Don't @ Me: URL Obfuscation Through Schema Abuse | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 530077,
	"plain_text": "Don't @ Me: URL Obfuscation Through Schema Abuse | Mandiant\r\nBy Mandiant\r\nPublished: 2023-05-22 · Archived: 2026-04-05 15:39:19 UTC\r\nWritten by: Nick Simonian\r\nA technique is being used in the distribution of multiple families of malware that obfuscates the end destination of a URL by\r\nabusing the URL schema. Mandiant tracks this adversary methodology as \"URL Schema Obfuscation”. The technique could\r\nincrease the likelihood of a successful phishing attack, and could cause domain extraction errors in logging or security\r\ntooling. If a network defense tool is relying on knowing the server a URL is pointing to (e.g. checking if a domain is on a\r\nthreat intel feed), it could potentially bypass it and cause gaps in visibility and coverage. Common URL parsing logic will\r\nfail when encountering this technique, resulting in the loss of visibility into threat campaigns and actor infrastructure.\r\nNetwork defenders should check if URLs abusing the schema to obfuscate the destination cause any failures in logging,\r\nvisibility, or security tooling.\r\nInitial Lead\r\nA tweet by @ankit_anubhav was observed describing a technique being used by SMOKELOADER to obfuscate URL\r\ndestinations. Mandiant’s investigation into this technique discovered multiple other formats of the obfuscation being used to\r\ndistribute a multitude of malware variants.\r\nIn their tweet, they use the URL \" hxxp://google.com@1157586937 ” as an example that ends up opening a Rick Roll video.\r\nWhile the destination is upsetting, this tweet shows two obfuscation techniques being used simultaneously:\r\nThe usage of an \"@” sign to obscure the destination server\r\nThe usage of alternative hostname formats to obscure the destination IP address\r\nThe \"@” Sign\r\nTo start, it helps to understand how a URL is structured and parsed by browsers when clicked.\r\nRFC1738 documents the structure for URLs. 
In section 3.1 (Common Internet Scheme Syntax), it lays out the basic\r\nstructure for all URLs:\r\n\u003cscheme\u003e//\u003cuser\u003e:\u003cpassword\u003e@\u003chost\u003e:\u003cport\u003e/\u003curl-path\u003e\r\nIn section 3.3 (HTTP), it states that the format for an HTTP URL follows the structure of:\r\nhttp://\u003chost\u003e:\u003cport\u003e/\u003cpath\u003e?\u003csearchpart\u003e\r\nThe RFC specifically states that \"No user name or password is allowed.” The user name is defined as the text prior to the\r\n\"@” sign. When a browser interprets a URL with the username section populated (anything before the \"@” sign), it discards\r\nit, and sends the request to the server following the \"@” sign.\r\nComparing it with the URL in the tweet shows that the \"google.com” section of the URL is being treated as a username.\r\nThis can be modified as needed to better trick victims to click a link in spear phishing campaigns. For example, it could be\r\nreplaced with the target email address domain and become much more effective.\r\nhttps://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse\r\nPage 1 of 7\n\nAlternative Hostname Formats\r\nIn the example, the digits \"1157586937” are being treated as the host. However, it’s very uncommon for a server IP address\r\nto be depicted as an integer. This is the second level of obfuscation.\r\nA dotted-quad IP address is a common representation of an IPv4 address, consisting of four decimal numbers separated by\r\ndots, with each decimal number representing 8 bits of the IP address. For example, the IP address 1.2.3.4 can be represented\r\nas the binary number 00000001.00000010.00000011.00000100.\r\nThis binary representation of an IP address can then be converted to a single integer by treating it as a single, large binary\r\nnumber and converting it to decimal. 
For example, the binary number 00000001.00000010.00000011.00000100 becomes\r\nthe decimal number 16909060.\r\nFigure 1: Showing how the IP 1.2.3.4 translates to a decimal representation\r\nBrowsers do this conversion automatically. Single-integer representations are not the only alternative format that can be used:\r\nHexadecimal can also be put into a dotted-quad format:\r\nhxxp://google.com@0xC0.0xA8.0x0.0x1\r\nOctal is also possible:\r\nhxxp://google.com@0300.0250.0000.0001\r\nThey can also be mixed to create a truly confusing destination:\r\nhxxp://google.com@0xc0.168.0x0.1\r\nDomains can also be used, which can be made to look like legitimate destinations:\r\nhxxp://legit.banking.site.com@loginportal.onlinebanking.orly/loginPortal.php\r\nThere are publicly-available tools that can do this level of obfuscation. IPFuscator by Vincent Yiu, for example, generates\r\nmultiple variations including mixed-type and padded values.\r\nIn The Wild\r\nVirusTotal shows usage dating back to at least February 2022. The continuing use of URL Schema Obfuscation is likely\r\nbecause it’s working for the attackers, either by decreasing detections by security tooling, or increasing the likelihood a\r\nvictim clicks the link.\r\nOftentimes, the URL is used to download additional malware for execution. The downloaded files have been seen exploiting multiple\r\nvulnerabilities to gain code execution on the victim. Most prevalently, CVE-2017-0199 usage has been detected in multiple\r\ndownloaded documents, along with CVE-2017-11882. A wide range of commodity malware families have been seen using\r\nthis technique to gain execution, including LOKIBOT, MATIEX, FORMBOOK, and AGENTTESLA.\r\nExample of Recent Abuse\r\nIn February 2023, a component file of a Microsoft Word document was discovered using a YARA rule (see Appendix 1) in a\r\nVirusTotal Retrohunt. 
The attack chain had multiple stages, utilizing a template injection attack and an exploit, and dropping\r\nAGENTTESLA, which exfiltrated data via an encrypted Telegram channel.\r\nFilename PO.docx\r\nMD5 291f6887bdaf248c7f0cdc9e2c9515cb\r\nSHA-256 7dcbd34116b44f88962e2de72a92849304804fa5141513a35a023f5ab510b3bf\r\nPO.docx was first seen on VirusTotal on February 6, 2023. It contains a template injection technique that runs when the\r\ndocument is opened, requesting the next stage of malware. If the document is decompressed, the next stage of the infection\r\nchain can be seen inside the webSettings.xml.rels file:\r\nFigure 2: webSettings.xml.rels file\r\nThis downloads and opens the obfuscated URL:\r\nhxxp://dgdf000000ghfjfgh000000fghfghg0000000fhfghfg000000sdgfggdf00000gdfge00000rtdfgdf00000gdfg@647601465/56.do\r\nThis URL, when deobfuscated, is hxxp://38.153.157.57/56.doc. The template injection results in the following network\r\nrequest being made from Microsoft Word. Note the obfuscation isn’t present in network traffic; the username field has been\r\nstripped out, and the integer representation of the IP address has been changed to the dotted-quad format.\r\nFilename 56.doc\r\nMD5 fd3ef9f75b0be31f0a482f60a387cb76\r\nSHA-256 1b93a3abb08c33bea46795890d311a201daa56080c4c14eda338eea19a4b4625\r\nThe downloaded document, 56.doc, was first seen on VirusTotal on February 6, 2023, the same day as PO.docx. 56.doc is an\r\nRTF file that exploits CVE-2017-11882 to download and execute\r\nhxxp://38.153.157.57/156/vbc.exe. 
Unlike PO.docx, this doesn’t use the URL obfuscation technique.\r\nFilename vbc.exe\r\nMD5 cea776885d515fe1e88bccb71c016af3\r\nSHA-256 d8be588eb6eedc59b033c43150cf324fb8e56050e359b47da8017f4c47d264da\r\nThis is internally named \"NNbHhH.exe\", and is AGENTTESLA, sending stolen data via Telegram with the bot ID and token\r\n\"6010275350:AAH4W3CDRhQk0wgfyhQ_jITTy3QYmrxdDbw\"\r\nDetecting\r\nWhen writing a complex Regular Expression (Regex), it’s quite common to see if there’s one publicly available that can be\r\nreused, instead of starting from scratch and missing potential edge-cases that may not be known. Interestingly, the top-voted\r\nStackOverflow post for a URL RegEx will fail to find URLs using these techniques. The RegEx shown on the\r\nStackOverflow answer is:\r\nhttps?:\\/\\/(www\\.)?{1,256}\\.[a-zA-Z0-9()]{1,6}\\b(*)\r\nUsing that Regex in Regex101 shows it misses the obfuscated URL:\r\nIf a security, logging, or threat intelligence tool is built using this regular expression, it will be unable to successfully\r\nidentify or parse out these obfuscated URLs.\r\nFor those on defense, network traffic analysis won’t show this technique in use. When a browser receives a request to go to a\r\nURL using this syntax, it automatically translates it to a valid destination before issuing the request. Therefore, by analyzing\r\nnetwork traffic, you wouldn’t see an obfuscated URL.\r\nHowever, using file-based analysis like YARA or AV/EDR can reveal tools using URL schema obfuscation, as can process\r\nexecution logs. If a program executes something like PowerShell’s Invoke-WebRequest module pointing to an obfuscated\r\nURL, the obfuscated URL will be shown in the logs. 
As for detecting it in files, YARA rules are included that can find it in\r\nOffice documents, RTFs, and PDFs.\r\nConclusion\r\nURL Schema Obfuscation is currently being abused to deliver malware in a variety of ways, from phishing links to template\r\ninjection. Defenders need to ensure security tooling and logging systems are able to detect, identify, and parse the correct\r\nindicators to ensure defenses aren’t bypassed by using a format that isn’t RFC-compliant. In the absence of other indicators,\r\ndetection of URL Schema Obfuscation using the provided YARA rules can be a malicious indicator in itself, helping to\r\ndetect and prevent intrusions.\r\nAcknowledgements\r\nSpecial thanks to Connor McLaughlin and Jared Wilson for their assistance every step of the way.\r\nAppendix 1: YARA Rules\r\nrule M_Hunting_ObfuscatedURL_DottedQuad\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Finds URL Schema Obfuscation of the format http://loremipsum@1.2.3.4\"\r\n strings:\r\n $doc = {d0 cf 11 e0}\r\n $pdf = {25 50 44 46 2D}\r\n $docx = {50 4b 03 04}\r\n $rtf = {7b 5c 72 74}\r\n $url = /https?:\\/\\/[\\w\\d\\-\\_]{1,255}\\@\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}(\\:\\d{1,5})?/ nocase\r\n condition:\r\n ($doc at 0 or $docx at 0 or $pdf at 0 or $rtf at 0) and filesize \u003c 3MB and $url\r\n}\r\nrule M_Hunting_ObfuscatedURL_Integer\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Finds URL Schema Obfuscation of the format http://loremipsum@16909060\"\r\n strings:\r\n $doc = {d0 cf 11 e0}\r\n $pdf = {25 50 44 46 2D}\r\n $docx = {50 4b 03 04}\r\n $rtf = {7b 5c 72 74}\r\n $url = /https?:\\/\\/[\\w\\d\\-\\_]{1,255}\\@\\d{8,10}(\\:\\d{1,5})?/ nocase\r\n condition:\r\n ($doc at 0 or $docx at 0 or $pdf at 0 or $rtf at 0) and filesize \u003c 3MB and $url\r\n}\r\nrule M_Hunting_ObfuscatedURL_DottedQuadHex\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Finds URL 
Schema Obfuscation of the format http://loremipsum@0x01.0x02.0x03.0x04\"\r\n strings:\r\n $doc = {d0 cf 11 e0}\r\n $pdf = {25 50 44 46 2D}\r\n $docx = {50 4b 03 04}\r\n $rtf = {7b 5c 72 74}\r\n $url = /https?:\\/\\/[\\w\\d\\-\\_]{1,255}\\@0x[a-fA-F0-9]{1,2}\\.0x[a-fA-F0-9]{1,2}\\.0x[a-fA-F0-9]{1,2}\\.0x[a-fA-F0-9]{1,2}(\r\n condition:\r\n ($doc at 0 or $docx at 0 or $pdf at 0 or $rtf at 0) and filesize \u003c 3MB and $url\r\n}\r\nrule M_Hunting_ObfuscatedURL_DottedQuadMix\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Finds URL Schema Obfuscation of the format http://loremipsum@1.2.0x03.0x04\"\r\n strings:\r\n $doc = {d0 cf 11 e0}\r\n $pdf = {25 50 44 46 2D}\r\n $docx = {50 4b 03 04}\r\n $rtf = {7b 5c 72 74}\r\n $url = /https?:\\/\\/[\\w\\d\\-\\_]{1,255}\\@(0x[a-fA-F0-9]{1,2}|\\d{1,3})\\.(0x[a-fA-F0-9]{1,2}|\\d{1,3})\\.(0x[a-fA-F0-9]{1,2}\r\n condition:\r\n ($doc at 0 or $docx at 0 or $pdf at 0 or $rtf at 0) and filesize \u003c 3MB and $url\r\n}\r\nrule M_Hunting_ObfuscatedURL_Domain\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Finds URL Schema Obfuscation of the format http://loremipsum@mandiant.com\"\r\n strings:\r\n $doc = {d0 cf 11 e0}\r\n $pdf = {25 50 44 46 2D}\r\n $docx = {50 4b 03 04}\r\n $rtf = {7b 5c 72 74}\r\n $url = /https?:\\/\\/[\\w\\d\\-\\_]{1,255}\\@([\\w\\d\\-]{1,100}\\.){1,10}[\\w\\d\\-]{1,20}(\\:\\d{1,5})?/ nocase\r\n $exclusions = /https?:\\/\\/[\\w\\d\\-\\_]{1,255}\\@(gmail\\.com|hotmail\\.com|yahoo\\.com|outlook\\.com|hotmail\\.co\\.uk|sentry\\.i\r\n condition:\r\n ($doc at 0 or $docx at 0 or $pdf at 0 or $rtf at 0) and filesize \u003c 3MB and $url and not $exclusions\r\n}\r\nAppendix 2: Malware Families By 
URL\r\nAGENTTESLA\r\nhxxp://OASOSIDFOSWEROEROOWRWERWEREWWW0W83W338W83WOWRWWRWRWRW9W9R9W9R9WR9W9RW9R9W9R9W9R0WR7RR7W7RW7RRW7R66WSD6DSD6S6D6DSD66D6S@392095676/58..........................58.......................doc\r\nLOKIBOT\r\nhxxp://xzcbbsjjfhjsdjzazazasvxcvnbbzaszxccvx@392133367/xzswqqazzza_sxcvbnzazazzzzzzza_zxasdazzzasdzczxc/xzzzcv_qazzxcs.doc\r\nFORMBOOK\r\nhxxp://ZZZJOOIOIOSDP99090SDXDdad9SDED99000DF00DF0SDF00DF0XCCXC0V00S0FDS0F0DF00SSZZZZZZZZ0X0C0XCZZXC0X@392117348/22u.22u.22u.doc\r\nMATIEX\r\nhxxp://WEEEERRRRRRRRRRRPPPOOOOSSSSSSSOOOOOPPWEEEEEEEOOOOOOOCCVVVVVVVVOVVVVVVVVVVVVVVVVOOOOOO@104.168.32.152/O__O.DOC\r\nSource: https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse"
	],
	"report_names": [
		"url-obfuscation-schema-abuse"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434957,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3af90e2fd95547c759babfd671bff8a4b4d4366.pdf",
		"text": "https://archive.orkl.eu/a3af90e2fd95547c759babfd671bff8a4b4d4366.txt",
		"img": "https://archive.orkl.eu/a3af90e2fd95547c759babfd671bff8a4b4d4366.jpg"
	}
}