
Phishing Trend Exploiting YouTube URLs Through O365 Expiry Themes

Written by Ethan Fite | Jan 10, 2025 8:48:22 PM

Key Observations

A recent wave of phishing campaigns is leveraging cleverly disguised URLs and Microsoft 365 (O365) password expiry lures to trick users into divulging sensitive credentials. Here’s what we know:


1) Phishing Lure

• The email subject consistently follows the format: “ACTION Required - [Client] Server SecurityID:[random string]”.

• The body of the email urges the recipient to reconfirm their password due to expiry, with clickable buttons labeled “Keep [USER EMAIL] Access Active.”


2) Tactics

• Fake YouTube Links: Attackers embed links that begin with a legitimate-looking hostname (e.g., youtube.com) followed by a run of obfuscation characters such as %20.

• URI Obfuscation: Using the @ symbol in the URL, the attackers direct users to a malicious domain (e.g., globaltouchmassage[.]net) while making the URL appear trustworthy.

3) Notable Indicators

• Embedded URLs use excessive %20 (the URL percent-encoding of a space).

• URLs include an @ symbol that segments the URL into two parts:

  • Everything before the @ is treated as user info and ignored when the browser resolves the host.
  • Everything after the @ is the actual domain.

• The domains used include redirectors and standard phishing templates utilized by Tycoon 2FA, Mamba 2FA, and EvilProxy kits.

How These Links Work

When a URL includes an @ symbol, browsers treat everything before it as the userinfo (username) component and connect to the host that follows the @. For example:

URL: youtube.com%20%20%20%20@testing123.net

Destination Domain: testing123.net
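
To make that parsing concrete, here is an added Python check (not part of the original post or of Cyderes' tooling) that splits a link the way a browser does, reports the host the victim would actually reach, and flags the decoy brand and %20 padding described above; the same check can run over an email body as a simple filter. The brand list, the three-%20 threshold, and the phish.example host are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Brand hostnames the lure plants in front of the '@' (assumed list for this example).
DECOY_BRANDS = ("youtube.com", "microsoft.com", "office.com")
# Three or more consecutive URL-encoded spaces; the threshold is an assumption.
PAD_RE = re.compile(r"(?:%20){3,}", re.IGNORECASE)
URL_RE = re.compile(r"(?:hxxps?|https?)://\S+", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn a defanged IOC (hxxp, [.]) back into a URL the parser accepts."""
    url = url.replace("[.]", ".")
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url if "://" in url else "https://" + url


def analyze_url(url: str) -> dict:
    """Split a link the way a browser does and report the '@' trick.

    Returns the host the browser actually connects to, the decoy text a
    victim sees in front of the '@', and the reasons the link looks bad.
    """
    parts = urlsplit(refang(url))
    decoy = unquote(parts.username or "").strip()
    reasons = []
    if parts.username is not None:
        reasons.append("userinfo before '@' hides the real host")
        if any(decoy == b or decoy.endswith("." + b) for b in DECOY_BRANDS):
            reasons.append(f"decoy brand {decoy!r} in userinfo")
    if PAD_RE.search(parts.netloc):
        reasons.append("run of %20 padding in the authority part")
    return {"destination": parts.hostname, "decoy": decoy or None,
            "suspicious": bool(reasons), "reasons": reasons}


def scan_text(text: str) -> list:
    """Run analyze_url over every link found in an email body."""
    return [analyze_url(m.group(0).rstrip(".,)")) for m in URL_RE.finditer(text)]


if __name__ == "__main__":
    # Constructed email body modelled on the lure; phish.example is a placeholder.
    sample = ("ACTION Required - Server SecurityID:8f3a\n"
              "Keep your access active: https://youtube.com%20%20%20%20@phish.example/ssy/cmd\n"
              "Help: https://www.youtube.com/watch?v=abc123")
    for hit in scan_text(sample):
        print(hit)
```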


Why This Matters

This tactic abuses legitimate services like YouTube in the URL structure to lend credibility to the link. Users are more likely to trust the link without inspecting it closely.


IOC (Indicators of Compromise)

Example Phishing URL:

https://youtube.com%20%20%20%20%20%20%20%20%20%20%20@globaltouchmassage[.]net/ssy/cmd

Common Subject Lines:

"ACTION Required - [Client] Server SecurityID:[random string]"


Recommendations

1) Educate Users

• Always inspect URLs for unusual structures or unexpected symbols (%20, @).

• Be wary of emails urging immediate action regarding passwords or accounts.

2) Technical Mitigations

• Deploy URL filtering and blocklists to catch domains like globaltouchmassage[.]net.

• Use sandbox tools to analyze suspicious links safely.

3) Report and Monitor

• If you suspect phishing, report it to your IT/security team immediately.

Final Note

As phishing tactics evolve, attackers continue to exploit trust in legitimate services. Stay vigilant and always verify links before clicking. Keep your workforce informed and your systems protected.

For more cybersecurity tips, follow Cyderes on LinkedIn and X.