Adversaries may use the @ symbol in URLs to obfuscate malicious domain names, masking phishing attempts and evading basic URL filtering. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential phishing campaigns and mitigate user compromise risks.
KQL Query
EmailUrlInfo
| where Url contains "@"
| extend ParsedUrl = parse_url(Url)
| where ParsedUrl.Host contains "@"
| extend SplitHost = split(ParsedUrl.Host,'@')
| extend FakeDomain = SplitHost[0], TrueDomain = SplitHost[1]
| project-reorder Url, TrueDomain, FakeDomain
id: e3331ef7-805f-4137-a8e1-1df59e822383
name: Detect DNS obfuscation using @ symbol
description: |
  One of the tricks used in phishing is obfuscating the domain name in a URL by
  using the @ symbol. This technique goes all the way back to the original RFC
  for URLs, RFC 1738. When you specify an @ in the DNS portion of a URL it denotes
  that the left side of the DNS name holds a username and password for
  authentication to the server on the right side of the @ sign. Unfortunately,
  an attacker can use this technique to trick a user by formatting the URL as
  http://www.trusteddomain.com@www.realdomain.com/. When a user sees the link
  they may think they're going to www.trusteddomain.com when in fact they are
  going to www.realdomain.com. For a working example, try this:
  http://[email protected]/.
  This query finds this technique in URLs embedded within e-mails and highlights
  the fake and real domains.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailUrlInfo
query: |
  EmailUrlInfo
  | where Url contains "@"
  | extend ParsedUrl = parse_url(Url)
  | where ParsedUrl.Host contains "@"
  | extend SplitHost = split(ParsedUrl.Host,'@')
  | extend FakeDomain = SplitHost[0], TrueDomain = SplitHost[1]
  | project-reorder Url, TrueDomain, FakeDomain
| Sentinel Table | Notes |
|---|---|
| EmailUrlInfo | Ensure this data connector is enabled |
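The same split-on-@ logic as the KQL above, written in Python as an added example for testing the detection offline (this is not part of the hunting query or the Sentinel repo). It runs over a constructed list of URLs standing in for the EmailUrlInfo.Url column, applies the mailto: exclusion from the tuning scenarios, and flags cases where the userinfo part looks like a domain name, which is the phishing pattern rather than ordinary credentials-in-URL.

```python
from urllib.parse import urlsplit

# Constructed sample values standing in for EmailUrlInfo.Url rows (not real data).
SAMPLE_URLS = [
    "http://www.trusteddomain.com@www.realdomain.com/login",   # classic lure
    "https://secure.bank.example@203.0.113.10/verify?id=1",    # lure pointing at an IP
    "https://www.example.com/path",                            # no userinfo
    "mailto:user@example.com",                                 # '@' but not a userinfo trick
    "https://user:pass@api.example.net/v1",                    # legitimate credentials-in-URL
]


def split_userinfo(url):
    """Return (fake_domain, true_domain) when the URL authority carries userinfo, else None.

    Mirrors the KQL: the text left of '@' is what the reader sees, the host right
    of it is where the browser actually connects. The last '@' is the separator,
    since RFC 3986 userinfo may itself contain '@' when percent-decoded loosely.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return None
    userinfo = parts.netloc.rpartition("@")[0]
    fake_domain = userinfo.split(":", 1)[0]   # drop any password component
    return fake_domain, parts.hostname


def hunt(urls, exclude_schemes=("mailto",)):
    """Emit one finding per URL that uses '@' in its authority, like the query's projected rows.

    LooksLikeDomain marks userinfo containing a dot (e.g. 'www.trusteddomain.com'),
    which separates lookalike lures from plain 'user:pass@host' API calls.
    """
    findings = []
    for url in urls:
        if urlsplit(url).scheme.lower() in exclude_schemes:
            continue                                   # tuning: mailto: links carry '@' by design
        result = split_userinfo(url)
        if result is None:
            continue
        fake_domain, true_domain = result
        findings.append({
            "Url": url,
            "FakeDomain": fake_domain,
            "TrueDomain": true_domain,
            "LooksLikeDomain": "." in fake_domain,
        })
    return findings


if __name__ == "__main__":
    for row in hunt(SAMPLE_URLS):
        print(row)
```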
Scenario: Legitimate use of @ in email within a URL
Description: A user clicks on a link containing an email address formatted as mailto:[email protected], which includes the @ symbol.
Filter/Exclusion: Add a filter to exclude URLs containing the mailto: protocol.
Example: url contains "mailto:"
Scenario: Scheduled job using @ for user substitution
Description: A system administrator uses a script or tool like cron or Task Scheduler to run a job that includes a placeholder @ symbol for dynamic user input (e.g., [email protected]).
Filter/Exclusion: Exclude DNS queries that match known internal user substitution patterns or include specific dynamic placeholders.
Example: dns.query.name contains "@user" or "user@domain"
Scenario: Admin task using @ in a command-line argument
Description: An admin runs a command-line tool like curl or wget with an argument that includes an @ symbol, such as curl http://[email protected], which is a valid syntax for specifying a file.
Filter/Exclusion: Exclude DNS queries that contain @ in the context of file paths or command-line arguments.
Example: dns.query.name contains "@file" or "@path"
Scenario: Legitimate DNS obfuscation for internal services
Description: A company uses internal services that include @ in their domain names for internal routing or legacy systems (e.g., [email protected]).
Filter/Exclusion: Exclude DNS queries that match internal domain names or are associated with known internal services.
Example: dns.query.name contains "@internal" or "internal.example.com"
**Scenario: Use of @ in a URL for a legitimate API