A growing smishing campaign is exploiting a little-known quirk in web addresses: the “@” symbol.
Attackers are pairing the tactic with high-profile names like FedEx, UPS, and the IRS, banking on brand recognition to disarm users. Unit 42 researchers warn that the campaign is expanding rapidly, with thousands of fraudulent URLs already observed in the wild.
Exploiting the ‘@’ symbol in URLs
These attacks bypass traditional email-based phishing defenses by targeting mobile SMS messaging and rely on brand trust to succeed. Victims are led to credential harvesting sites or malware payloads designed for both mobile and desktop platforms.
The core technique involves embedding a trusted brand name before the “@” symbol in a URL. While users might assume the URL points to a legitimate domain, modern browsers interpret the portion after the “@” as the true destination.
For example, a link such as www.fedex[.]com@servicece[.]co might look credible at a glance, but it actually routes to the malicious servicece[.]co domain.
This pattern was originally part of HTTP Basic Authentication, allowing credentials to be passed in URLs. However, due to security risks — including exposure in browser history and network traffic — the syntax has been deprecated.
Modern browsers now strip out the username and password fields, but the misleading formatting remains valid and exploitable under the RFC 1738 URL syntax.
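To show what the two paragraphs above mean in practice, the following Python snippet (an added illustration, not code from the Unit 42 report) runs such links through urllib.parse, which applies the same rule browsers do: everything before the last "@" in the authority is userinfo and is never used to choose the server. The first link is the defanged example from the article; the remaining links use constructed placeholder domains.

```python
from urllib.parse import urlsplit


def resolve_destination(url: str) -> dict:
    """Split a URL the way browsers (and Python's RFC 3986-based parser) do.

    In the authority part, everything before the LAST '@' is userinfo
    (user:password) and is never used to pick the server; the host that is
    actually contacted is whatever follows the '@'.
    """
    if "://" not in url:
        # Messaging apps and browsers treat a bare address as http://
        url = "http://" + url
    parts = urlsplit(url)
    return {
        "displayed_prefix": parts.username or "",  # the brand-looking text a victim reads first
        "actual_host": parts.hostname or "",       # the server the request really goes to
        "has_userinfo": parts.username is not None,
        "path": parts.path,
    }


if __name__ == "__main__":
    # Sample links: the first is the article's defanged example, the rest are
    # constructed placeholders (".example" domains), not real indicators.
    for link in ("www.fedex.com@servicece.co/track",
                 "https://www.irs.gov@serve-refund.example/confirm",
                 "http://user:secret@legit.example:8443/api",
                 "http://a@b@c.example/",
                 "https://www.fedex.com/track"):
        print(link, "->", resolve_destination(link))
```

Note that a password or a port in the userinfo does not change the result, and that with several "@" characters the host is still taken from after the last one, so a filter that splits on the first "@" would pick the wrong destination.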
Unit 42 observed over 2,170 URLs in this campaign, leveraging the “@” tactic. Notably, more than 30% of the malicious domains demonstrated lexical similarity, frequently starting with prefixes like “serve,” “service,” or “serving” to appear more legitimate.
Cloaking, group text deception, and domain aging
The attackers go beyond simple URL tricks. They employ cloaking techniques that show error pages or redirect to benign sites when accessed by crawlers, but serve active phishing pages on mobile devices.
They also send smishing messages through group texts disguised as six-digit short codes, commonly used by businesses for one-time passwords (OTPs) and alerts. This detail increases the appearance of legitimacy.
Adding further sophistication, many of the malicious domains are “strategically aged.” Rather than registering and deploying them immediately, attackers pre-register domains months in advance to build credibility. Some domains used in this campaign were aged up to 12 months, while others were registered and activated as recently as September 2025.
Building layered defenses
To defend against these smishing campaigns, organizations should focus on a layered security strategy that combines user education, technical safeguards, and incident response preparedness.
- User awareness: Train employees on smishing tactics (deceptive URLs, spoofed short codes) and provide clear reporting channels.
- Mobile protection: Use EDR, mobile threat defense, and enforce security baselines with MDM.
- Filtering: Apply URL/DNS filtering to detect “@” patterns and brand lookalikes; add carrier or SMS gateway blocks.
- Monitoring: Ingest IOCs into SIEM/SOAR and review DNS, proxy, and SMS logs for suspicious activity.
- Access controls: Require MFA, enforce least privilege, and segment networks to limit compromise.
- Incident response: Maintain playbooks for smishing, conduct simulations, and ensure rapid escalation procedures are in place.
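The "Filtering" and "Monitoring" items above, together with the campaign traits described earlier (brand names hidden in userinfo, "serve"/"service"/"serving" domain prefixes, six-digit short codes used for group texts, and recently registered versus deliberately aged domains), can be turned into a small rule set run over SMS gateway logs. The Python below is an added example, not tooling from the report or from Unit 42; the brand list, the registration dates, the message records and the sender codes are all constructed, and the registration table stands in for a WHOIS/RDAP lookup a real deployment would perform.

```python
import re
from datetime import date
from urllib.parse import urlsplit

# --- Constructed reference data (stand-ins for a real brand list and a WHOIS/RDAP lookup) ---
PROTECTED_BRANDS = {"fedex.com", "ups.com", "irs.gov"}
LOOKALIKE_PREFIXES = ("serve", "service", "serving")   # prefixes reported for this campaign
REGISTRATION_DATE = {                                  # hypothetical registration dates
    "servicece.co": date(2025, 9, 12),                 # registered days before use
    "serve-parcel.example": date(2024, 10, 1),         # "strategically aged" for about a year
}
YOUNG_DOMAIN_DAYS = 30

URL_RE = re.compile(r"\b(?:https?://|www\.)\S+")
SHORT_CODE_RE = re.compile(r"^\d{6}$")


def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation; a production filter would use the public suffix list."""
    return ".".join(host.split(".")[-2:])


def analyze_url(url: str, seen_on: date) -> set[str]:
    """Return the names of the detection rules a single URL triggers."""
    findings = set()
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)

    # Rules 1 and 2: userinfo present at all, and protected brand text hidden inside it.
    if parts.username is not None:
        findings.add("userinfo_in_url")
        userinfo = parts.username.lower()
        if any(brand in userinfo for brand in PROTECTED_BRANDS):
            findings.add("brand_in_userinfo")

    # Rule 3: destination domain starts with one of the campaign's lookalike prefixes.
    if domain not in PROTECTED_BRANDS and domain.startswith(LOOKALIKE_PREFIXES):
        findings.add("service_prefix_lookalike")

    # Rule 4: destination registered very recently (aged domains are meant to evade this one,
    # which is why the other rules matter).
    registered = REGISTRATION_DATE.get(domain)
    if registered is not None and (seen_on - registered).days < YOUNG_DOMAIN_DAYS:
        findings.add("domain_younger_than_30d")
    return findings


def analyze_message(msg: dict) -> list[str]:
    """Run all rules over one SMS record and return the sorted list of findings."""
    findings = set()
    # Rule 5: a six-digit short code addressing several recipients at once (group-text lure).
    if SHORT_CODE_RE.match(msg["sender"]) and len(msg["recipients"]) > 1:
        findings.add("shortcode_group_text")
    for url in URL_RE.findall(msg["text"]):
        findings |= analyze_url(url.rstrip(".,;:)"), msg["date"])
    return sorted(findings)


# Constructed sample SMS log: sender numbers, codes, recipients and texts are made up.
SAMPLE_MESSAGES = [
    {"sender": "262966", "recipients": ["+15550101", "+15550102", "+15550103"],
     "date": date(2025, 9, 20),
     "text": "FedEx: your package is on hold. Confirm delivery at www.fedex.com@servicece.co/track"},
    {"sender": "+15550100", "recipients": ["+15550104"],
     "date": date(2025, 9, 20),
     "text": "IRS: refund approved. Verify your details at https://serve-parcel.example/refund."},
    {"sender": "FEDEX", "recipients": ["+15550105"],
     "date": date(2025, 9, 20),
     "text": "Your FedEx package arrives today. Track: https://www.fedex.com/track"},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["sender"], analyze_message(m) or "clean")
```

The second sample message is the instructive one: its domain was "aged" for almost a year, so the domain-age rule stays silent and only the prefix heuristic fires, which is why these signals should feed a SIEM as a combined score rather than be used as single hard blocks.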
The evolution of smishing
This campaign underscores the evolution of social engineering attacks.
The addition of cloaking, group text impersonation, and domain aging makes these attacks harder to detect and more convincing to victims. Threat actors are also leveraging AI to personalize attacks at scale.
Smishing is not a new phenomenon, but its sophistication continues to grow. By impersonating trusted brands, attackers are exploiting not just technical weaknesses but also human psychology. This blending of technical evasion with social engineering highlights why defenders must consider both people and processes in their security strategies.
As attackers refine these methods, organizations must stay vigilant. Even small lapses—such as an untrained employee clicking a link in a fraudulent delivery notification—can escalate into credential theft or ransomware infection across enterprise systems.
The takeaway for security teams is clear: defenses designed just for email phishing are no longer sufficient.
As mobile-first attacks gain more traction, a layered defense that includes zero trust, technical controls, and continuous awareness training is essential.