Microsoft 365 Security Warning As URL Hackers Exploit The @ Gap
www.forbes.com
Although, as a new FBI security advisory demonstrates only too sagely, phishing is not the only hacking fruit, that doesn't mean that the risk of social engineering is to be ignored. Far from it, in fact. A flood of security warnings, including the FrigidStealer campaigns targeting macOS users and sophisticated AI-driven attacks aimed at Gmail users, is proof of that. Now, security researchers at Check Point have confirmed a new phishing campaign that exploits something known as the @ gap to drive victims toward Microsoft 365 credentials theft.

What Microsoft 365 Users Need To Know About The @ Gap Attacks

Obfuscation, the art of hiding something, is key to the success of most phishing campaigns. Most often, what the attacker wants to hide is the actual website that they are driving their victims to, and that means some sort of messing around with the URL link address itself. There are many ways of accomplishing this, from the use of cleverly located mouseover text link-hovering attacks through to sophisticated in-browser double-click hacks. What you might not have heard of, however, is the @ gap exploitation technique that has been observed by Check Point security researchers.

In what Check Point's Harmony and Email Collaboration team called sophisticated URL manipulation techniques, the observed campaign has already sent more than 200,000 phishing emails targeting a wide range of organizations and individuals. Some 75% of these are aimed at those within the U.S., with the remainder hitting EMEA and Canadian users.

The report revealed that the attackers are exploiting the @ gap: the userinfo portion of web addresses, specifically the segment between http:// and the @ symbol within a URL. Since most websites disregard this field, the researchers warned, attackers can insert misleading information before the @ symbol to disguise malicious links.

Having been routed through what appear to be legitimate redirects, the victim ends up at what has been described as a meticulously crafted Microsoft 365 phishing page, complete with CAPTCHA implementation. The latter is something I have warned of previously as being exploited in such campaigns to add a degree of false security to the proceedings.

Mitigating The Latest Microsoft 365 Phishing Attacks

Check Point recommended the following three approaches to mitigate these Microsoft 365 @ gap attacks:

Consider updating redirection rules. In the event that a site or application allows for redirection, ensure that your enterprise maintains strict rules around where redirects can lead to.

Adopt current best practices. Regularly update and patch systems. Keep all software, including email clients and web browsers, up-to-date with the latest security patches.

Implement advanced email security. Utilize comprehensive and advanced email security solutions.

One thing is for sure: if you are a Microsoft 365 user, then you need to be aware that such URL obfuscation occurs and be extra careful as to where that link is really taking you.

If in doubt, in fact, at all times, don't enter login information at a site unless you have typed in the address yourself or use a known and trusted bookmark.
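
The @ gap described above can be checked mechanically, because a standard URL parser treats everything before the last @ in the authority as userinfo and everything after it as the real host. The following Python sketch is an added example, not code from Check Point or this article; the trusted-host list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist: hosts your organization expects in sign-in links.
TRUSTED_HOSTS = {"login.microsoftonline.com", "www.office.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
DOMAIN_LIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def inspect_url(url):
    """Return a finding dict if the URL carries userinfo, else None."""
    parts = urlsplit(url)
    if parts.username is None:      # no '@' in the authority: nothing hidden
        return None
    # Everything before the last '@' is userinfo; the browser ignores it
    # when choosing which server to contact.
    userinfo = parts.netloc.rsplit("@", 1)[0]
    decoy = userinfo.split(":", 1)[0]
    host = (parts.hostname or "").lower()
    return {
        "url": url,
        "displayed_prefix": userinfo,
        "real_host": host,
        # A userinfo field shaped like a domain is a strong phishing signal.
        "decoy_looks_like_domain": bool(DOMAIN_LIKE.match(decoy)),
        "real_host_trusted": host in TRUSTED_HOSTS,
    }


def scan_message(body):
    """Collect findings for every URL in a message body that uses userinfo."""
    findings = []
    for match in URL_RE.finditer(body):
        finding = inspect_url(match.group(0).rstrip(".,;)"))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: the first link hides phish.example behind a Microsoft
# hostname; the second only has '@' in its query string and is not flagged.
SAMPLE = (
    "Your mailbox is full. Sign in at "
    "https://login.microsoftonline.com@phish.example/auth?id=1 to fix it.\n"
    "Docs: https://www.office.com/help?contact=admin@corp.example\n"
)

if __name__ == "__main__":
    for f in scan_message(SAMPLE):
        print(f"{f['displayed_prefix']!r} is a decoy; real host is {f['real_host']!r}")
```

The same parse, applied to the target of a redirect before it is followed, gives a place to enforce the redirection rules recommended above.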