Menlo Security recognized as leading enterprise browser company in GigaOm’s ZTNA report.
Icon Rounded Closed - BRIX Templates

Camouflaged URLs in template injection attacks


Executive Summary

The Menlo Labs research team recently published a blog on how weaponized template injection documents work and how to prevent them. Unless they have specific traces like malicious URLs or exploit markers, they often go undetected by security scanners.

As we continued our research into template injection attacks, we stumbled across several weaponized documents with an interesting camouflage technique hiding the URL to the naked eye. The documents contained a decimal IP address or used an obscure URL format for fetching the remotely hosted template.

As we mentioned in our previous post, the attacks are also noteworthy for the following reasons:

  • They use camouflaged template injection URLs to bypass file-based content inspection engines that look for URL-based patterns in a technique the Menlo Labs team has termed Legacy URL Reputation Evasion (LURE), an example of a Highly Evasive Adaptive Threat (HEAT) technique.
  • Adversaries can inject a malicious URL in the document to render a template hosted on a local or remote machine. This weaponized document, when opened, attempts to download and execute the malicious template. This attack kill chain of loading the payload is also classified as a Living off the Land (LotL) attack — an attack using legitimate software to perform malicious actions.

This blog details our findings on the camouflaged template injection attacks.

Different IP Address Notations

Usually, an IP address is represented with a dotted-decimal notation in the format XXX.XXX.XXX.XXX. Alternatively, IP addresses can also be represented using different notations.

Let’s show the different notations for IP addresses using an example of a IP address, (at the time of this writing):

  • Octal notation: IP address represented in the octal number system → 0052.0372.0307.0216. This can also be represented as 05276543616. Since the leading 0 is used as an interpreter maker for an octal representation, any number of 0s can be added. For example, 0000000000005276543616 or 0052.0372.0307.000000000216.
  • Hexadecimal notation: IP address represented in the hexadecimal number system → 0x2afac78e. This can also be represented as 0x2a.0xfa.0xc7.0x8e.
  • Decimal/DWORD notation: IP address represented in the decimal number system without the dots → 721078158
  • Binary notation: IP address represented in the binary number system → 10001110.11111010.11000111.10001110
  • Encoded notation: IP address represented in a URL-encoded IP address → %34%32%2E%32%35%30%2E%31%39%39%2E%31%34%32
  • Mixed notation: IP address represented with a combination of the different notations mentioned above → 0x2a.0372.199%2E%31%34%32

In addition to the above, there is another notation, 0 optimized dotted-decimal notation, in which the 0s in an IP address are either suppressed or compressed.

For this example, let’s take the default gateway IP address used by routers: The list below shows representations of 0 in the IP address that are optimized:

  • 192.168.1
  • 192.168.000000000000.0000000001
  • 192.168.00000001

By default, most of these notations (except for the binary notation) are accepted by browsers. Using such notations can evade file-based content inspection engines, which look for a valid URL format.

Sounds complicated? Interesting? Wait!!!

It’s not over yet! Let’s dig into another part of this Pandora’s box.

Misleading URI-Based Semantic Attacks

While the IP address notations already pose a challenge to file-based content inspection engines, the use of obscure URLs makes inspection even more challenging. This method involves the use of the “@” userinfo subcomponent in the Uniform Resource Identifier (URI) schemes. Using this character, an obscure URL format or misleading URI can be created in the URI generic syntax format, leading to URI-based semantic attacks. For a better understanding, let’s take the same example of the IP address. An example of a misleading URI can be This URL, when visited via the browser address bar, will resolve to

Here, “@” functions as a delimiter ignoring “test” and resolving to Additionally, it must also use the “://” authority component for creating a misleading URI.

The same functionality works for any number of “@” iterations:

  • https://test!@test!@test!@test!
  • https://@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  • https://@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@0x8efac78e

This can also be performed with octal, hexadecimal, and decimal notations, such as https://test@0x8efac78e and https://@721078158. This turned out to be an interesting experiment for us. We identified that, except for the standard dotted-decimal notation, the octal, hexadecimal, and decimal/DWORD notations were treated as invalid links by most applications.

In addition, an attacker can also mask the malicious URL behind a benign URL. Let’s take a look at the following URLs as examples:

  • https://192.168.1@0x2afac78e

In all these examples, the URLs resolve to — 192.168.1,, and are not the actual URLs.

Camouflaged URLs

The use of browser-supported nonstandard IP notations and a misleading URI acts as camouflage.

An attacker can use the following methods to bypass content inspection engines that check for URLs:

  • Create a link with octal, hexadecimal, or decimal notations, thereby making an application treat the link as an invalid link.
  • Create a link with a misleading URI (semantic attack) by using octal, hexadecimal, or decimal notations.
  • Create a link with a misleading URI (semantic attack) by masking a malicious URL with a benign URL.

These attacks are not new and have been used for more than a decade. In September 2020, Trustwave published details citing examples of such URL evasions. They explained the use of an encoded hexadecimal IP address format and a URL semantic attack that masked a shortened URL.

Camouflaged URLs in Template Injection Attacks

During our research, we identified camouflaged URLs used in weaponized template injection documents.

The templates were hosted in camouflaged URLs that were using the following:

  • Decimal notation
  • Misleading URI (semantic attack) with decimal notation

We will share examples of these notations identified in our analysis.

Decimal notation

The document we analyzed that used decimal notation URLs also contained several “.” and “-” characters as camouflage (see Figure 1).

Camouflaged decimal notation
Figure 1: Camouflaged decimal notation

The details of the file are as follows:

  • File name: Axis Bank - 67 Account Pending List - 22.09.2022.docx
  • Hash- b9cb173c049ab9d289dfde58cfd96cf4)
  • Path → word_rels\webSettings.xml.rels.
  • Template URL - http[:]//1806450061/…----------------------……………..-----------------------……-------/……….650[.]doc

The decimal/DWORD 1806450061 in the URL is the equivalent of in a dotted IP address format.

Misleading URI (Semantic Attack) with Decimal Notation

Another similar-looking document used the same decimal notation URL with several “.” and “-” characters. In addition, the attacker crafted a misleading URI semantic attack (see Figure 2).

Camouflaged misleading URI with decimal notation
Figure 2: Camouflaged misleading URI with decimal notation

The details of the file are as follows:

  • File name: TT details.docx
  • Hash- e732f54857ee57bebe19fb6f3954114c
  • Path → word_rels\webSettings.xml.rels.
  • Template URL - http://users@1806450061/..---------..------------------------_------------/………………………….89.doc

As explained earlier, “@” functions as a delimiter ignoring “users” and taking “1806450061” into consideration. This resolves to the dotted IP address format

Revealing the Camouflage

Now the question is: Does this camouflage reveal automatically, without user intervention? The answer is Yes.

In both cases mentioned previously, upon opening the weaponized document, the camouflaged URL reveals itself and fetches the template from An example of the packet capture during the execution of one such weaponized document is shown below (see Figure 3).

Screenshot of packet capture
Figure 3: Packet capture of the converted dotted-decimal notation

The weaponized documents downloaded a template containing an RTF exploit, CVE-2017-11882. This exploit contains a stack buffer overflow vulnerability in Equation Editor leading to remote code execution. Though this vulnerability has been patched, it still continues to be actively used.

During our analysis using the RTF exploit templates, the weaponized documents dropped malware like FormBook, Snake Keylogger, and SmokeLoader.

Menlo Isolation to the Rescue!

As explained in our previous article, customers using Menlo’s Cloud Security Platform powered by an Isolation Core™ are protected against template injection attacks by design. The Menlo Cloud Security Platform opens all documents downloaded from the Internet in the Isolation Core™, away from the user’s endpoint.

Menlo’s Safedoc feature strips out all the active content, thereby making sure that the malicious aspect is removed. The document is converted to a safe version. Policies can also be configured to ensure that all documents from the Internet are downloaded as a safe version.


This blog provided details about different IP address notations and semantic attacks that Menlo Labs has seen. Threat actors have taken advantage of this strategy in crafting browser-supported nonstandard notations. We showcased examples of weaponized template injection documents using this technique and also using “.” and “-” characters as a camouflage to the naked eye. This attack bypasses some file-based content inspection engines, which treat them as invalid links.

While we observed only a few camouflaged iterations in the template injection attacks, we expect to see more from this Pandora’s box.





Menlo Security

menlo security logo
linkedin logotwitter/x logofacebook logoSocial share icon via eMail