== A piece of phish spam with some clever URL obfuscation We were the target of a phish spam run today. In many respects it was a standard modern phish; it was specifically targeted to us, with a message and claimed sender tuned to here, it was in HTML, and the inducement to click was a claim of 'go here to retrieve a voicemail message'. However, it had one interesting trick that I haven't seen before, and that was how it obfuscated its target URL. The first level of obfuscation was that the target in the was entirely encoded in HTML hex entities, which probably only stops very basic spam recognizer engines (and serves as a big warning sign for others). However, even when decoded the direct URL came out to be '/blah/?of=', with no host in evidence. At first I stared at this in puzzlement, and then the penny dropped and I looked at the full HTML. Up at the top was a little thing: >