Spammers have started using a tricky URL obfuscation technique that sidesteps detection and ultimately infects victims with the LokiBot trojan. The tactic was uncovered in recent spear-phishing emails with PowerPoint attachments, which contain a malicious macro. When the PowerPoint file is opened, the document attempts to access a URL via a Windows binary (mshta.exe), and this leads to various malware being installed onto the system. The attackers used a unique semantic attack on the campaign s URLs to trick the email recipient and avoid being flagged by email and AV scanners.
Source: https://threatpost.com/lokibot-url-obfuscation/159729/