Forum Discussion
Marnik
Jan 15, 2025 | Brass Contributor
No URL Detection in Emails with Extensive %2580 Encoding
Hi Community, I encountered a concerning issue where emails containing URLs with extensive encoding (%2580) completely bypassed all detection and security mechanisms. These encoded URLs weren’t iden...
ExMSW4319
Jan 28, 2025 | Steel Contributor
Yep, I call it the padded URL tactic. The padding is typically visually displayed as spaces so the recipient may just see "youtube.com ", a domain some marketing types love to put in signature blocks. Pattern matching has horrendous problems (test non-intrusively, kiddies) and I gave up when it seemed that any Youtube TLD was fair game. I am pretty sure I have seen the tactic used with other domains too. Stepping back from MDO, putting a block or warning on your web proxy won't do any good because it is the payload domain at the far end of the padding string that is the real threat. Just for once, it isn't the Google infrastructure being weaponised except tangentially for the reputation, and the real problem as the OP said is down to MDO not being able to display the value in Threat Explorer or, it seems, offer any detection except by peripheral factors.
I looked at a recent sample and the padding ran to over 4k characters prior to the payload domain. A quick Copilot check suggests that RFC-1035 sets a maximum host name length of 255 characters, so someone isn't checking bounds.