The slashes in the path part of the first url look different than the slashes in the scheme and everywhere in the second url. So my guess is that the first url is the malicious one.
I would have missed it if I hadn't been looking for a difference though. Thanks for the info.
@bjb @suprjami ooooh I hadn't notice that detail! I was going for the @ in the address