diff --git a/packages/snaps-utils/src/ui.test.tsx b/packages/snaps-utils/src/ui.test.tsx
index 04ecab327c..69746ff5a1 100644
--- a/packages/snaps-utils/src/ui.test.tsx
+++ b/packages/snaps-utils/src/ui.test.tsx
@@ -750,6 +750,19 @@ describe('validateLink', () => {
     expect(fn).toHaveBeenCalledWith('https://test.metamask-phishing.io');
   });
 
+  it('throws an error for an email containing more than one "@" symbol', () => {
+    const fn = jest.fn().mockReturnValue(false);
+    const getSnap = jest.fn();
+
+    expect(() =>
+      validateLink('mailto:foo@bar.com@baz.com', fn, getSnap),
+    ).toThrow(
+      'Invalid URL: Unable to parse email address "foo@bar.com@baz.com".',
+    );
+
+    expect(fn).not.toHaveBeenCalled();
+  });
+
   it('throws an error for a phishing email when using parameters', () => {
     const fn = jest.fn().mockImplementation((email) => {
       if (email === 'https://test.metamask-phishing.io') {
diff --git a/packages/snaps-utils/src/ui.tsx b/packages/snaps-utils/src/ui.tsx
index ea910767f5..b2dd0f53dd 100644
--- a/packages/snaps-utils/src/ui.tsx
+++ b/packages/snaps-utils/src/ui.tsx
@@ -366,7 +366,10 @@ export function validateLink(
     } else if (url.protocol === 'mailto:') {
       const emails = url.pathname.split(',');
       for (const email of emails) {
-        const hostname = email.split('@')[1];
+        const parts = email.split('@');
+        assert(parts.length === 2, `Unable to parse email address "${email}".`);
+
+        const hostname = parts[1];
         assert(!hostname.includes(':'));
         const href = `https://${hostname}`;
         assert(!isOnPhishingList(href), 'The specified URL is not allowed.');