The common vector for initial access is still phishing. Humans are the weakest link, and obtaining credentials, access to systems, or both launches the attacker into the environment quickly. Email security is paramount for detecting advanced threats; however, cybercriminals continuously adapt, finding innovative ways to circumvent these protections.
In this post, we’ll explore some of the most effective techniques attackers use to bypass email security and deliver phishing content to their victims, ranked by severity and prevalence.
Business Email Compromise (BEC) and Social Engineering
This continues to be the most severe and most lucrative technique for an attacker. Instead of relying on malicious links or attachments, BEC attacks exploit trust by impersonating executives, vendors, or colleagues. Attackers craft convincing emails that request urgent wire transfers or sensitive information, making it difficult for security filters to detect the fraud. Since this method does not rely on malware or phishing links, it is one of the hardest attacks to mitigate. The variants seen most often are bank account or wire order changes, fake purchase orders, gift card scams, subscription renewals, payroll diversions, and vendor compromise.
Attackers can hijack the email accounts of vendors, partners, or other trusted sources and insert themselves into an ongoing conversation, making their messages appear legitimate. During these attacks, cybercriminals often create mailbox rules to manipulate what the account owner sees. For example, they may:
- Divert legitimate incoming emails to obscure folders like RSS Feeds or Junk to prevent the real account owner from noticing unusual activity.
- Set up auto-forwarding rules to send all correspondence to an external email address for monitoring and interception.
- Modify existing email rules to delete or reroute specific replies that could alert the victim of the compromise.
- Use slight alterations in sender names and domains to mimic real contacts and deceive recipients into trusting fraudulent instructions.
By carefully managing email visibility and exploiting trust, attackers can execute fraudulent financial transactions, obtain sensitive data, or spread malware without immediate detection.
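As an added example (not code from the original post), a Python triage of exported inbox rules that flags the three rule patterns described above: moves into hiding folders, forwarding to external addresses, and deletion. The rule record format (name / conditions / actions) and the sample rules are assumptions constructed for this example.

```python
from __future__ import annotations

# Folder names attackers use to hide mail from the real account owner.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "junk",
                  "deleted items", "archive", "conversation history"}
# Subject words that suggest the rule is aimed at payment-related traffic.
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remittance", "payroll"}

def review_inbox_rule(rule: dict, internal_domains: set[str]) -> list[str]:
    """Return human-readable findings for one rule; an empty list means nothing suspicious."""
    findings = []
    actions = rule.get("actions", {})
    folder = actions.get("move_to_folder", "")
    if folder.lower() in HIDING_FOLDERS:
        findings.append(f"moves matching mail to '{folder}'")
    for addr in actions.get("forward_to", []):
        if addr.rsplit("@", 1)[-1].lower() not in internal_domains:
            findings.append(f"forwards mail to external address {addr}")
    if actions.get("delete"):
        findings.append("deletes matching messages")
    # Context that raises the priority of an already suspicious rule.
    if findings:
        subject = " ".join(rule.get("conditions", {}).get("subject_contains", [])).lower()
        if any(word in subject for word in FINANCE_WORDS):
            findings.append("targets finance-related subjects")
        if not rule.get("name", "").strip(" ."):
            findings.append("rule name is empty or punctuation only")
    return findings

def triage_rules(rules: list[dict], internal_domains: set[str]) -> dict[str, list[str]]:
    """Map each suspicious rule's name to its findings, skipping clean rules."""
    report = {}
    for rule in rules:
        findings = review_inbox_rule(rule, internal_domains)
        if findings:
            report[rule.get("name", "")] = findings
    return report

# Constructed sample rules in an assumed export format (name / conditions / actions).
SAMPLE_RULES = [
    {"name": "..", "conditions": {"subject_contains": ["invoice", "wire"]},
     "actions": {"move_to_folder": "RSS Feeds", "mark_as_read": True}},
    {"name": "Backup", "conditions": {},
     "actions": {"forward_to": ["acct-review@mail-relay.invalid"]}},
    {"name": "Team news", "conditions": {"from": ["news@corp.example"]},
     "actions": {"move_to_folder": "Newsletters"}},
]

if __name__ == "__main__":
    for name, findings in triage_rules(SAMPLE_RULES, {"corp.example"}).items():
        print(f"[{name!r}] " + "; ".join(findings))
```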
Without a vigilant employee, these attacks can be difficult to spot, which is why they sit at the top of this list even as email security measures continue to improve and adopt machine learning/AI to help detect them.
Compromised Email Threads (Thread Hijacking)
Thread hijacking is commonly used alongside BEC, as mentioned above, though attackers may also pursue other objectives. Instead of sending random phishing emails, attackers hijack legitimate email threads by compromising accounts. They reply within ongoing conversations, inserting malicious attachments or links, which makes the phishing attempt appear more authentic and bypasses traditional filters. This technique increases the likelihood of victim engagement.
Lookalike Domains and Homoglyph Attacks
Attackers register domains that closely resemble legitimate ones, using visually similar character substitutions. This technique, known as a homoglyph attack, tricks users into believing they are on a trusted website, making credential theft more effective. These fake domains are often used for credential harvesting or delivering malicious payloads.
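An added example, not code from the original post: a Python check that reduces a sender domain to a confusable-free "skeleton" (expanding punycode labels first) and compares it with protected brand domains, also catching one-character typo-squats. The confusable table is a constructed subset, and the sample domains are made up for the demonstration.

```python
from __future__ import annotations
import unicodedata

# Single characters that imitate a Latin letter. An illustrative subset
# assembled for this example, not the full Unicode confusables table.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic с х у і
    "0": "o", "1": "l", "3": "e", "5": "s",                     # digit look-alikes
})
# Letter pairs that render like a single letter in many fonts.
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))

def skeleton(domain: str) -> str:
    """Reduce a domain to a skeleton so visually similar spellings collide."""
    try:
        domain = domain.encode("ascii").decode("idna")  # expand punycode (xn--) labels
    except UnicodeError:
        pass  # already Unicode or malformed; compare the raw string
    text = unicodedata.normalize("NFKC", domain).lower().translate(CONFUSABLES)
    for pair, letter in MULTI_CONFUSABLES:
        text = text.replace(pair, letter)
    return text

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalike(sender_domain: str, protected: list[str]) -> str | None:
    """Return the protected domain that sender_domain imitates, or None if it is
    either an exact (legitimate) match or unrelated."""
    if sender_domain.lower() in {p.lower() for p in protected}:
        return None
    sk = skeleton(sender_domain)
    for good in protected:
        if sk == skeleton(good) or edit_distance(sk, skeleton(good)) <= 1:
            return good
    return None

if __name__ == "__main__":
    # Constructed sender domains; the first uses Cyrillic 'а' (U+0430) in place of Latin 'a'.
    for candidate in ("p\u0430ypal.com", "rnicrosoft.com", "micros0ft.com", "example.org"):
        print(candidate, "->", find_lookalike(candidate, ["paypal.com", "microsoft.com"]))
```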
Zero-Day Phishing Pages with Dynamic Content
Some phishing pages change dynamically based on the visitor’s IP address, browser, or security software detection. When accessed by security bots, these pages may appear harmless, but when visited by a potential victim, they display a phishing login form. Attackers can also integrate fingerprinting techniques that detect security tools and adapt page content accordingly. Additionally, they may inject fake error messages to mislead security analysts or redirect victims to fake login pages that closely mimic legitimate sites.
Attackers may also compromise a legitimate site with a good reputation, instead of registering a new domain (which draws scrutiny from security tooling), and use it for credential harvesting to circumvent security measures.
HTML Smuggling
This technique allows attackers to bypass security filters by embedding malicious payloads within HTML or JavaScript code. When users open the email or attachment in their browser, the script reconstructs the payload, delivering malware or phishing pages directly to their system. Unlike traditional attachments, HTML smuggling doesn’t rely on external downloads, making it harder for endpoint security tools to detect. Attackers often use this technique to distribute malware, such as remote access trojans (RATs) or ransomware, without triggering antivirus.
Some phishing campaigns also leverage HTML smuggling to deploy credential-stealing malware disguised as legitimate login portals, making it a highly effective evasion tactic. We’ve seen APT29 use HTML smuggling to deliver malware through a Cobalt Strike C2: the attack started with an HTML attachment that, upon opening, reconstructed a malicious JavaScript blob, which in turn generated a Windows executable that bypassed email security scans.
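Added detection example, not code from the original post: parse a raw message with Python's email module and score each HTML attachment for the traits described above (inline script, client-side file-assembly APIs, a large embedded base64 blob). The indicator list and the sample message are constructed for this example; the sample "payload" is a run of 'A' characters, not real content.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Browser APIs used to assemble a file client-side; an illustrative list, not a vendor signature set.
ASSEMBLY_APIS = ("atob(", "new Blob(", "URL.createObjectURL", "msSaveOrOpenBlob", "Uint8Array(")
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{400,}={0,2}")
HTML_EXTENSIONS = (".html", ".htm", ".xhtml", ".shtml")

def score_html(body: str) -> tuple[int, list[str]]:
    """Score one HTML attachment body; each matched trait adds one point."""
    reasons = []
    lowered = body.lower()
    if "<script" in lowered:
        reasons.append("inline <script>")
    apis = [api for api in ASSEMBLY_APIS if api.lower() in lowered]
    if apis:
        reasons.append("client-side assembly APIs: " + ", ".join(apis))
    blob = LONG_BASE64.search(body)
    if blob:
        reasons.append(f"embedded base64 blob of {len(blob.group())} chars")
    if "download=" in lowered:
        reasons.append("anchor with download attribute")
    return len(reasons), reasons

def scan_eml(raw: bytes) -> list[tuple[str, int, list[str]]]:
    """Return (filename, score, reasons) for each HTML attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(HTML_EXTENSIONS):
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            results.append((name, *score_html(body)))
    return results

def build_sample_eml() -> bytes:
    """Constructed test message: the 'payload' is 600 'A' characters, not real content."""
    msg = EmailMessage()
    msg["From"] = "vendor@supplier.example"
    msg["To"] = "ap@corp.example"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please review the attached invoice.")
    html = "<html><body><script>var data = atob('" + "A" * 600 + "');</script></body></html>"
    msg.add_attachment(html.encode(), maintype="text", subtype="html", filename="invoice.html")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, score, reasons in scan_eml(build_sample_eml()):
        print(f"{name}: score {score} -> {'; '.join(reasons)}")
```

A gateway would quarantine or sandbox attachments above a chosen score rather than relying on antivirus alone, since the binary never exists on disk until the browser assembles it.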
Cloudflare Click Boxes and CAPTCHA Evasion
Attackers use Cloudflare click boxes or CAPTCHA challenges to prevent automated security tools from analyzing their phishing pages. By requiring human interaction, these barriers block security bots from effectively scanning and flagging malicious content, allowing phishing pages to remain undetected for longer periods because they require manual inspection. Attackers may also employ JavaScript-based fingerprinting to ensure the phishing site only serves malicious content to actual users while displaying innocuous pages to security crawlers.
This method significantly reduces the chances of detection and takedown by automated threat intelligence services. Some attackers even integrate browser behavior tracking to confirm that the visitor is a real user before displaying the phishing form, making automated detection even more challenging.
Google Forms and Cloud Services Abuse
Cybercriminals leverage trusted cloud-based services such as Google Forms, Microsoft Forms, or Dropbox to host phishing pages. Since these domains are widely trusted, security filters will often fail to block them. Users may receive emails linking to these legitimate services, where they are prompted to enter sensitive credentials. Some attackers also use Google Docs or OneDrive to host malware payloads, making them harder to detect.
Additionally, some phishing attempts exploit document-sharing features in cloud platforms to send automated email invitations, further increasing the apparent legitimacy of the attack. It’s common to see fake invoices that direct users to a OneDrive-hosted file, or phishing sites on Amazon S3 or Azure Blob Storage. For these types of attacks to be detected, they require manual inspection by security departments.
QR Codes in PDFs or Images
Attackers embed QR codes in PDF attachments or images instead of traditional phishing links. Since email security filters primarily scan text-based content and URLs, QR codes often evade detection. Typically, users will take out their smartphone and scan the QR code, which contains the malicious link.
Most smartphones lack the traditional security controls that computers have, such as web security, EDR, or firewall protection, which would otherwise help detect malicious intent. Once scanned, these QR codes direct victims to malicious websites designed to harvest credentials or distribute malware.
Combo for the Win
Attackers continuously refine their techniques to bypass email security measures, leveraging new tactics to evade detection. They will typically use several of the methods above in combination to further obfuscate their attack; a common pairing is BEC with thread hijacking, CAPTCHA evasion, QR codes, and cloud services. Employees are the most vulnerable part of the attack chain and also the most important defenders.
Organizations should adopt a multi-layered defense strategy, including:
- Employee awareness training on emerging phishing techniques
- Advanced threat intelligence and email filtering solutions
- Multi-factor authentication (MFA) to prevent unauthorized access
- Continuous monitoring and reporting mechanisms for suspicious emails
By staying informed and vigilant, organizations can better protect themselves against sophisticated phishing attacks.