A closer look at modern evasive phishing emails

The prevalence of sophisticated evasion techniques employed by phishing attacks in circumventing anti-phishing and email security measures is on the rise. The present study offers an exhaustive analysis of user-reported phishing messages pertaining to five companies over a ten-month period. These messages are of particular interest as they evaded all state of the art security layers in place and were identified by the recipients themselves. To study these elusive phishing attempts, we developed an analysis infrastructure, CrawlerBox, designed to overcome cloaking tactics that exploit browser fingerprinting and bot detection challenges. CrawlerBox is made available as an open-source tool to assist other researchers in pursuing further studies. Over the course of ten months, we gathered 1,551 user-reported messages that were confirmed to be malicious, with a particular focus on those targeting the harvesting of corporate credentials. Our analysis infrastructure enabled us to scan these messages and crawl any associated web resources, including URLs, embedded HTML, and JavaScript content. Our findings indicate that the majority of observed phishing attacks are low-volume but meticulously planned, exhibiting a high degree of premeditation and strategic preparation. In particular, a substantial number of sites were registered and had obtained TLS certificates several weeks before the attacks in order to avoid being flagged based on their young age, a common practice used by products to defeat phishing websites. Furthermore, it was observed that phishing pages are now safeguarded by advanced evasion mechanisms, such as bot detection services and opensource fingerprinting libraries. Notably, QR codes are increasingly used to embed phishing content. The victim needs to use a personal phone to flash the code and access the site; this activity will typically fall outside the perimeter of the corporate security defenses. These findings underscore the evolving sophistication of phishing threats and the urgent need for resilient systems to counter these advanced techniques, further emphasizing the critical role of robust infrastructures like CrawlerBox in enhancing the security and dependability of email systems.