Email remains the primary initial access vector for the majority of cyberattacks, and phishing campaigns have evolved dramatically to evade modern email security controls. As a penetration tester who regularly conducts phishing assessments, I have seen firsthand how sophisticated evasion techniques can bypass even well-configured email security stacks. Understanding these techniques is not about teaching attackers new tricks but about helping defenders evaluate and strengthen their email security posture. This post covers MITRE ATT&CK technique T1566 (Phishing) and its sub-techniques, providing actionable defensive guidance.
The Modern Email Security Stack
Before examining evasion techniques, it is important to understand what defenders are working with. A mature email security stack typically includes multiple layers of protection. Secure Email Gateways perform initial filtering based on sender reputation, content analysis, and attachment scanning. Cloud-based email security solutions add machine learning-based detection and sandboxing capabilities. URL rewriting and time-of-click analysis protect against malicious links. SPF, DKIM, and DMARC provide sender authentication. Each layer catches different threats, and the combined defense is significantly stronger than any individual component. Attackers must evade all layers simultaneously, which is why understanding the complete stack matters for both sides.
Attachment Evasion Techniques
Malicious attachments remain a powerful delivery mechanism, and attackers have developed numerous techniques to smuggle them past email security scanning.
- Password-protected archives (T1566.001) - Encrypting malicious files within password-protected ZIP or RAR archives prevents email security solutions from scanning the contents. The password is typically included in the email body. Defenders should configure their email gateway to quarantine or flag password-protected archives, especially when the password appears in the same email. While this may create some friction for legitimate use cases, the security benefit is significant.
- Embedded OLE objects - Attackers embed malicious code within Object Linking and Embedding objects inside Office documents. These objects may appear as icons or embedded files within a seemingly benign document. Defenders should configure email security to detect and block Office documents containing OLE objects from external senders, and ensure that endpoint protection monitors for OLE object activation.
- HTML smuggling (T1027.006) - This technique delivers malicious payloads by encoding them within HTML email content or attachments. When the user opens the HTML file, JavaScript assembles the malicious file locally in the browser, bypassing email security scanning because the malicious content never exists as a scannable attachment. Defenders should block HTML attachments from external senders where possible and ensure browser-based protections can detect HTML smuggling patterns.
- Macro obfuscation - While many organizations now block macros by default, attackers still target environments where macros are enabled by heavily obfuscating the VBA code to evade signature-based detection. Defenders should enforce macro blocking via Group Policy for all documents from the internet using the Mark of the Web mechanism, and implement AMSI scanning for any macros that are permitted to execute.
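Two of the gateway checks recommended above, flagging encrypted archives whose password is disclosed in the same email and scoring HTML attachments for smuggling indicators, as an added Python example (not code from the original post). The ZIP sample, body text, HTML fixture and the indicator list are constructed for illustration.

```python
import io
import re
import zipfile

def make_encrypted_zip_sample() -> bytes:
    """Constructed sample: a stored ZIP whose entry carries the 'encrypted'
    general-purpose flag (bit 0). zipfile cannot write encrypted entries, so
    the flag is patched into the local and central directory headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"placeholder bytes, not a real payload")
    data = bytearray(buf.getvalue())
    data[data.index(b"PK\x03\x04") + 6] |= 1   # local header: flag at +6
    data[data.index(b"PK\x01\x02") + 8] |= 1   # central dir header: flag at +8
    return bytes(data)

# Constructed body text that hands the recipient the archive password.
SAMPLE_BODY = "Hi, the invoice is attached. Password: Q4-2024\nRegards"
PASSWORD_RE = re.compile(r"(?i)\bpassword\b\s*(?:is|:)\s*[\"']?(\S+)")

def encrypted_archive_with_password(zip_bytes: bytes, body: str) -> bool:
    """Flag an email whose ZIP attachment has encrypted entries while the
    body discloses a password, the combination described above."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            encrypted = any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False
    return encrypted and PASSWORD_RE.search(body) is not None

# Building blocks a browser-side dropper needs: decode, materialise, download.
SMUGGLING_MARKERS = ("atob(", "new Blob(", "createObjectURL",
                     "download=", "msSaveOrOpenBlob")
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

def html_smuggling_score(html: str) -> int:
    """Count distinct HTML smuggling indicators; a gateway rule might
    quarantine external HTML attachments scoring 3 or more."""
    score = sum(marker in html for marker in SMUGGLING_MARKERS)
    if B64_BLOB_RE.search(html):
        score += 1   # large inline base64 literal, the smuggled payload itself
    return score

# Constructed fixture: three API markers plus a long base64 literal -> score 4.
SAMPLE_HTML = ('<script>var b=atob("' + "QUFB" * 60 + '");'
               'var f=new Blob([b]);var u=URL.createObjectURL(f);</script>')

if __name__ == "__main__":
    print(encrypted_archive_with_password(make_encrypted_zip_sample(), SAMPLE_BODY))
    print(html_smuggling_score(SAMPLE_HTML))
```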
Link Evasion Techniques
Malicious links are often preferred over attachments because they leave fewer artifacts and can be updated after delivery. Attackers use several techniques to disguise malicious URLs.
- URL shorteners and redirect chains - Attackers use legitimate URL shortening services and multiple redirects to obscure the final destination URL. Email security solutions that only check the initial URL may miss the malicious endpoint at the end of the redirect chain. Defenders should deploy email security that follows redirect chains to their final destination and implement time-of-click URL analysis that re-checks URLs when the user actually clicks them, not just when the email is delivered.
- Time-delayed content - Attackers configure their landing pages to serve benign content when initially scanned by email security solutions, then switch to malicious content after a delay. This defeats pre-delivery scanning because the URL was clean when checked. Time-of-click protection that re-evaluates URLs at the moment of user interaction is the primary defense against this technique.
- Geo-targeted and fingerprinted pages - Sophisticated phishing pages check the visitor's IP address, user agent, and other characteristics. If the visitor appears to be an automated scanner or is located in a region where email security vendors operate, the page serves benign content. Only visitors matching the target profile see the phishing page. Defenders should ensure their URL analysis solutions use residential IP addresses and realistic browser fingerprints to avoid being detected as scanners.
- QR code phishing - In this increasingly common technique, the malicious URL is embedded in a QR code within the email. Because most email security solutions do not scan QR codes in images, the malicious URL passes through undetected. Defenders should deploy email security that can decode and analyze QR codes embedded in email images and educate users about the risks of scanning QR codes from emails.
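Following a redirect chain to its final destination, as recommended above, as an added Python example (not the author's code). The hop table, the shortener list and all hostnames are constructed stand-ins for live HTTP responses; the same `assess_link` call run at click time gives the time-of-click re-check.

```python
from urllib.parse import urlparse

# Constructed hop table standing in for live HTTP HEAD responses:
# url -> (status code, Location header or None). Hostnames are placeholders.
HOPS = {
    "https://short.test/x1": (301, "https://redirector.test/r?u=2"),
    "https://redirector.test/r?u=2": (302, "https://login-portal.test/auth"),
    "https://login-portal.test/auth": (200, None),
    "https://loop.test/a": (302, "https://loop.test/b"),
    "https://loop.test/b": (302, "https://loop.test/a"),
}
KNOWN_SHORTENERS = frozenset({"short.test"})   # constructed list

def fake_head(url):
    """Offline stand-in for an HTTP HEAD request against the hop table."""
    return HOPS.get(url, (404, None))

def follow_chain(url, fetch=fake_head, max_hops=10):
    """Walk 3xx redirects to the final destination, stopping on loops or
    when the hop budget is exhausted. Returns (chain, outcome)."""
    chain = [url]
    while len(chain) <= max_hops:
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain, "resolved"
        if location in chain:
            return chain + [location], "loop"
        chain.append(location)
    return chain, "too_many_hops"

def assess_link(url, fetch=fake_head):
    """Score the link on what the chain reveals, not on the visible URL.
    Run at delivery and again at click time for time-of-click protection."""
    chain, outcome = follow_chain(url, fetch)
    first_host = urlparse(chain[0]).hostname
    final_host = urlparse(chain[-1]).hostname
    reasons = []
    if first_host in KNOWN_SHORTENERS:
        reasons.append("starts at a URL shortener")
    if len(chain) > 2:
        reasons.append(f"{len(chain) - 1} redirects before final destination")
    if final_host != first_host:
        reasons.append(f"final host differs from visible link: {final_host}")
    if outcome != "resolved":
        reasons.append(f"chain did not resolve cleanly: {outcome}")
    return {"final_url": chain[-1], "hops": len(chain) - 1, "reasons": reasons}
```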
Sender Reputation Evasion
Email security relies heavily on sender reputation to filter malicious emails. Attackers have developed techniques to appear as trustworthy senders.
- Compromised legitimate accounts - Using compromised email accounts from legitimate organizations provides the attacker with the full sender reputation of that organization. SPF, DKIM, and DMARC all pass because the email genuinely originates from the legitimate mail server. Defenders should implement anomaly detection that identifies unusual sending patterns from known contacts, such as unexpected attachment types, unusual sending times, or requests that deviate from normal communication patterns.
- Aged domains with proper authentication - Attackers register domains months in advance and gradually build their reputation by sending legitimate traffic before launching phishing campaigns. They configure SPF, DKIM, and DMARC correctly to pass all authentication checks. Defenders should supplement authentication checks with domain age analysis and newly registered domain monitoring. Domains less than 30 days old used in incoming email should receive additional scrutiny.
- Thread hijacking - After compromising an email account, attackers reply to existing email threads with phishing content. Because the reply appears within a legitimate conversation thread, recipients are more likely to trust it, and email security may score it as lower risk. Defenders should implement content analysis that evaluates the nature of replies within threads, flagging responses that contain unexpected attachments or links within otherwise normal conversations.
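The 30-day domain age rule from the aged-domains item, as an added Python example (not the author's code). It assumes the registration date comes from an RDAP lookup in the RFC 9083 format; the RDAP document, the sender address and the fixed clock are constructed for the demo.

```python
import json
from email.utils import parseaddr
from datetime import datetime, timezone
from typing import Optional

# Constructed RDAP response in the RFC 9083 shape a live registry lookup
# returns; only the fields this check reads are included.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example-invoicing.test",
    "events": [
        {"eventAction": "registration", "eventDate": "2024-05-20T09:12:00Z"},
        {"eventAction": "last changed", "eventDate": "2024-05-21T10:00:00Z"},
    ],
})
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for the demo

def sender_domain(from_header: str) -> str:
    """Domain of the address in a From: header (display name ignored)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def registration_date(rdap_json: str) -> Optional[datetime]:
    """Registration timestamp from the RDAP 'events' array, or None."""
    for event in json.loads(rdap_json).get("events", []):
        if event.get("eventAction") == "registration":
            ts = event["eventDate"].replace("Z", "+00:00")
            return datetime.fromisoformat(ts)
    return None

def domain_age_days(rdap_json: str, now: datetime) -> Optional[int]:
    registered = registration_date(rdap_json)
    return None if registered is None else (now - registered).days

def needs_extra_scrutiny(rdap_json: str, now: datetime, min_age_days: int = 30) -> bool:
    """The 30-day rule from the text: young or unknown-age domains are
    flagged even when SPF, DKIM and DMARC all pass."""
    age = domain_age_days(rdap_json, now)
    return age is None or age < min_age_days

if __name__ == "__main__":
    domain = sender_domain("Accounts <billing@example-invoicing.test>")
    print(domain, domain_age_days(SAMPLE_RDAP, DEMO_NOW),
          needs_extra_scrutiny(SAMPLE_RDAP, DEMO_NOW))
```

In production, replace `DEMO_NOW` with `datetime.now(timezone.utc)` and fetch the RDAP document for `sender_domain(...)` from the registry's RDAP service.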
Detection and Defense Strategies
Building effective phishing defense requires a layered approach that combines technology, processes, and user awareness. Here are my recommendations based on extensive phishing assessment experience.
- Deploy comprehensive email authentication - Implement SPF, DKIM, and DMARC for your own domains with a reject policy. This prevents attackers from spoofing your domain and protects your brand reputation. Monitor DMARC reports to identify unauthorized use of your domain.
- Enable time-of-click URL protection - Ensure that URLs are re-analyzed when users click them, not just when the email arrives. This defeats time-delayed content swapping and catches URLs that become malicious after delivery.
- Implement attachment sandboxing - Deploy email security that detonates attachments in a sandbox environment before delivery. This catches malicious macros, embedded objects, and other payload types that static analysis might miss. Ensure the sandbox can handle password-protected archives by extracting passwords from the email body.
- Conduct regular phishing simulations - Test your users and your email security stack simultaneously. During my phishing assessments, I document both what bypasses the technical controls and which users fall for the social engineering. This dual focus provides actionable data for improving both technology and training.
- Establish reporting mechanisms - Make it easy for users to report suspicious emails. A well-designed report button in the email client, combined with rapid triage by the security team, creates a human detection layer that catches what automated systems miss. Recognize and reward users who report effectively to build a security-aware culture.
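An audit of the SPF and DMARC posture recommended in the first item above, as an added Python example (not the author's code). The DNS TXT answers and domain names are constructed; a live version would replace the `lookup` callable with a real TXT query.

```python
# Constructed DNS TXT answers standing in for live lookups; the domains are
# placeholders, and the records show a weak and a hardened configuration.
RECORDS = {
    "example.test": "v=spf1 include:_spf.example.test ~all",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    "hardened.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.hardened.test": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                             "rua=mailto:dmarc@hardened.test"),
}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip().lower()] = value.strip()
    return tags

def audit_domain(domain: str, lookup=RECORDS.get) -> list:
    """Check a domain's SPF and DMARC against the reject-policy
    recommendation above; returns a list of findings (empty = compliant)."""
    findings = []
    spf = (lookup(domain) or "").strip()
    if not spf.lower().startswith("v=spf1"):
        findings.append("no SPF record")
    elif not spf.endswith("-all"):
        findings.append("SPF does not hard-fail unknown senders (-all)")
    tags = parse_dmarc(lookup(f"_dmarc.{domain}") or "")
    if tags.get("v") != "DMARC1":
        findings.append("no DMARC record")
        return findings
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"DMARC policy is p={policy}, not reject")
    if tags.get("sp", policy) != "reject":
        findings.append("subdomain policy (sp) weaker than reject")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never received")
    return findings

if __name__ == "__main__":
    for d in ("example.test", "hardened.test", "unknown.test"):
        print(d, audit_domain(d) or ["OK"])
```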
Testing Your Email Security Posture
- Test against your actual email security stack - Use realistic phishing scenarios during penetration tests that target your specific email infrastructure. Generic phishing tests that do not account for your security controls provide limited value.
- Include user awareness testing - Measure click rates, credential submission rates, and reporting rates. Track these metrics over time to demonstrate the effectiveness of your security awareness program and identify departments or roles that need additional training.
- Document what bypasses detection - Every technique that successfully reaches a user inbox is a detection gap that needs to be addressed. Work with your email security vendor to close these gaps and verify the fix through retesting.
- Improve controls based on findings - Translate testing results into concrete configuration changes, new detection rules, and updated user training content. The value of phishing assessments comes not from the test itself but from the improvements that follow.
The Human Element in Phishing Defense
No email security stack is perfect, and some phishing emails will inevitably reach user inboxes. This is why user awareness training remains a critical component of phishing defense. However, training should be realistic and constructive, not punitive. Users who report suspicious emails should be praised, not criticized when they occasionally click. The goal is to create an organizational culture where reporting suspicious communications is natural and expected. During my assessments, I consistently find that organizations with strong reporting cultures detect phishing campaigns faster and limit their impact more effectively than organizations that rely solely on technical controls. The combination of robust email security technology and an engaged, security-aware workforce provides the most resilient defense against evolving phishing threats.