Image by Captainverify

Beyond Email Phishing

By Mandem | Deus Ex | 23 Oct 2025


Moving outside the inbox to rethink security posture

 

Cybercriminals have for long evolved beyond email-based phishings because organizations have improved their email security and attackers recognize that trust exists across all communication channels. This means attackers have shifted from bypassing a technology (traditional email filters) to targeting whole ecosystems.

Hacker groups target senders (our bank, our boss or our friend), platforms (Slack, LinkedIn, Google Search..) or daily functions (paying a bill, downloading software, viewing a menu..). Gaining access to a Single Sign-On (SSO) provider like Okta, Microsoft Entra ID (Azure AD) or Google Workspace is the ultimate prize for an attacker. It’s not just a key; it is the master key to the entire digital kingdom.

The New Risk Landscape

Modern phishing methods now exploit the platforms people use and trust most in their daily lives from text messages and social media to collaboration tools and even QR codes. This expansion creates more attack surfaces and makes detection even more challenging. Also, sophisticated phishing kits have evolved significantly and incorporate sophisticated techniques to bypass security measures and effectively target victims.

Notable phishing kits include FishXProxy, which allows novice attackers to execute sophisticated email campaigns with features like dynamic attachment generation and anti-bot systems. A second tool is Salty2FA that specializes in multi-stage phishing, dynamically branding its pages to match corporate identities and employing session-based subdomains for enhanced evasion. Another well-known Attacker-in-the-Middle (AitM) kit is Evilginx. It enables seamless credential harvesting by bypassing modern authentication systems while keeping users unaware of the threat altogether.

When multi-vector phishing attacks circumvent email security, they render traditional detection, reporting measures ineffective and create a massive challenge for SOC teams. To combat this, security has to analyse the network layer and webpage presented to users after an attack. This involves reconstructing browser behavior by examining network traffic to understand the HTML content displayed.

However, many phishing kits, particularly sophisticated Attacker-in-the-Middle (AitM) tools, complicate this process. They use various techniques like DOM obfuscation, page obfuscation, and code obfuscation, resulting in a tangled mass of JavaScript that obscures useful information at the network layer, making it difficult for teams to decipher the actual content seen by victims.

  1. DOM obfuscation hides malicious scripts from detection by creating complex hierarchies or using non-standard element naming. By altering how elements are structured and interacting, DOM obfuscation makes it difficult for security tools to parse and understand the page’s layout.
  2. Page obfuscation involves altering the visible content and structure of a webpage through various coding techniques, such as replacing standard HTML tags. The purpose of this approach is to make it challenging for security measures and analysts to identify the true nature of the page, thereby preventing straightforward detection of malicious activities.
  3. Code obfuscation alters the actual JavaScript code utilized on a webpage by renaming variables, controlling the flow, and inserting misleading snippets that serve no functional purpose. The aim of this technique is to conceal the code’s true intent and functionality, complicating efforts to analyze the underlying logic and identify any malicious activities.

Multi-vector phishing attack can also leverage Geotargeting (location-based phishing) and Conditional Payload Delivery which are two sophisticated techniques that make these campaigns highly effective and difficult to detect.

  1. With Geotargeting, attackers use IP geolocation databases to serve different content based on the visitor’s perceived physical location. This increases credibility, evades many automated scanners and ensures only the most likely victims see the malicious content.
  2. Regarding Conditional Payload Delivery, it is a form of “cloaking” where the phishing site behaves differently based on specific characteristics of the visitor (e.g., IP range/reputation, time-based delivery, specific cookie..). A common conditional trigger is a payload that only loads if the visitor arrived from a specific link in a targeted email campaign (HTTP referrer header: campaign-specific-url.com). If someone types the domain directly or arrives from a search engine, they will see a blank page or a harmless error. The attack can also check if the visitor is using a common browser like Chrome or Firefox versus a command-line tool like curl or a virtual machine browser used by sandboxes.

Below is a condensed scenario that combines these sophisticated techniques into a single, multi-layered phishing attack that would be extremely difficult to detect and prevent.

Objective: To steal corporate banking credentials and, crucially, bypass Multi-Factor Authentication (MFA) from the Finance Department of target “Global Corp Inc.”

Execution Method: A coordinated, multi-phase attack blending social engineering and advanced technical evasion:

  1. Multi-Channel Lure: Employees receive a coordinated urgent message via SMS (Smishing) about a payroll issue. This is reinforced by a Teams message from a compromised colleague and an AI-voiced phone call (Vishing) for legitimacy.
  2. Phishing Kit: The link leads to a site running an Attacker-in-the-Middle (AitM) kit like Evilginx which proxies the real corporate login page.
  3. Credential & Session Theft: When employees enter their credentials and complete the MFA challenge, the AitM kit steals the resulting session cookies, giving the attacker full, authenticated access without needing the password or MFA again.
  4. Advanced Evasion: The attacker group uses geotargeting and conditional payloads to remain hidden from security analysts and automated scanners, while code obfuscation techniques make forensic analysis of the phishing page extremely difficult.

Outcome: The attacker gains undetected access to the corporate network and banking systems with the same privileges as the legitimate employees. This eventually leads to fraud and data theft. This scenario demonstrates how modern phishing circumverts traditional email security and makes stolen credentials useless by targeting the session itself.

Organizations struggle to respond to non-email phishing attempts, lacking the ability to report, recall or quarantine attempts occurring outside traditional email channels (e.g., social media and messaging platforms). They are also facing rapidly rotating phishing domains that make URL blocking ineffective. This highlights the need for more advanced strategies and proactive measures to combat these evolving threats.

Breaking the Cycle

Technical controls are playing catch-up and trying to extend protection to these new, fragmented and personal channels. Yet they are inherently less effective than they were in the walled garden of corporate email.

For this reason, a robust defense now depends on combining many elements into an integrated and adaptive system:

  • A Massive Cultural Shift: It consists in building the human firewall as primary control. With the onset of AI-powered attacks (deepfakes or flawless content), it is important to deliver continuous, engaging security awareness training that covers not just email but ALL communication channels. In military terms, it is equivalent to moving from a static “Maginot Line” defense paradigm to a dynamic and adaptable “Blitzkrieg” security posture.
  • Adapted Technical Controls: Mobile Device Management (MDM) with browser filtering, specialized security for collaboration platforms and DNS filtering that covers off-network devices. Client-Side Browser Security or Real-Time Phishing Protection allow the page to start loading and then monitor what it does (behavior and intentin real-time within the user’s actual browser session. If malicious behavior is detected, the tool blocks the action immediately.
  • Phishing-Resistant MFA: With the blurring of personal and professional life with teleworking, it is necessary to make stolen credentials gained through these new phishing attacks useless.
  • Secure Web Gateways (SWG) with Advanced Threat Protection (ATP) : Certain modern security tools (e.g., Proofpoint, Microsoft or Palo Alto Networks) act as “undercover agents” and can now execute complex analysis, mimicking human behavior from different geographic points to try and trigger the conditional payload but it’s a constant arms race.
  • Zero-Trust (ZT) Policies: Assuming breach and verifying every access request regardless of its source. “Trusted” and unmonitored channels (SMS, Teams, QR Codes) must be verified constantly. The same goes for encrypted channels (WhatsApp, iMessage, Signal, Telegram..) that are exploited due to their end-to-end encryption and for which no security scanner can inspect the content of the messages for malicious links.

Here is a second scenario that illustrates how the above defensive strategy would work in practice to thwart the sophisticated “Multi-Platform Corporate Onslaught” attack we discussed earlier.

Attack Recap: Attackers use a coordinated SMS & Teams message to lure one or several finance employees to a geotargeted, AitM phishing site designed to steal SSO credentials and session cookies to breach the company’s bank account.

Here is how the integrated defense system responds:

Layer 1: The Human Firewall & Initial Detection

Sarah is an employee of the finance department. She receives coordinated phishing messages via SMS and Microsoft Teams. Due to recent security training covering multi-channel threats, she recognizes the attack patterns (urgency, credential requests and multi-platform coordination). She immediately reports the incident to the SOC Team.

Layer 2: Adapted Technical Controls & Client-Side Protection

If Sarah clicks a malicious link, the organization’s layered technical defenses activate. DNS filtering first flags the suspicious domain, prompting client-side browser security to analyze the page’s behavior. This analysis detects the AitM attack pattern through unauthorized form routing and triggers an automated block that prevents credential entry. This demonstrates how integrated controls create a critical safety net, neutralizing threats directly in the browser despite user action.

Layer 3: Phishing-Resistant MFA

In a variation, the AitM site is so sophisticated it loads and Sarah enters her username and password. The company uses FIDO2 security keys for phishing-resistant MFA. When the fake page prompts for MFA, Sarah plugs in her key. The cryptographic handshake between the key and the website fails completely because the key’s unique signature only works with the legitimate company domain. Authentication is halted. The stolen password is useless. The AitM attack is neutralized at its most critical stage.

Layer 4: Advanced Threat Protection & Intelligence

Meanwhile, the company’s Secure Web Gateway (SWG) with ATP has its “undercover agents” scanning the reported URL. An ATP node from a Chicago-based IP, using a standard Chrome browser and the correct referrer header, successfully triggers the conditional payload. It captures the fake login page, analyzes it and confirms it as a high-fidelity phishing site. The SWG automatically updates its global policy and blocks the domain for all other employees within minutes. The attack is contained and neutralized at the network level thus protecting the entire organization.

Layer 5: Zero-Trust Policies (containing a hypothetical breach)

Let’s imagine a worst-case scenario where an attacker somehow obtains a valid session cookie. The company’s ZT policy is enforced. The access request to the banking portal from a new IP and without the required device compliance certificate is directly flagged. The system prompts for step-up authentication. The attacker, lacking the physical security key, cannot proceed. Consequently the session is terminated and an alert is sent to the SOC. Even with a stolen session, the attacker’s movement is severely restricted and the breach is contained.

Conclusion of this defense scenario

This is actually an ideal scenario but Sarah might miss the signs, the client-side tool might be evaded by a novel technique or the ATP might take a few minutes to analyze the site. However, by integrating these layers, the defense creates a system of overlapping safeguards where the failure of one control is caught by another.

Among key limitations of this defense strategy, defenders must protect all points while attackers only need one flaw. Also, implementing an integrated security stack (e.g., ZTNA, ATP, MDM..) is prohibitively expensive and complex for many organizations especially SMBs. And even trained users can still be manipulated under pressure.

Acknowledging the limits of any strategy is therefore crucial for its successful implementation. It must be clear that these defense guidelines do not eliminate the threat of multi-vector phishing but help to manage and contain it.

In essence, the above strategy moves from trying to block every type of malicious messages which is unrealistic to rendering stolen data useless and preventing unauthorized actions via ZT. All this while making the user a more savvy and skeptical partner in the process. This integrated, adaptive system can successfully break the attack cycle and transform a potential catastrophic breach into a managed security incident.

About Me

I am a Blue Team SecOps analyst in the FinTech insurance sector. My focus is on safeguarding sensitive assets by applying threat-informed defense strategies and ensuring strict adherence to industry standards (e.g., ISO 27001, ISO27701, NIST).

   

How do you rate this article?

10


Mandem
Mandem

Belgian Catholic, Digital Artist & Crypto enthusiast


Deus Ex
Deus Ex

About anything

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.