Sophisticated phishing campaigns have been identified that avoid detection by ensuring that only approved targets are funneled to the phishing pages where login credentials are harvested. In a standard phishing campaign, a threat actor sends out tens of thousands of phishing emails to an email list. Many lists are freely available, and others can be purchased cheaply on dark web marketplaces. This approach is often referred to as spray and pray – send out large numbers of untargeted emails in the knowledge that a small but significant number of individuals will respond.

A variety of lures and social engineering techniques are used to trick the recipient into clicking a link in the email that directs them to a phishing page. The phishing page mimics a well-known company and informs the victim that they need to provide their login credentials to access the content they are expecting. When credentials are entered, they are captured and used to log in to the user’s account. The phishing infrastructure used by threat actors is often identified and the URLs are added to real-time blacklists, after which they will be blocked by email security solutions. Phishing pages are often detected by crawlers and sandboxing environments, and once a phishing page is added to a real-time blacklist, far fewer individuals will be directed to the page. The threat actor then needs to switch to a clean URL, one that has not been previously detected, to continue with the campaign.

One new technique recently observed in phishing campaigns involves limiting redirects to phishing pages to ensure that only approved targets access the phishing pages, helping to prolong the lifespan of the phishing pages by preventing them from being accessed by crawlers and sandbox environments. To analyze potential phishing pages, test credentials are entered. A legitimate login page would reject the credentials since they are invalid, but a phishing page would generally capture the data and redirect the user to a URL of the threat actor’s choosing. That could be the genuine login page of the service they are impersonating.

The new technique validates the email addresses that are entered. If the email address is not on the original phishing list, the login attempt will be rejected and there will be no redirect to the phishing page, thus preventing analysis. This is achieved by adding validation scripts to phishing pages capable of validating email addresses in real-time or alternatively through API integrations. While this approach adds sophistication that would likely be unavailable to less skilled cybercriminals, these tools are now being included in phishing kits. Phishing kits provide the infrastructure so that even low-skilled cybercriminals can conduct highly sophisticated phishing campaigns. The kits, which can be used for a fee, can also include tools to bypass multi-factor authentication.
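A sandbox triage rule that follows from the behaviour described above, as an added example that is not part of the original article: a rejected test login is recorded as inconclusive rather than clean, and a session is flagged when the typed address is sent to a different origin before any password is requested. The session format, the hostnames and the off-origin heuristic are assumptions made for illustration, and the heuristic is a signal for analyst review, not proof.

```python
from urllib.parse import urlsplit, unquote

TEST_EMAIL = "analyst-probe@example.org"  # constructed probe address

def origin(url):
    """Scheme and host of a URL, lower-cased for comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def triage(page_url, requests, outcome, test_email=TEST_EMAIL):
    """Return (verdict, reasons) for one sandbox session (hypothetical format).

    requests: dicts with 'url', 'body' and 'stage', where stage is 'email'
              (sent before a password was requested) or 'password'.
    outcome:  'rejected' or 'redirected' after the test credentials were sent.
    """
    reasons = []
    page_origin = origin(page_url)
    needle = test_email.lower()
    for req in requests:
        # Decode form/query encoding so %40 still matches the '@'.
        sent = unquote(req["url"] + " " + req.get("body", "")).lower()
        if (req["stage"] == "email" and needle in sent
                and origin(req["url"]) != page_origin):
            reasons.append(f"email checked off-origin at {origin(req['url'])}")
    if outcome == "redirected":
        # A genuine login page rejects invalid credentials.
        reasons.append("test credentials accepted and user redirected")
    if reasons:
        return "suspicious", reasons
    # Rejection alone proves nothing: a gated page rejects unlisted addresses.
    return "inconclusive", ["test credentials rejected; not evidence of legitimacy"]

# Constructed sessions; every host below is a placeholder.
PAGE = "https://login.example.com/signin"
GATED = [{"stage": "email", "url": "https://validator.example.net/check",
          "body": "email=analyst-probe%40example.org"}]
PLAIN = [{"stage": "password", "url": "https://login.example.com/session",
          "body": "user=analyst-probe%40example.org&pw=x"}]

if __name__ == "__main__":
    for name, reqs, outcome in [("gated", GATED, "rejected"),
                                ("plain", PLAIN, "rejected"),
                                ("harvest", PLAIN, "redirected")]:
        print(name, triage(PAGE, reqs, outcome))
```

The rule never returns a clean verdict, so a page that rejects the probe address stays in the queue for review with a different identity or for reputation checks.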

The increasing sophistication of phishing campaigns means businesses need to implement sophisticated phishing defenses, which means adopting a defense-in-depth approach with multiple overlapping layers of protection. In practice, that means a spam filtering service to prevent phishing emails from reaching their intended targets. Advanced spam filters for incoming mail, such as SpamTitan, incorporate multiple layers of protection by analyzing every aspect of incoming emails and subjecting them to in-depth analysis to validate their legitimacy. This includes antivirus engines for malware detection, email sandboxing for in-depth analysis of files to identify novel malware, and AI and machine learning to identify phishing and other malicious content, including checks of how an email deviates from typical emails received from a business. The SpamTitan enterprise spam filter also includes multiple validation checks of the sender’s email and domain, greylisting to initially reject messages and request resending to block spam, and allow-listing, blocking, and dedicated blocklists created through extensive threat intelligence gathering.

An anti-phishing solution is recommended for Microsoft 365 environments to catch the malicious emails that Microsoft often misses. The PhishTitan anti-phishing solution integrates seamlessly with Microsoft 365, blocking more threats by augmenting Microsoft’s defenses with the same engine that powers SpamTitan. PhishTitan also adds banners to inbound emails from external sources to alert users to potential risks and combats spoofing and masking by rewriting URLs, showing their true destination. In independent tests, TitanHQ’s email security suite has been proven to provide exceptional protection against phishing, spam, and malware with 100% detection rates in Q4, 2024, and more than 99.99% accuracy in Q1, 2025.

Multifactor authentication should be configured for all email accounts to provide an additional layer of protection, and all users should be provided with ongoing security awareness training. For the most effective training, it should be conducted continuously in small chunks each month rather than in an annual training session. A phishing simulator should also be used to reinforce training and identify individuals who fail to recognize phishing attempts, to ensure they can be provided with the additional training they need. The SafeTitan security awareness training and phishing simulation platform makes this easy for businesses.

Give the TitanHQ team a call for more information on increasing the sophistication of your email defenses. All TitanHQ solutions are also available on a free trial to allow you to put them to the test in your own environment before making a purchase decision.