Types of Phishing Emails That Fly Under the Radar

Very few areas of cybercrime measure up to phishing in terms of global footprint. The FBI says it accounted for the largest number of victim reports submitted to its Internet Crime Complaint Center (IC3) in 2020. The financial losses incurred by organizations due to business email compromise, a specialized form of phishing, amounted to a jaw-dropping $1.8 billion last year. According to Verizon’s report, 36% of data breaches recorded in 2021 involved phishing.

What makes this foul play so lucrative? It comes down to the human element, which is the weakest link in the average enterprise’s digital posture. It’s not software or hardware vulnerabilities that cybercrooks exploit the most. It’s the user, with their pain points, gullibility, and a lack of security awareness.

Thankfully, email filters are increasingly effective at identifying and blocking messages that try to fool recipients into clicking a malicious link, downloading a malicious attachment, or disclosing sensitive information. Under the circumstances, phishers are masterminding new tricks to bypass these barriers.

Emails That Mimic World-Famous Financial Organizations

In a campaign that broke out in the summer of 2020, a cybercriminal gang targeted companies with deceptive messages impersonating major banks, such as Citigroup or Bank of America. These emails instructed recipients to update their personal information on a page masquerading as the official site of the financial organization whose services they were using. To look legitimate, the scam also included an interstitial web page that asked users to specify their security challenge question.

Many phishing protection tools allowed these emails to reach their targets, although they came from @yahoo.com rather than the bank’s actual domain, which is something that should instantly raise a red flag. How so?

First off, the scam targeted only a few employees per company. Since traditional email filters look for large volumes of identical or similar messages with suspicious content, a handful of messages is likely to go undetected.

The fact that these emails were sent from a personal Yahoo account threw a spanner in the works as well. Classic verification mechanisms, such as Domain-based Message Authentication, Reporting, and Conformance (DMARC) and Sender Policy Framework (SPF), check that a message really comes from the domain in its headers. Because these emails genuinely originated from Yahoo’s mail servers, both checks passed, and there was no domain spoofing attempt to flag.

Lastly, the knock-off website of the bank had been registered shortly before the hoax started making the rounds, so it had not yet appeared on any blacklists. It also used a valid TLS certificate. These simple techniques, combined with some pressure in the message body, allowed the phishing wave to flow through and dupe some recipients into handing over their confidential data.

Malicious ZIP Files in Disguise

If you are familiar with the ZIP format, you probably know the End of Central Directory (EOCD) record. It sits at the end of an archive and points to the central directory, which lists the archive’s entries. In an ideal world, a compressed package contains a single EOCD record. However, malicious actors have learned to create archives with two parallel structures, one of which is hidden in plain sight.

Secure Email Gateways (SEGs) come with decompression features that examine all ZIP files before users can open them. In the double-EOCD scenario, though, the only part available for inspection is the harmless “red herring” structure, which passes all the checks with flying colours. Meanwhile, the hidden structure is unpacked behind the scenes, executing a remote access tool (RAT) on the recipient’s computer.
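To show what a gateway check for this trick looks like, here is an added example (not code from the original article) that scans an archive for every EOCD signature, walks the central directory that precedes each one, and contrasts that with what a standard ZIP reader reports. The sample archives are constructed in memory; the entry names and contents are placeholders.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record signature
CDH_SIG = b"PK\x01\x02"    # central directory file header signature

def build_zip(entries):
    """Build an in-memory archive from {name: bytes}, stored without compression."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def find_eocds(blob):
    """Locate every EOCD record; returns (offset, entry_count, cd_size) per record."""
    found, pos = [], blob.find(EOCD_SIG)
    while pos != -1 and pos + 22 <= len(blob):
        # EOCD: sig(4) disk(2) cd_disk(2) n_here(2) n_total(2) cd_size(4) cd_off(4) comment_len(2)
        _, _, _, _, total, cd_size, _, _ = struct.unpack("<4sHHHHIIH", blob[pos:pos + 22])
        found.append((pos, total, cd_size))
        pos = blob.find(EOCD_SIG, pos + 1)
    return found

def names_in_directory(blob, eocd_pos, cd_size, count):
    """List entry names in the central directory that immediately precedes the given EOCD."""
    names, p = [], eocd_pos - cd_size
    for _ in range(count if p >= 0 else 0):
        if blob[p:p + 4] != CDH_SIG:
            break
        name_len, extra_len, comment_len = struct.unpack("<HHH", blob[p + 28:p + 34])
        names.append(blob[p + 46:p + 46 + name_len].decode("utf-8", "replace"))
        p += 46 + name_len + extra_len + comment_len
    return names

def hidden_structures(blob):
    """One name list per EOCD. A well-formed archive yields one list; more is suspicious."""
    return [names_in_directory(blob, pos, size, n) for pos, n, size in find_eocds(blob)]

def default_view(blob):
    """What a standard reader (Python's zipfile) reports: it trusts only the final EOCD."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()

# Constructed sample: a benign decoy archive with a second, complete archive appended.
DECOY = build_zip({"invoice.txt": b"decoy"})
SECOND = build_zip({"update.txt": b"placeholder text, not malware"})
DOUBLE_EOCD = DECOY + SECOND
```

A gateway that only unpacks `default_view(DOUBLE_EOCD)` (or only the first structure) never sees the other half; flagging any archive where `hidden_structures` returns more than one list catches the layout regardless of which half a given extractor prefers.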

The Use of a Foreign Language to Confuse Protection Tools

Most anti-phishing systems are configured to identify phishing templates in English or in the client company’s language of business correspondence. To dodge this obstacle, some crooks send emails in Russian and include a phrase that encourages the would-be victim to use an online translation service. As a result, these messages arrive in inboxes without hindrance, and overly curious users may take the bait after reading the translated text.

Reversing HTML Code

One more stratagem in this genre of cybercrime involves changing the text direction in the source code of a message. Email filters let such a message through because its source no longer matches known phishing samples. When the email is opened, the mail client renders the text correctly for the user.

To pull this trick, black hats abuse Cascading Style Sheets (CSS), the styling language that specifies how HTML elements should be rendered on the screen. CSS can set the text direction of individual elements, a feature intended for mixing left-to-right scripts such as Latin with right-to-left scripts such as Arabic in the same email. Because those scripts flow in opposite directions, the same mechanism can be used to display text that is stored reversed in the source the right way round, which is what makes this reversing treacherous.
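The defensive counterpart is to scan the text as the client would render it rather than the raw source. The following added example (not code from the original article) extracts the displayed text from an HTML message, flipping back any element whose inline style combines `direction: rtl` with `unicode-bidi: bidi-override`, and compares a keyword check on both views. It assumes non-nested reversed elements and inline styles; the sample email and the keyword list are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# CSS pair that makes the client draw an element's characters right-to-left, so text
# stored reversed in the source is displayed in normal reading order.
RTL = re.compile(r"direction\s*:\s*rtl", re.I)
OVERRIDE = re.compile(r"unicode-bidi\s*:\s*bidi-override", re.I)
SUSPICIOUS = ("verify your account", "password")   # tiny keyword list for illustration

class RenderedText(HTMLParser):
    """Collect the text a recipient would see, undoing CSS-driven reversal (non-nested case)."""
    def __init__(self):
        super().__init__()
        self.chunks, self.reversing = [], None

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        if self.reversing is None and RTL.search(style) and OVERRIDE.search(style):
            self.reversing = tag   # remember which element's text must be flipped back

    def handle_endtag(self, tag):
        if tag == self.reversing:
            self.reversing = None

    def handle_data(self, data):
        self.chunks.append(data[::-1] if self.reversing else data)

def rendered_text(html):
    """Text as displayed after the client applies the direction override."""
    p = RenderedText()
    p.feed(html)
    p.close()
    return re.sub(r"\s+", " ", "".join(p.chunks)).strip()

def source_text(html):
    """Naive view: tags stripped from the raw source, with no CSS awareness."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html)).strip()

def keywords_in(text):
    """Keywords from SUSPICIOUS that occur in the given text (case-insensitive)."""
    return [kw for kw in SUSPICIOUS if kw in text.lower()]

# Constructed sample: the second paragraph is stored backwards and flipped by CSS on display.
SAMPLE = (
    "<html><body><p>Dear customer,</p>\n"
    '<p style="direction: rtl; unicode-bidi: bidi-override;">'
    "drowssap ruoy retne dna tnuocca ruoy yfirev esaelP</p></body></html>"
)
```

`keywords_in(source_text(SAMPLE))` finds nothing, while `keywords_in(rendered_text(SAMPLE))` flags both phrases, which is why a filter has to normalize direction overrides before matching.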

Weaponizing Hacked SharePoint Accounts

Checking messages for dubious links is an inalienable component of SEGs’ protection logic, and perpetrators know it. To steer clear of this mechanism, they may embed URLs of legitimate cloud services. For instance, phishers often piggyback on SharePoint sites they have unauthorized access to. Email filters trust resources hosted on this collaborative platform from Microsoft, and therefore such messages get the green light to reach victims’ inboxes.

If a user takes the bait by clicking the link that supposedly points to an important work document, they will see a malicious OneNote file with unintelligible content. To read it, the person is instructed to follow another hyperlink, which, after several web redirects, brings them to a credential phishing page disguised as the OneDrive for Business sign-in portal. Predictably, the authentication details entered there end up in criminals’ hands.

Are You Vigilant Enough to Fend Off Phishing Attacks?

The use of anti-phishing tools is half the battle. These solutions sift through all the incoming emails and automatically stop most social engineering attempts in their tracks. The problem is that threat actors are constantly contriving new methods to hoodwink these defences. Therefore, a great deal of protection is up to you. The following recommendations will help you avoid the peril:

  • Refrain from clicking links embedded in emails, even if they look trustworthy.
  • Don’t load email attachments sent by strangers.
  • Before typing your username and password in a sign-in form, ascertain that the page uses an encrypted connection (HTTPS).
  • If an email impersonates a trusted organization and asks you to provide personal information, check it for misspellings and other mistakes – these are telltale signs of a scam.
  • Ignore messages that tell you to do something urgently.
  • Having received a wire transfer request from a colleague, always make doubly sure it is legitimate. There is no harm in giving the person a phone call or discussing this in person.
  • Don’t post too much personal data on social networks, as it can be used to build a profile of you and orchestrate a highly effective targeted phishing attack.
  • Keep your firewall enabled and use a security application with a phishing protection feature.

To recap, email filters cannot completely safeguard you and your organization against the scourge of phishing. Some of these messages will undoubtedly get around this layer of protection, and then the outcome is a matter of your security awareness. Email hosting from a reputable web host like HostPapa can help you lower the risk of phishing with services such as Phishing Protection. To be a moving target, use the above tips and never stop honing your ability to identify such frauds.

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
