Most Phishing Campaigns Evade Traditional Filters
by Justin Erickson
An industry analysis published by Bleeping Computer highlights a fundamental gap in today’s anti-phishing defenses. Because most email and web filters rely on indicator-of-compromise (IoC) blocklists (domains, URLs, and IP addresses that are already known to be bad), each new phishing site looks “zero-day” to security tools until someone is hit and the IoC is shared. Attackers now pair unique and novel approaches with kits that bypass multi-factor authentication, leaving users exposed during the critical first hours of a campaign.

The analysis argues that prevention must shift from static lists to identity security solutions that flag suspicious login pages as users access them, even when the domain has never been seen before. Until then, organizations should expect a continuing race in which phishing emails reach inboxes before blocklists catch up.

There are a few ways to stay safe from these attacks: double-checking domain names, verifying the message sender’s information, manually typing the URL of the login site you need to access, and, when in doubt, refraining from entering your login credentials on the site. These types of phishing attempts can only be successful if the user willfully enters their information.
