Dr Martin Krämer, Security Awareness Advocate at KnowBe4
Phishing has become one of the most dangerous gateways for modern cybercrime – and has proven one thing above all else: adaptability. Where companies rely on sophisticated protective measures such as secure email gateways (SEGs), attackers exploit their weaknesses in a targeted manner. Attack methods are becoming increasingly sophisticated and dynamic – which is why now is the time to think about new defence strategies.
How phishing circumvents SEGs
Cybercriminals take a strategic approach. They analyse how SEGs work in detail and develop their campaigns to circumvent verification mechanisms. Four key tactics can be identified, some of which complement each other and are becoming increasingly difficult to defend against:
- Time-delayed payloads
A tried-and-tested method is to ensure that malicious content is not activated immediately after email delivery. For example, phishing emails contain links that only lead to malicious websites hours later, or files whose malicious code only unfolds after download. Since SEGs primarily scan emails upon receipt, the threat remains undetected.
- Use of legitimate platforms
Attackers deliberately use well-known and trusted services such as Microsoft SharePoint, OneDrive or Google Docs to hide their malicious links. This tactic exploits the good reputation of such domains to avoid being blocked by SEGs – even though the malicious component is hidden behind seemingly harmless URLs.
- Social engineering without classic malware
Business email compromise (BEC) attacks in particular show how effective phishing can be without technical signatures. Attackers pose as supervisors or business partners and persuade employees to disclose sensitive information or initiate payments – without any attachments or conspicuous links.
- Phishing using only text without URLs or attachments
Some attacks do not use any links or attachments and imitate legitimate internal communications, such as deceptively genuine invoices or delivery instructions. Since these emails do not contain any conspicuous indicators, they appear unremarkable to traditional gateway solutions and reach the recipient without any problems.
These targeted techniques clearly show that the traditional perimeter approach, in which emails are checked upon receipt and then released, is no longer sufficient today. Attackers think for themselves – and are unfortunately often one step ahead.
Protective measures
Today, only cloud-based, AI-supported security solutions that go far beyond a one-time check when emails arrive offer effective protection. They analyse content and communication behaviour, recognise atypical patterns, adapt dynamically to new attack techniques and respond in real time to suspicious activities. But technology alone is not enough. It is equally important to provide targeted and ongoing training for employees – for example, in recognising manipulated content, fake senders or unusual wording. Only when intelligent prevention is combined with human vigilance can an effective defence against sophisticated phishing attacks be established.
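The payload-free tactics described above (BEC and text-only phishing) leave a URL or attachment scanner nothing to inspect, so detection has to rest on sender identity and wording. The following sketch is an added example, not code from the article or from any vendor; the domain, the name watchlist, the keyword list and the signal names are all constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed for this sketch (constructed values): our own mail domain and a
# watchlist of display names that attackers are likely to impersonate.
INTERNAL_DOMAIN = "example.com"
WATCHED_NAMES = {"dana reyes", "sam okafor"}
PRESSURE = re.compile(
    r"\b(urgent|immediately|wire|transfer|payment|invoice|bank details|confidential)\b", re.I)
URL = re.compile(r"https?://|www\.", re.I)

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def bec_signals(raw):
    """Return the BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, sender = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    part = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (part.get_content() if part else "")
    signals = []
    if name.lower() in WATCHED_NAMES and _domain(sender) != INTERNAL_DOMAIN:
        signals.append("watched-name-external-sender")
    if reply_to and _domain(reply_to) != _domain(sender):
        signals.append("reply-to-domain-mismatch")
    if PRESSURE.search(text):
        signals.append("payment-or-urgency-language")
    # Nothing here for a URL or attachment scanner to inspect.
    if not URL.search(text) and not list(msg.iter_attachments()):
        signals.append("no-url-no-attachment")
    return signals

def triage(raw):
    """Hold for review when an identity anomaly coincides with pressure language."""
    s = set(bec_signals(raw))
    identity = s & {"watched-name-external-sender", "reply-to-domain-mismatch"}
    return "hold-for-review" if identity and "payment-or-urgency-language" in s else "deliver"

# Constructed sample messages (not real mail).
BEC_SAMPLE = """\
From: "Dana Reyes" <dana.reyes@example.net>
Reply-To: dana.reyes@example.org
Subject: Urgent request

Please process the wire transfer for our new supplier immediately and keep this confidential.
"""
BENIGN_SAMPLE = """\
From: "Sam Okafor" <sam.okafor@example.com>
Subject: Lunch menu

The canteen menu for next week is on the notice board.
"""
```

The "no-url-no-attachment" signal alone never holds a message; it only records that identity and wording were the sole evidence available.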