Threat Advisory

Threat Actors Weaponize SVG Files in Phishing Attacks to Redirect Users

Threat: Phishing Campaign
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

Phishing remains one of the most effective attack vectors used by attackers to compromise organizations. By exploiting human psychology and leveraging deceptive tactics, attackers manage to bypass advanced email and endpoint security systems. Despite the continuous improvement of defenses, phishing campaigns continue to successfully infiltrate users' inboxes. Attackers are increasingly using techniques such as embedding malicious payloads in unconventional file formats and exploiting trusted cloud services, making detection and mitigation more challenging than ever before.

Attackers have adopted several innovative techniques to bypass security tools and successfully deliver malicious payloads. One notable approach involves embedding Base64-encoded JavaScript within SVG files, a commonly used image format that can contain hidden scripts. The attackers obfuscate the payload to evade static detection, with the malicious script redirecting users to phishing sites once decoded. Similarly, malicious URLs have been embedded in hidden PDF annotations, exploiting metadata fields not commonly inspected by scanners. This allows attackers to bypass traditional security tools that rely on visible content scanning. Another tactic involves leveraging trusted cloud-based platforms like OneDrive, where attackers share read-only documents containing dynamically loaded phishing URLs, bypassing static analysis. In addition, phishing content is increasingly hidden within OpenXML documents, such as MHT files, which contain web lures and QR codes that evade detection by traditional scanners.
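A defender-side check for the SVG technique described above, written for this advisory as an added example (not code from the original report): it parses the SVG, collects script elements and on* event-handler attributes, Base64-decodes long literal runs and flags any that decode to a browser redirect. The sample SVGs and the example.invalid hostname are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
# Base64 runs long enough to hide a script (shorter runs are usually colours/ids).
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Browser redirect primitives a decoded lure typically relies on.
REDIRECT_RE = re.compile(
    r"(window\.|document\.)?location(\.href|\.replace|\.assign)?\s*[=(]"
    r"|<meta[^>]+http-equiv=[\"']?refresh", re.I)

def decode_candidates(text):
    """Yield Base64-looking runs that decode to mostly printable text."""
    for m in B64_RE.finditer(text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # bad padding / not really Base64
            continue
        decoded = blob.decode("utf-8", errors="ignore")
        if decoded and sum(c.isprintable() or c.isspace() for c in decoded) / len(decoded) > 0.9:
            yield decoded

def analyze_svg(data: bytes) -> dict:
    """Flag SVGs with script content whose Base64 payload decodes to a redirect."""
    findings = {"has_script": False, "decoded_redirect": None, "verdict": "clean"}
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        findings["verdict"] = "malformed"   # cannot be inspected: hold for review
        return findings
    scripts = []
    for el in root.iter():
        if el.tag in (SVG_NS + "script", "script"):
            scripts.append(el.text or "")
        scripts += [v for k, v in el.attrib.items() if k.lower().startswith("on")]
    findings["has_script"] = bool(scripts)
    # Also scan the raw text: payloads may be parked in <desc>/<metadata> elements.
    for text in scripts + [data.decode("utf-8", errors="ignore")]:
        for decoded in decode_candidates(text):
            if REDIRECT_RE.search(decoded):
                findings.update(decoded_redirect=decoded.strip(), verdict="suspicious")
                return findings
    if findings["has_script"]:
        findings["verdict"] = "review"      # script present, no decoded redirect found
    return findings

# Constructed samples (not real campaign artefacts) mimicking the described lure.
_LURE_JS = b'window.location.href = "https://login.example.invalid/verify";'
SAMPLE_MALICIOUS = (b'<svg xmlns="http://www.w3.org/2000/svg"><script>eval(atob("'
                    + base64.b64encode(_LURE_JS) + b'"));</script></svg>')
SAMPLE_BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
```

A mail gateway or file scanner would run analyze_svg on each inbound SVG attachment and quarantine anything other than "clean".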

The evolution of phishing attacks underscores the limitations of current detection mechanisms, particularly those relying on signature-based or pattern-matching approaches. As attackers continue to leverage non-traditional file formats, cloud services, and complex document structures to conceal malicious content, organizations must adapt by deploying advanced, context-aware detection systems. This shift toward deeper inspection and dynamic analysis is essential to stay ahead of increasingly sophisticated phishing threats. Enhanced security measures are necessary to counter the growing trend of phishing tactics that bypass traditional defenses and put users at risk.


THREAT PROFILE:

Tactic            Technique ID   Technique
Initial Access    T1566          Phishing
Execution         T1203          Exploitation for Client Execution
Defense Evasion   T1027          Obfuscated Files or Information
Collection        T1114          Email Collection
Collection        T1115          Clipboard Data
Exfiltration      T1041          Exfiltration Over C2 Channel
Impact            T1486          Data Encrypted for Impact


REFERENCES:

The following reports contain further technical details:
