Cyberthreats/Incidents

An arms race: how modern email security tools counter the evolution of phishing attacks

Beleii Artem

Beleii Artem

Senior Analyst, International Analytics Group, PT Cyber Analytics

About the report

Phishing has consistently served as a primary initial access vector into corporate infrastructures for many years. Despite the widespread implementation of multifactor authentication (MFA) and substantial corporate investments in spam filtering, email security, and security awareness training, threat actors continue to heavily leverage this attack vector with high success rates.

Simultaneously, another aspect of this cyberthreat is evolving: the phishing-as-a-service (PhaaS) market. Vendors in this space no longer limit themselves to selling static phishing kits; instead, they have transitioned to full-fledged product pipelines. Their offerings now feature admin panels, bot integration, anti-bot evasion mechanisms, turnkey infrastructure, modules designed to intercept one-time passwords (OTPs) and verification codes, and capabilities for delivering malicious payloads via attachments.

Email remains the primary vector for phishing attacks, making its protection a top priority. Modern security tools and a well-architected perimeter defense successfully block a substantial volume of automated, mass-scale attacks while mitigating the risks of domain spoofing and malicious attachment delivery. Nevertheless, cybercriminals continuously increase the sophistication of their tactics and learn to bypass these defenses. This evolution is driven in part by the advancement of phishing campaign infrastructure and the PhaaS model, which collectively undermine the efficacy of traditional security solutions.

This report explores the core capabilities of email security systems, alongside the potential blind spots that threat actors can exploit.

Report objectives:

  • Analyze phishing attack trends and key metrics for 2025.
  • Examine dark web forum data to illustrate the current economic state of the phishing-as-a-service (PhaaS) market.
  • Map out modern email phishing attack chains and detail the evasion techniques cybercriminals use to bypass security controls.
  • Identify and compare the core capabilities of modern email security tools.

This report contains data on both active and defunct dark web forums. The findings are based on Positive Technologies' internal expertise, reports from leading cybersecurity vendors, data from popular cybercriminal underground platforms, and open-source information from government security services and law enforcement agencies. Additionally, we analyzed intelligence gathered from the Telegram channels of cybercriminal groups and hacktivists.

The goal of this report is to raise awareness among enterprises, government organizations, and individuals interested in cybersecurity regarding the latest phishing tactics and effective defensive measures. The terminology used throughout this report can be found in the glossary on the Positive Technologies website.

Summary

Based on our analysis of phishing campaigns, dark web activity, and the capabilities of modern email security tools, we have drawn the following key conclusions for this report:

  • Phishing remains a primary vector for initial access.

The volume of targeted phishing attacks against organizations continues to rise. Social engineering (accounting for 47% of successful global cyberattacks in 2025), coupled with malware deployment (present in 70% of successful cyberattacks), remains the leading method for corporate compromise. Even when security tools are deployed, attack success often hinges on human error and misplaced user trust.

  • Email remains a primary vector for initial access, yet it is no longer the sole focus of the attack chain.

In 2025, 80% of social engineering attacks against organizations leveraged email. However, modern phishing campaigns employ a multivector approach where the initial email is merely the starting point. Subsequent stages of the attack often pivot to mobile devices, instant messengers, web resources, or the hijacking of user sessions.

  • Malware serves as the primary weapon for attacks against organizations, with email acting as a critical distribution channel.

In the majority of incidents (70% in 2025), cybercriminals utilized malware to gain initial access to corporate infrastructure, establish persistence, or facilitate lateral movement. Email frequently serves as a convenient delivery mechanism for malicious payloads via attachments, HTML files, archives, or embedded links. Consequently, securing the email channel is vital for preventing malware propagation within an organization.

  • Phishing has become a service industry.

The PhaaS market demonstrates signs of a mature ecosystem: the dominance of supply, a more than threefold increase in the median cost of solutions, and the proliferation of comprehensive products that significantly simplify the execution of attacks and accelerate their scaling.

  • Threat actors actively use techniques to bypass traditional filtering mechanisms.

These techniques include the use of QR codes, HTML attachments, short-lived domains, redirect chains, as well as AiTM phishing, which allows intercepting authentication tokens. It is necessary to update security systems in a timely manner to effectively counter current threats.

  • Multi-layered email security is critical.

As phishing toolkits evolve, organizations require a defense-in-depth approach comprising multiple interconnected layers. Essential capabilities include time-of-click URL analysis, deep attachment scanning, URL extraction from images and QR codes, post-compromise mailbox monitoring, and the correlation of email telemetry with Identity and Access Management (IAM) events. Furthermore, rapid incident response capabilities are vital, particularly the ability to purge already delivered emails and revoke active session tokens.

Phishing must no longer be viewed merely as an email-centric threat. Instead, it should be treated as a comprehensive attack vector where the kill chain initiates with an email but progresses across user interactions and the broader corporate infrastructure.

Introduction

In the second half of 2025, an extremely high level of phishing activity was observed: the APWG (Anti-Phishing Working Group) recorded approximately 892,000 attacks in the third quarter and 853,000 in the fourth. Concurrently, the threat landscape evolved: the proportion of attacks leveraging adjacent communication channels expanded, and the frequency of sophisticated campaigns, such as business email compromise (BEC), surged. Over the past year, spam constituted 44.99% of global email traffic. During this period, security tools successfully blocked 144,722,674 malicious attachments and prevented 554,002,207 attempts to access phishing URLs.

These metrics underscore that phishing continues to be one of the most pervasive and resilient threats. The sheer volume of incidents, coupled with the massive scale of blocked payloads and malicious links, highlights the relentless and sustained operational tempo of cybercriminals.

In recent years, phishing has evolved from basic scam emails into a mature, service-driven ecosystem that enables high-volume campaigns. The rise of phishing-as-a-service (PhaaS) has lowered the barrier to entry for threat actors and turned phishing into a scalable capability that can be rapidly tailored to specific targets and objectives.

Figure 1. Example of an underground forum listing advertising a turnkey phishing kit
Figure 1. Example of an underground forum listing advertising a turnkey phishing kit

Attack chains are evolving as well. Email remains a common initial access vector and is often used to establish legitimacy, but it is increasingly just one stage in a broader multi-step workflow. After the initial email, attackers frequently shift execution to follow-on mechanisms such as embedded links, malicious attachments, QR codes, or dynamically generated web content.

Threat actors are increasingly leveraging mobile workflows and BYOD to pull users outside the corporate security perimeter. Common techniques include QR codes and HTML attachments, as well as multi-stage attack chains where the malicious payload is delivered or activated only in the final steps, after initial static inspection has been bypassed.

As a result, email security strategies need to be revisited. Delivery-time filtering alone is no longer sufficient against current threat scenarios, because much of the malicious behavior occurs later in the chain, during user interaction with the content, or after an account has been compromised.

Phishing attack trends

Phishing activity continues to grow year over year. While attacker tooling and tradecraft are evolving, social engineering remains a leading initial access technique used to compromise organizational environments. In 2025, social engineering was the most frequently observed attack method against organizations, accounting for 50% of successful incidents in H1 and 41% in H2 (see Figure 2).

Figure 2. Proportion of successful attacks against organizations involving social engineering

A shift toward messaging apps and multivector attack chains is supported by reporting from multiple security vendors and by our analysis of underground sources. Previously cited APWG data, together with content collected from dark web forums, reinforces our assessment that threat actors are increasingly running phishing lures via messaging platforms and social networks. In this model, email is no longer the sole user touchpoint. Instead, it is increasingly used as one step in a broader engagement workflow, with subsequent victim interaction moved to alternative communication channels.

Figure 3. Example of a Telegram advertisement for cybercriminal services and malware
Figure 3. Example of a Telegram advertisement for cybercriminal services and malware

QR phishing (quishing) is also becoming more prevalent. Attackers increasingly embed QR codes directly in message bodies or PDF attachments and pressure recipients to scan them on a mobile device, shifting the interaction outside the corporate environment and away from many enterprise security controls. As a result, quishing has become a mainstream attacker technique, particularly in mobile-centric campaigns. APWG reported 716,306 unique malicious QR codes in Q3 2025. APWG and other sources also note that traditional email filtering and static inspection are often ineffective against these campaigns. In our previous report, we similarly anticipated an increase in quishing activity. While APWG observed an approximately 9% quarter-over-quarter decline in QR-code-enabled phishing in Q4 2025, we assess this as a likely short-term fluctuation given the overall threat landscape.

BEC (business email compromise) warrants dedicated focus, because relatively minor shifts in attacker tactics can significantly increase the likelihood of successful compromise and downstream business impact. APWG reported a 136% quarter-over-quarter increase in BEC volume in Q4. From a loss perspective, BEC remains among the most financially damaging incident categories. The FBI's Internet Crime Complaint Center (IC3) has consistently highlighted BEC as a major driver of annual losses measured in the billions of dollars. Accordingly, BEC should be managed as a distinct risk area. Effective mitigation typically requires strong controls around finance-related business processes, systematic analysis of business email threads, detection of communication anomalies, and rapid response by security teams.

Phishing defense is growing more complex as the commercial market for phishing solutions matures. The PhaaS model continues to evolve into a full-fledged industry. For instance, Microsoft highlights Tycoon2FA, a platform that employs adversary-in-the-middle (AiTM) phishing, anti-bot mechanisms, advanced code obfuscation, and custom CAPTCHAs. Threat actors can launch these attacks via attachments containing QR codes or malicious JavaScript files. Dark web forum research confirms this trend, showing that the market has shifted from selling standalone phishing pages to offering comprehensive toolkits complete with admin panels, delivery infrastructure, and conversion-optimization modules.

A key component of email-based attacks continues to be the spread of malware, which serves as a means of infrastructure compromise. According to Positive Technologies, attackers used malware in 70% of attacks on organizations, and in 47% of those cases, they distributed it via email. This indicates that a phishing email functions not only as a social engineering tool but also as a delivery mechanism for a malicious payload.

Phishing and malware distribution

While recent years have seen a strong focus on phishing attacks designed to steal credentials and hijack sessions, email continues to serve as a primary vector for malware distribution.

Figure 4. Malware distribution methods in attacks against organizations, 2025

In practice, phishing and malware delivery are rarely separate activities. In many attacks, they form part of a single kill chain, where the email serves as a vector for delivering a malicious attachment or a link that leads to a malware download.

From the attacker's perspective, email remains a convenient channel for malware distribution for several reasons:

  • High likelihood that the user will interact with the email
  • Support for delivering various file types (archives, documents, QR codes, HTML attachments)
  • Potential to conceal the malicious payload within multi-layered containers
  • Use of legitimate email accounts or existing email threads (the attacker injects their malicious message into a prior conversation between legitimate parties)

Even in email campaigns that initially appear to have no malicious links or attachments, malware is often used in later stages. After gaining initial access to the target infrastructure, attackers can deliver additional malicious payloads through the same email channels: for example, by sending exploit-containing documents or archives with loaders. Malicious attachments distributed via email can contain a wide variety of malware types, similar to other attack vectors. Since phishing messages serve as one of the primary malware delivery vectors, the distribution of malware types can be inferred from the overall set of samples observed in attacks.

Figure 5. Malware types observed in attacks against organizations, 2025

Ransomware delivery via phishing campaigns warrants particular attention. In this scenario, a user may trigger a loader, which then downloads the main payload module (often a ransomware variant) to the device. A key characteristic of such attacks is that additional stages may occur between the initial email contact and ransomware execution, including the installation of supplementary modules. This complicates detection, particularly in later stages. Therefore, it is critical to detect the attack at the earliest possible stages (at the email, link, or attachment level) before the attacker establishes a foothold in the infrastructure and before the final payload is delivered.

Given the above, security tools must be capable of analyzing the actual behavior of malware. Many cybercriminals obfuscate malicious files or implement multi-stage loading on the endpoint, making static analysis insufficient to reveal the malware's true intent. Moreover, attackers actively adapt not only to the capabilities of security tools but also to the different operating systems present in organizational environments.

Figure 6. Operating systems affected by malware in attacks against organizations, 2025

This is precisely why dynamic analysis of attachments in an isolated, multiplatform environment (a sandbox) is critical in modern email security systems. This capability is especially important given the evolution of email attacks, as attackers increasingly combine multiple techniques. An email may contain a QR code or an HTML attachment that opens a phishing page or a malicious loader, thereby initiating a compromise chain. For instance, in 2025, researchers uncovered a phishing campaign where attackers distributed emails containing SVG attachments. While such files are typically treated as images, the SVG format is XML-based and can embed HTML and JavaScript code.

When analyzing email-borne threats, phishing should be viewed not only as a social engineering tool but also as a primary delivery mechanism for malicious payloads. In practical terms, this means that effective email security must address two threat categories at the same time:

  • Social engineering and phishing attacks targeting credential theft
  • Delivery of malicious attachments designed to execute malicious code

The combination of these two capabilities—dynamic attachment detonation1 and email content analysis—is what delivers comprehensive email protection and underscores the need to integrate email security with sandbox technologies.

1Malware detonation is a threat analysis technique where suspicious files and links are executed within a secure, isolated environment known as a sandbox.

Dark web and PhaaS: offerings on underground forums and their implications for defense

Phishing as a service (PhaaS) is a subscription-based model that enables cybercriminals to carry out complex phishing attacks. PhaaS providers supply kits containing everything necessary for phishing operations. The market has shifted toward packaged service offerings. What is now being sold is not merely content but a turnkey solution featuring an administrative panel, data collection mechanisms, notifications, anti-bot bypass techniques, and infrastructure support for the entire toolset.

Figure 7. Listing advertising a phishing administrative panel targeting Coinbase
Figure 7. Listing advertising a phishing administrative panel targeting Coinbase

This makes phishing scalable and lowers the barrier to entry: the operator does not need to build an attack chain from scratch. Instead, they can simply pay and connect to the service.

This challenge is not new. Positive Technologies experts have previously highlighted the growth of the PhaaS market, and major platforms such as Lucid and Tycoon2FA showed high activity last year.

In 2025, we observed a rise in the number of publications related to the PhaaS market.

Figure 8. Number of PhaaS-related publications on underground forums and channels in 2024 and 2025

Over the past 12 months, activity on phishing-related forums offering services has remained stable. However, in the first months of 2026, we observed a slight decline. This trend can be attributed to several factors, including the previously predicted reduction in attacker activity on forums and their migration to private channels in messaging apps and social networks. In addition, forums have started enhancing their security mechanisms. For instance, they have implemented non-standard anti-parsing protections such as JavaScript challenges and unusual CAPTCHAs, making them harder to index by information gathering tools.

The PhaaS market is characterized by a significant oversupply relative to demand and a fairly mature ecosystem. Listings are becoming less template-driven and describe a wide range of different tools (see Figures 9, 10).

Figure 9. Example of a listing offering services for purchase
Figure 9. Example of a listing offering services for purchase

Figure 10. Categories of PhaaS-related listings published on the market

Supply exceeding demand typically signals a transition to a mature economy. The PhaaS market is already saturated with providers, competition is high, and the focus of listings has shifted toward automation tools and defense evasion techniques. Nevertheless, prices continue to rise despite the high volume of listings offering phishing solutions or related services (see Figure 11).

Figure 11. Average advertised price per listing (in USD)

The average listing price during this period was approximately 723 dollars. However, this average was heavily skewed by a large number of high-priced listings. Prices typically range from 10 to 1,000 dollars (see Figure 12), but roughly 25% of listings exceed that range. The median price rose from 125 to 500 dollars.

Figure 12. Example of a pricing catalog on a phishing solution vendor's website
Figure 12. Example of a pricing catalog on a phishing solution vendor's website

As noted earlier, expensive listings typically represent turnkey products that are ready for immediate use. These solutions offer attackers a straightforward path from initial deployment to achieving their cybercriminal objectives. Turning to the distribution of offerings on underground forums, we observe the following pattern, which supports this finding.

Figure 13. Offerings or categories associated with PhaaS solutions in underground forum listings, 2024–2025

A broad range of phishing solutions is available. These include tools for bypassing authentication, managing phishing toolkits, and alerting operators, all of which point to the significant maturation of the PhaaS market. Notably, administrative panels represent a key component of PhaaS infrastructure, accounting for 18% of all listings. Operators actively distribute turnkey tools for managing phishing campaigns, including capabilities for credential harvesting, victim monitoring, template management, and attack statistics tracking.

Tools for bypassing two-factor authentication (OTP, 2FA) are also widely available. Listings for one-time code interception tools account for 13% of the market, highlighting the growing specialization of PhaaS developers in evading modern authentication mechanisms. The same trend applies to creators of CAPTCHA and anti-bot bypass tools. Collectively, these observations demonstrate the advancement of the technical capabilities within the PhaaS ecosystem.

Forum listings indicate that attackers are selling not only complete phishing kits but also individual, sophisticated infrastructure components. These include administrative panels, defense evasion tools, specialized attack templates, and automation frameworks. Cybercriminals can either select and combine available modules to build a custom attack stack or opt for turnkey solutions.

The following categories appear most frequently across all listings.

Figure 14. Percentage of listings mentioning each type of solution or platform

The diagram indicates that messaging apps are both the primary attack vector and the main channel for organizing attacks, with 12% of listings related to them. PhaaS operators actively offer tools for conducting attacks via Telegram, Discord, and other platforms where users are less likely to expect phishing and where built-in security protections are weaker. That said, email services and cryptocurrency remain key targets. Successful compromise of email accounts and cryptocurrency wallets enables attackers to quickly siphon funds or proceed to subsequent stages of an attack.

The diagram highlights two dominant focus areas within the PhaaS market:

  1. Finance and cryptocurrency (exchanges, wallets, banks).
  2. User accounts and components of the victim's digital identity (email, payment systems, platforms). The value here lies in the subsequent use of these assets for further attacks or account monetization.

Explicit mentions of AI usage appeared in only a small number of forum listings. However, many posts were observed seeking effective AI solutions or requesting help with AI development.

Figure 15. Listing requesting an AI-based solution
Figure 15. Listing requesting an AI-based solution

AI mentions are seldom used as a marketing tactic. If they are, threat actors avoid disclosing them in public listings to prevent drawing attention from moderators, law enforcement, or competitors.

Based on the analysis of the data, the following conclusions can be drawn:

  • The PhaaS market is large and saturated, with sales dominating. The share of comprehensive solutions, including panels, anti-bot systems, and tools for intercepting OTP and MFA codes, is growing.
  • The median price increased from 125 to 500 dollars. This signals a shift in demand toward comprehensive solutions with high conversion rates.
  • Messaging apps such as Telegram are an integral part of the PhaaS stack. They are frequently mentioned in listings and serve multiple functions: customer support channels for solution users, notification delivery mechanisms, and malware distribution vectors.
  • The frequent mentions of OTP and MFA suggest that the market has adapted, and attackers are now building attack chains around MFA confirmation interception and social engineering.

Given that the market offers turnkey comprehensive solutions featuring administrative panels, anti-bot systems, and MFA bypass capabilities, the defense side must focus on several key areas: link control, browser emulation, detection of not only classic attachments but also QR codes and HTML, correlation of email with IAM events (such as login anomalies, new sessions, suspicious rules, and forwarding), as well as monitoring for leaks or mentions of the company and its brand on underground resources, which serves as an early indicator of attack.

Typical phishing attack scenario

Given the technological advancement of phishing techniques, this attack vector should be understood as a sequence of stages in which the email serves merely as a vehicle for launching the attack and achieving subsequent compromise. This perspective aligns with the MITRE ATT&CK framework, which classifies phishing as an initial access technique.

A simplified representation of a phishing attack is shown below (see Figure 16).

Figure 16. Phishing attack workflow
Figure 16. Phishing attack workflow

Below is a detailed breakdown of the attack chain. The table maps attacker actions to observable artifacts, expected telemetry sources, and corresponding security measures.

StageAttacker actionsTypical artifacts or signalsDetection location or methodSecurity measures
Reconnaissance and preparationCollecting information about the target company, its employees, and communication context. Selecting email content and themeIntelligence on phishing campaign preparation gathered from open sources, attacker-controlled channels, and underground forums. Publicly available phishing email templatesThreat intelligence (TI) analytics, data leaks, open source intelligence (OSINT), user reportsData leak monitoring, employee security awareness training, minimizing disclosure of internal processes and roles
Email deliverySending phishing emails through attacker-controlled infrastructure or compromised legitimate mailboxesLegitimate DKIM and DMARC signatures, plausible conversation threads, but anomalous attachments, suspicious links, or unusual subject linesSEG at SMTP or EML level, anti-spam filters, reputation checks during connection handshakesDeploy email security gateways, enforce domain and IP reputation checks, apply policies for attachment and URL handling
Malicious content concealmentHiding malicious payloads inside attachments or links. Using containers, archives, or HTML filesHTML attachments, archive containers, macro-enabled documents, QR codes, links pointing to malware downloadsAt email gateway: attachment analysis, OCR and QR code recognition. Sandbox as either an integrated or standalone SEG componentPerform dynamic attachment detonation, restrict file types, analyze attachments in an isolated sandbox environment
User involvementManipulating the user into opening an attachment, executing a file, or clicking a linkRedirection chains, temporary domains, geofilters, fake login pagesURL inspection at the email gateway or at click time, browser emulation via a dedicated module or email gateway, sandbox analysisInspect links at click time, use proxy-based protection, enrich incident or malware data with indicators of compromise
Compromise: credential theft or malware executionStealing usernames or passwords via phishing pages, executing malicious files on user devicesAiTM proxy usage, suspicious PowerShell commands, malware payload downloads, execution of unknown processesIAM and SSO logs, EDR solutions, network events, sandbox reportsDeploy phishing-resistant MFA. Control application execution, implement EDR or XDR solutions, revoke active sessions when suspicious activity is detected
Persistence. Post-compromise actionsEstablishing persistence by modifying email rules, OAuth access, launching loaders, installing backdoorsNew email forwarding rules, unauthorized OAuth permissions, suspicious processes and network connectionsCorrelate email logs with IAM, EDR, and network event dataEnforce OAuth controls, block external email forwarding, monitor for anomalous user behavior
Attack expansion and monetizationFurther attack progression: business email compromise (BEC), lateral movement, data exfiltration, or internal phishing emails sent from compromised legitimate accountsPhishing emails originating from legitimate users, unusual attachments, suspicious network connectionsCorrelate email data within SIEM and SOAR platforms. Leverage IAM solutions and endpoint EDR products on endpoint devicesTrain SOC personnel, deploy automated incident response playbooks, implement infrastructure segmentation

Analysis of typical phishing attack scenarios yields the following conclusions:

  • A phishing attack is a multi-stage process that begins well before the email is sent.
  • Compromise increasingly originates from trusted infrastructure. Attackers leverage compromised mailboxes and properly configured DKIM and DMARC to bypass basic email filters, thereby diminishing the effectiveness of reputation-based defenses.
  • Malicious payloads are actively concealed. To evade filtering, attackers employ HTML attachments, archive containers, macro-enabled documents, QR codes, and links to external loaders. This complicates static analysis and makes dynamic attachment inspection essential.
  • User interaction with the email remains the critical juncture of the attack. Even when technical security controls are in place, clicking a link or executing an attachment marks the transition from the delivery phase to the compromise phase.
  • Effective defense demands a multi-layered architecture. No single security tool can block an attack at every stage of its progression. A combination of email gateways, sandbox analysis, link inspection, EDR and XDR solutions, IAM controls, and security event correlation is required.

The key takeaway from this sequence is that modern phishing campaigns often appear legitimate at the email delivery stage, featuring valid conversation threads and proper domain authentication, while the malicious logic only becomes evident later. This occurs during user interaction with a link, within dynamic content, or when sessions are intercepted after MFA has been successfully completed. This explains why AiTM attacks present a systemic challenge even for organizations that have deployed multi-factor authentication. Attackers do not need to break the MFA solution itself; instead, they proxy the session and capture tokens that grant subsequent access without requiring repeated authentication. The Tycoon2FA analysis further notes that access may persist even after a password change if active tokens are not revoked.

Only multi-layered email protection spanning all stages, from initial delivery to potential session compromise, can effectively counter modern phishing attacks. In practice, organizations need to deploy several complementary security layers: perimeter email filtering, attachment and link analysis, dynamic URL inspection, and post-delivery protection mechanisms. Each layer addresses a distinct set of threats while having its own limitations. What is effectively detected at one stage may remain completely invisible to another.

To properly assess the resilience of email infrastructure, it should be viewed not as a single monolithic mechanism but as a collection of functional layers. Each layer covers a specific threat category while also having typical blind spots. The following sections examine which mechanisms actually work, what threats they mitigate, and where their effectiveness ends.

Email security: capabilities of modern solutions and their blind spots

The table below outlines the capabilities, detection methods, and typical blind spots of the most widely used email security systems.

 

Functional layer

 

Protection mechanism

 

Detection capabilities

 

Typical blind spots

SEG at the perimeter (SMTP, EML)Primary SMTP checks, rate limiting for incoming emails, detection of temporal anomalies and unknown or external senders, enforcement of encryption policies during email transmission, protocol deviation detection, email header analysisMass spam, some phishing attempts, obvious anomaliesMalware, static analysis of JavaScript chains without detonation, attacks originating from legitimate (non-malicious) mailboxes
Reputation and threat indicatorsIP address, domain, and URL reputation checks, geolocation tagging. Supports blocklisting and allowlistingDisposable domains, known malicious campaigns, indicators of compromise (IoCs)Temporary infrastructure, trusted services or links pointing to them
Content analysis (NLP, ML)Inspects email attributes such as style, urgency, context, BEC patterns, and role mismatches within the organizationBEC lures and social engineering emails that do not rely on attachmentsHigh-quality text (including AI-generated content), insider context that is not obviously anomalous
URL protectionUnfolds redirect chains, performs dynamic link inspection, and emulates browser behaviorPhishing attacks targeting authentication credentials, redirect chains, client-side JavaScript logicAnti-bot systems, geofilters, QR codes embedded in attachments that are not processed by OCR
Attachment inspection in sandboxDynamically executes attachments and links in an isolated environment, analyzing behavioral indicatorsObfuscated attachments, malware concealed within multi-layered "nesting doll" containersSemantic content of attachments that is designed purely for social engineering
OCR and QR recognitionExtracts QR codes and text from images or documents to enable URL inspectionQR-based phishing in PDFs, images, and documentsUnicode-based or ASCII-based QR codes
Post-delivery actionsQuarantines or removes already delivered emails, analyzes alerts from security toolsZero-day threats, malicious campaigns that are identified after signature or rule updatesZero-day threats, malicious campaigns that are identified after signature or rule updates
Protection against ATO and BECMonitors email forwarding rules, OAuth application permissions, and detects anomalous user behaviorBusiness email compromise (BEC) and account takeover (ATO) following initial compromiseLack of correlation with IAM events, resulting in incomplete incident visibility
Attack simulation and security maturity testing for infrastructure and teamGenerates realistic phishing emails and attack scenarios to validate defenses against specific threatsMisconfigurations in security tools and gaps in security controlsFails to reflect evolving threats without regular updates, as simulations rely on limited threat intelligence

Even the effective operation of multiple security tools is not always sufficient for comprehensive protection. Attackers actively exploit architectural weaknesses in email protocols, leverage dynamic infrastructure, and compromise legitimate accounts to bypass traditional filtering mechanisms.

To better understand these blind spots, several key limitations of existing security controls must be considered:

  • Email authentication is valuable but addresses only a narrow set of threats, primarily domain spoofing. This is consistent with the official DMARC documentation, which states that DMARC is designed to validate senders and define policies for emails that fail SPF or DKIM authentication. While DMARC can detect domain impersonation, it does not prevent password theft or account compromise. Consequently, emails sent from a compromised legitimate mailbox may appear fully legitimate from a protocol authentication standpoint.
  • The focus of protection must shift toward the moment of user interaction with attachments or links, as well as toward handling dynamic content. Static URL inspection is significantly less effective against attackers' temporary infrastructure. Analyzing URLs at the time of user interaction and employing browser emulation for link opening are no longer optional email security features; they have become mandatory components of any effective email defense strategy.
  • QR code, link, and attachment inspection represents a distinct security capability that cannot be fully addressed by an email security system alone. If the security stack lacks QR code recognition or sandbox-based attachment analysis, a blind spot emerges precisely where the PhaaS market is growing and where the primary threat resides.
  • Combating BEC ultimately depends on effective management of user accounts and sessions. Against AiTM attack scenarios, organizations should prioritize controls publicly recommended by regulators and major technology ecosystems. These include phishing-resistant MFA, strengthened access controls for external resources, and prompt revocation of active tokens when compromise is suspected.

Finally, post-delivery quarantine of attachments addresses the challenge of delayed threat intelligence. As previously noted, the observed volume of phishing campaigns may not reflect the full scale of attacks, since some emails are blocked by email systems before they reach users. In practice, this means that security rules and threat intelligence feeds are often updated only after a malicious campaign is already underway. The ability to rapidly remove already delivered emails therefore becomes critical, particularly for reducing the risk of users reopening malicious attachments within the corporate network.

Recommendations

The analysis of phishing campaigns indicates that effective email protection does not rely on any single mechanism but rather on a combination of complementary functional layers. The previous section reviewed the key components of email channel security.

The following step-by-step recommendations outline how to build a robust email security system:

  1. Establish basic perimeter protection, including an email gateway, reputation and threat indicator checks, and domain authentication.

  2. Close two critical gaps in phishing defense: countering malware through sandbox-based attachment analysis and detecting evasion techniques such as QR codes, HTML content, and malicious URLs.

  3. Enhance post-delivery response capabilities to handle threats that are identified after an email has been delivered.

  4. Correlate email security data with IAM events, including anomalous logins, new sessions, newly created email forwarding rules, and suspicious OAuth application permissions.

  5. Deploy security controls that are commensurate with the threat level and that integrate seamlessly with other information security solutions across the infrastructure.

PT Email Security addresses the majority of these steps by covering the most critical phases of the phishing attack chain, including email delivery, attachment and link analysis, and response. This enables organizations to effectively defend against mass phishing campaigns as well as more targeted attacks involving malicious attachments, redirect chains, and QR codes.

Conclusion

Phishing is no longer confined to email. It has transformed into a service-based model that spans multiple channels, involves mobile environments, relies on containerized attachments, and actively employs evasion techniques to bypass security controls. On the attacker side, this evolution is driven by technologies such as QR codes, HTML attachments containing dynamic content, multi-stage attack chains, and nested containers that evade detection by static filters and signature-based tools.

At the same time, the PhaaS market is demonstrating clear economic maturation. Between 2024 and 2025, supply increased, median prices rose, and functional components designed to improve attack conversion rates became widely available. These components include administrative panels, anti-bot systems, messaging app integration frameworks, and modules specifically targeting the interception of MFA codes and one-time passwords.

This means that defenders are no longer dealing with individual malicious emails but rather with service-based delivery pipelines that rapidly adapt to blocking measures and continuously evolve. Beyond social engineering and the PhaaS service model, malware distribution remains a key component of modern email attacks. In many attack scenarios, a phishing email serves not only as a credential theft tool but also as a delivery mechanism for malicious attachments or loaders that initiate a broader compromise chain. Email security strategies must therefore address both social engineering tactics and the risks associated with malware delivery.

The traditional approach of intercepting malicious emails at the perimeter is no longer sufficient as a standalone defense. Successful attacks are increasingly structured around post-delivery event chains. These events may include link clicks, QR code scans, interaction with dynamic content, credential or session compromise, and subsequent malicious actions by the attacker or unwitting user. Consequently, effective protection requires a cohesive security stack. An optimal strategy includes the following components:

  • Dynamic URL inspection at the moment of user interaction.
  • Extraction of QR codes and URLs from attachments, not just from the email body.
  • Post-delivery quarantine capabilities, allowing emails to be placed in quarantine even after initial delivery, combined with rapid token revocation upon detection of AiTM indicators.
  • Deployment of specialized email security solutions, such as PT Email Security.

In the near future, the phishing service model is expected to evolve further and integrate more closely with other segments of the cybercriminal economy. PhaaS platforms will likely automate an increasing number of preparation processes, apply artificial intelligence more extensively to conduct attacks, and offer ready-made scenarios tailored to specific industries, organizations, or events. They will also provide tools for rapid adaptation to defensive measures and blocking mechanisms. At the same time, the ecosystem surrounding these services is likely to expand. This includes integration with access brokers, malware distribution services, MFA bypass infrastructure, and solutions designed to monetize compromised access. These developments will make phishing campaigns broader in scale and more dangerous, further reinforcing the need for comprehensive protection across the entire attack chain rather than focusing solely on inbound email traffic.