
Attackers Are Outsmarting Traditional Security with Evasive Threats

Bill Mann, Co-founder and CEO
Mar 10, 2025 8:37:51 PM

In Q3 2024 alone, over 932,000 phishing attacks were reported (source: Anti-Phishing Working Group), a significant increase from the previous quarter. It's a stark reminder that attackers are evolving faster than traditional security solutions can keep up.

I was fascinated by our latest blog from Kalpesh Mantri, where he breaks down a phishing attack so evasive that it bypassed multiple security layers before reaching the inbox. Instead of diving into the technical details, I want to highlight just how much effort bad actors now put into evasion—and why today’s detection models are failing.


Using a Less-Scrutinized File Format to Sneak Past Security

In Kalpesh’s post, he describes how attackers hid their phishing link inside an SVG file—a vector image format typically used for graphics, logos, and UI elements. Unlike PDFs or Office docs, SVG files are not deeply scrutinized for threats, making them the perfect smokescreen.

Why This Works: Traditional email security solutions focus on scanning attachment types already known to be risky (e.g., scripts, HTML files). Attackers simply shift to formats that aren’t closely monitored.

Real-World Impact: If a security tool doesn’t understand the purpose and meaning (the intent) of an email, rather than just scanning for payloads, it completely misses this attack.
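As an added defender-side illustration (not code from the original post or from Kalpesh’s breakdown), this Python snippet shows the kind of content check an email gateway could apply to SVG attachments: it parses the image and surfaces external hyperlinks, script elements and event-handler attributes, none of which a plain logo or icon has any reason to carry. The sample SVG and the hostnames in it are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample SVG attachment: a clickable "document" link plus an inline
# script. The hostnames are placeholders, not indicators from any real campaign.
SAMPLE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="50">
  <a xlink:href="https://example.invalid/login">
    <text x="10" y="30">Open shared document</text>
  </a>
  <script>window.location = "https://example.invalid/verify";</script>
</svg>"""

# A benign image for comparison: shapes only, no links or scripts.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="4" height="4"/></svg>'


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.split("}")[-1]


def svg_active_content(data: bytes) -> dict:
    """Collect external links, <script> elements and on* event handlers from an SVG.

    Note: for untrusted input in production, parse with defusedxml instead of the
    stdlib parser; the logic below is unchanged."""
    root = ET.fromstring(data)
    found = {"links": [], "scripts": 0, "handlers": []}
    for elem in root.iter():
        if _local(elem.tag) == "script":
            found["scripts"] += 1
        for attr, value in elem.attrib.items():
            name = _local(attr)
            # Both xlink:href (SVG 1.1) and plain href (SVG 2) end up as "href".
            if name == "href" and value.strip().lower().startswith(("http:", "https:")):
                found["links"].append(value.strip())
            if name.lower().startswith("on"):  # onclick, onload, onmouseover, ...
                found["handlers"].append(name)
    return found


def is_suspicious(data: bytes) -> bool:
    """True if the SVG carries any active content, or is not well-formed XML at all."""
    try:
        found = svg_active_content(data)
    except ET.ParseError:
        return True  # a malformed "image" deserves a closer look, not a pass
    return bool(found["links"] or found["scripts"] or found["handlers"])


if __name__ == "__main__":
    print(svg_active_content(SAMPLE_SVG), is_suspicious(SAMPLE_SVG), is_suspicious(BENIGN_SVG))
```

A gateway applying this check would hold or sandbox the first attachment and let the second through on this signal alone; it complements, rather than replaces, the intent analysis the post argues for.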


Phishing that Adapts to Who Clicks

This attack doesn’t just send victims to a generic phishing page—it adapts based on who clicks.

When a real user opens the SVG attachment and clicks the embedded link, they aren’t immediately redirected to a phishing site. Instead, the attacker first verifies they’ve caught a human by using a legitimate Cloudflare Captcha. Only after passing the Captcha are victims sent to a convincing Microsoft login page—built using a phishing kit designed to steal credentials.

But if the attacker suspects the link is being analyzed—say, by a security researcher or an automated sandbox—the behavior changes.

Why This Works: Security teams often rely on automated threat analysis tools that detonate links and monitor results. This phishing campaign actively deceived those tools by showing them a different, harmless page—tricking traditional threat detection into thinking the link was safe.

Real-World Impact: A CISO looking at threat reports might never even see this attack, because their security stack classified it as benign.


Anti-Debugging Tactics to Hide from Security Teams

One of the most surprising parts of this attack was how it actively countered security research.

If a security researcher or sandbox was analyzing the phishing site with debugging tools running, the victim was instead redirected to Rakuten, a legitimate shopping site.

Why This Works: This technique wastes the time of security teams and stops automated reverse engineering in its tracks. Attackers know that if they can delay detection for even a few hours, their phishing campaigns will already have done their damage.

Real-World Impact: This isn’t just about bypassing software—it’s about bypassing human defenders too.


Why Traditional Security Fails Against These Attacks

Traditional email security solutions—both Generation 1 (Secure Email Gateways) and Generation 2 (cloud-native solutions)—use pre-generative-AI techniques such as signature-based detection, sandboxing, and machine learning/deep learning to analyze threats. The problem? These methods rely on examining malicious payloads, which are often hidden or manipulated through evasion techniques—just like in this attack.

As we see here:

  • The file format was less scrutinized, making it an effective delivery mechanism.
  • The phishing dynamically adapted—ensuring only real users saw the attack.
  • The attack actively deceived security tools, evading detection and analysis.

This is why we built InceptionCyber with Intent-Based AI Threat Detection. We focus on analyzing the meaning and purpose of an email—not just chasing down links and attachments.

Because attackers aren’t slowing down—and neither should we.

For all the details, read the full technical breakdown by Kalpesh.


Inception Cyber is transforming threat protection with Intent AI. Our NACE™ platform employs patent-pending advanced semantic and thematic analysis to comprehend intent, and leverages the contextual relationships between intent, SMTP headers, and auxiliary features to classify URLs and attachments as malicious or benign. This advancement moves far beyond traditional reliance on malicious indicators generated by threat actors or AI, to stop the evasive threats that other technologies simply can’t identify.
