How do phishing emails evade filters?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Phishing emails evade filters through the same basic mechanism: making each message different enough from known bad patterns that no single rule catches everything. The techniques evolve constantly as filters improve.
Content obfuscation is one common approach. Attackers use images instead of text to avoid text-based keyword matching. They add invisible characters between letters in key words. They randomize small elements (punctuation, spacing, phrasing) between messages so that no two are identical, defeating hash-based signature matching. Some use HTML tricks to show one thing to a filter scanner and a different thing to the human recipient.
Infrastructure rotation lets attacks outrun blocklists. If an attacker burns through a domain every 24 hours, blocklist operators are always a step behind. Compromising legitimate websites to host phishing pages is even more effective since those domains already have good reputations. Cloud services (Google Docs links, Dropbox redirects) get used as hop points specifically because filtering legitimate cloud infrastructure creates too many false positives.
Targeting changes the calculus too. Mass phishing sends to millions of addresses and relies on small percentages clicking. Spear phishing sends highly targeted messages to specific individuals, often with personal details, and expects higher success rates from smaller sends. The smaller volume is harder to detect through pattern matching.
The timing manipulation technique that doesn't get enough attention: sending a benign email first to establish legitimate sender behavior with a domain, then later sending the actual attack from the same domain after reputation is established.
For legitimate senders, this is relevant because attackers often impersonate established brands. Strong DMARC enforcement is the best protection against your domain being used for phishing. Without it, attackers can send email appearing to come from your domain, and your customers can't tell the difference.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.