Since its inception, Perception Point has been scanning billions of emails, URLs and files every week. Most of the time, Perception Point clients already have at least one email security solution in place.

Whether they are using on-premises Exchange and an SEG vendor (such as Proofpoint, Mimecast, Symantec) or the built-in security capabilities of Office365/Gmail Workspace, they all still see phishing and malware reach their end users. In the best case scenario, they get a report by a good employee. But in some cases what triggers the SOC team is an alert coming from the endpoint solution. This means a payload already reached the users’ computer and maybe even opened.

In this article we list a few (not all) of the most-used techniques by hackers to bypass email security solutions.

Problem 1. Login forms hidden inside local web pages

Not able to detect phishing scams and credential theft attempts that use a login page inside a local html page attached to the email instead of hosting the login page online.

Why it’s hard for solutions to detect?

Because there’s no suspicious link inside the email, all engines based on reputation (URL reputation, domain legitimacy and so on) are not valid. Also solutions such as URL rewriting in Office365 will not help.

They don’t need to worry about hosting a phishing site online. They’re not afraid that their site will be shutdown. They just send an html file, and wait for a click, the page is then rendered locally on the victim’s computer, only after the attacker writes his or her credentials in the fake login page, there will be a JavaScript code (usually obfuscated) that will upload this information online straight to the attackers’ hands.

Email Security Solutions

Problem 2. Malware hosted on file-sharing services.

Not able to scan malware hosted on OneDrive, Google Drive and other file-sharing services. 

Why it’s hard for solutions to detect? 

There are a lot of file-sharing services, and most of them offer free packages, giving an attacker a chance to upload his payload for free. File-sharing services work by using link sharing, where essentially they give you a link (coming from their own, good reputation domain).

Then the attacker crafts the email and puts the link inside. The solutions then scan the URL, and there is nothing suspicious inside, usually the link will lead to the legit website, requires user to click on a special “download” button, so the site itself is safe (it’s the sharing service website), but if you download the file, you’re screwed.


Problem 3. Spotting Spear Phishing.

Attackers nowadays will try to trick users into thinking they landed on a well-known internal company portal. If an attacker finds the 3rd-party services a company uses, he or she can easily mimic it and create fake versions of it.

Why it’s hard for solutions to detect?

This is a highly effective technique. Since employees expect to see these email types as internal only, they won’t pay too much attention to signs of phishing.

Some company portals are even reachable from the internet—making hackers’ lives even easier to spoof them. In this example, we can see a fake Okta login page. It contains all visual elements and the company’s logo (and it’s even SSL encrypted), just waiting for the user to enter his or her credentials (an action done several times a day). A large portion of phishing campaigns sent to companies are actually an impersonation of their own brand.

Legacy solutions might be good at detecting the generic kind of phishing, but highly targeted and tailor-made attacks will likely go undercover to user’s mailbox.

Email Security Solutions

Problem 4. Blacklisting email security vendor IP addresses

Hackers are blacklisting email security vendors’ IP addresses. When hackers create phishing websites, either manually or with a prepared Phishing Kit. They are well aware that their target is highly fortified, and they assume email security solutions will scan their website before it will reach the end user. 

Why it’s hard for solutions to detect?

By fingerprinting the different email security solutions, a hacker can understand what the IP addresses are of the email security provider services. Once fingerprinted, they can easily blacklist their IP.


Problem 5. Can’t Detect ATO

No ability to know if dealing with a compromized third-party vendor.

Why it’s hard for solutions to detect?

It is very hard to detect because the email is coming straight from the vendor’s IP and the actual mailbox. The attacker then reads all email communication, waiting for the right time to inject a message where he sees the request for fund transfer. He will usually reply back with a signature that’s identical to the vendor’s and will ask for you to transfer money to other bank accounts.

email security solutions

Email attacks have evolved to bypass traditional defenses. They now require organizations to set up
protection, not only at the gateway, but also beyond it. Every business needs to deploy the right
combination of technology and people to have effective email protection. To make sure your organization stays attack-free, it’s important to find a tool that dynamically scans every single email for all known and unknown threats before being delivered.

At Perception Point, we stop malware, phishing attacks, logical exploits, hardware vulnerabilities, macro-based attacks, ransomware, malware, APTs, spear phishing, and N-day and zero-day attacks.