Elbsides 2025

Andrey Voitenko

Andrey Voitenko is Senior Product Manager at VMRay, where he focuses on advanced threat detection and analysis technologies. With over 20 years of experience in cybersecurity, he has held leadership roles in both product development and product management at major international security vendors. Andrey holds a CISSP certification and a Master’s degree in Applied Mathematics and Information Security Technologies. He is a frequent speaker at industry conferences and technical community events.


Session

06-13
14:15
30min
The Ongoing Challenge of Phishing: Examining Attack Vectors and Exploring Defense Improvements
Andrey Voitenko

Phishing attacks are evolving faster than traditional defenses can adapt. Despite significant investments in Secure Email Gateways (SEGs) and email security stacks, phishing remains one of the most effective initial access vectors. This session examines why phishing continues to succeed and introduces a practical, high-impact strategy to strengthen defenses.

SEGs typically rely on a layered architecture that includes header analysis, policy enforcement, static antivirus (AV) signature checks, link reputation services, and even lightweight sandboxing. Because SEGs must process high volumes of email with minimal latency, they are optimized for speed and scale rather than for depth of inspection and comprehensive analysis. This can create exploitable detection blind spots. Sophisticated phishing campaigns take advantage of these limitations using tactics such as multi-stage redirect chains, geolocation- or time-based payload activation, QR codes, SVG images, and HTML smuggling.

What can be done?

One often overlooked opportunity to address these advanced threats lies in integrating the organization’s User-Reported Phishing (URP) program with advanced sandboxing technology. Unlike SEGs, these sandboxes operate outside real-time delivery constraints. They simulate realistic user interaction, follow complex redirect paths, and expose evasive payloads in a safe analysis environment. This enables faster triage, higher-confidence verdicts, and improved detection of phishing threats that bypass gateway-level defenses.

This session will include real-world examples of advanced phishing techniques, such as redirect chains, QR code-based attacks, and SVG-based payloads, and show how advanced sandboxing can be used to detect them effectively.

Elbkuppel