Organizations increasingly adopt policies that encourage employees to report emails they perceive as potentially malicious. These user-submitted reports are typically reviewed by the Security Operations Center (SOC), which conducts in-depth analyses to determine appropriate response measures. This approach enhances organizational defenses by integrating human vigilance with expert investigation, thereby complementing existing automated threat detection systems.

This study presents a comprehensive examination of phishing emails reported by users across five organizations over a span of several months. These messages are particularly stealthy since they were able to bypass all the automated checks in place, yet were identified by the employees, and confirmed as malicious by security experts. We extract and characterize the evasion techniques employed in these phishing campaigns and evaluate their level of sophistication. Our findings reveal that while these attacks are generally low in volume, they are highly targeted and carefully orchestrated, demonstrating significant forethought and strategic intent. Notably, these campaigns utilize advanced evasion tactics at the message level—including the use of corrupted QR codes — and cloaking relying on bot detection and browser fingerprinting techniques.

The objective of this work is to deepen our understanding of the phishing landscape while taking into consideration the threats that slip through the cracks of advanced security filters.