Slipping Through the Cracks: How Malicious Emails Evade Detection
2025-10-22, Europe

Organizations increasingly adopt policies that encourage employees to report emails they perceive as potentially malicious. These user-submitted reports are typically reviewed by the Security Operations Center (SOC), which conducts in-depth analyses to determine appropriate response measures. This approach enhances organizational defenses by integrating human vigilance with expert investigation, thereby complementing existing automated threat detection systems.

This study presents a comprehensive examination of phishing emails reported by users across five organizations over a span of several months. These messages are particularly stealthy: they bypassed all the automated checks in place, yet were identified by employees and confirmed as malicious by security experts. We extract and characterize the evasion techniques employed in these phishing campaigns and evaluate their level of sophistication. Our findings reveal that while these attacks are generally low in volume, they are highly targeted and carefully orchestrated, demonstrating significant forethought and strategic intent. Notably, these campaigns use advanced evasion tactics at the message level (including corrupted QR codes) and cloaking that relies on bot detection and browser fingerprinting techniques.

The objective of this work is to deepen our understanding of the phishing landscape while taking into consideration the threats that slip through the cracks of advanced security filters.

This talk will present the evasion techniques extracted from user-reported messages, along with an overview of our analysis infrastructure, CrawlerBox, designed to overcome cloaking tactics that exploit browser fingerprinting and bot detection challenges. CrawlerBox is made available as an open-source tool to assist other researchers in pursuing further studies.

Elyssa Boulila is a security researcher and a PhD student affiliated with Amadeus IT Group and EURECOM. Her research focuses on phishing and threat intelligence.