Phishing isn’t dead, but relying on email alone doesn't cut it anymore.

Spam filters are smarter than ever. Domain reputation matters. Content is scanned and scored. Automated tools scan domains as soon as they request a TLS certificate. Most phishing emails never even make it to the inbox due to automated scanners. And when they do, users are trained to be suspicious.

In this workshop, we’ll start by looking at email, which is still the most common channel for phishing. You’ll see the increasingly ridiculous hoops attackers have to jump through just to get a single message into a user’s inbox. From domain aging and sender reputation to anti bot detection, client-side obfuscation and spam filter scoring. It’s a game of constant trial and error. We will then focus on other ways to deliver your messages through alternative, unfiltered, channels such as Microsoft Teams, QR codes, SMS, LinkedIn or shared documents.

Participants will work with real-world personas to build convincing pretexts using OSINT, and then decide how they would deliver their phishing message. If email looks too risky or unlikely to succeed, you’ll explore alternative channels like Teams, SMS, LinkedIn, or even QR codes. The goal is to think like an attacker, adapt to defenses, and figure out how the message gets through.

Key Takeaways:
- Understand why phishing via email is harder than ever and what modern filters look for
- Learn the steps attackers take to bypass spam detection and deliver a single message
- Use open source intelligence to craft realistic, targeted phishing pretexts
- Explore the importance of timing, trust signals, and context in social engineering
- Compare multiple delivery channels beyond email and assess their trade-offs
- Think like an attacker when planning phishing campaigns, and identify where defenses can fail
- Gain practical insight into how phishing simulations can be made more realistic and impactful