How does phishing bypass email filters?

How does phishing bypass email filters

According to IBM, phishing still lies at the root of 14% of all data breaches, making it the 4th most used attack vector. With the average data breach costing as much as $3.86 billion, you can’t avoid leaving any avenue unchecked. Even tech giants such as Facebook and Google have fallen victim to multi-million dollar phishing scams. Although many security solutions have built-in phishing detection and prevention tools, attackers are continuously discovering new techniques for phishing filter evasion.

Addressing any potential security holes you might have starts with knowing what to look out for. With that in mind, here are some of the common methods used to bypass email filters.

Malicious links in document attachments

Attaching malicious files to emails is a low-effort attack vector in phishing attacks. Email filtering tools at all levels of sophistication check email attachments for potential malware-carrying files.

Particularly in an organization or business-context, sharing documents in office formats, such as .docx, .xlsx, .pptx is almost unavoidable. These files usually consist of a number of XML files that describe the content, formatting, etc.


Increase your organization’s security through our phishing attack simulation. Our team will conduct an in-depth analysis of your company email system (encryption, filters, protocols, etc.).


Most attachment scanning tools check the related xml.rels file for suspicious external links. However, if attackers manage to place links in the documents, but remove them from the xml.rels file, they can often slip under the radar.

Embedded HTML images

Depending on the situation, attackers can spend a significant amount of time scoping out potential victims for weaknesses.

One commonly used method to get information on the targeted server’s configuration and filtering tools is by embedding HTML images in phishing emails. The images are hosted on a malicious server that, when requested by the email application, can analyze the GET request to confirm whether or not the targeted email server allows external communication.

This vector has a simple solution: block embedded images from being rendered. Of course, this will also break images in trusted emails which could lead to lost information or impact the user experience. However, that’s a relatively small price to pay to deter attacks.

Obfuscating suspicious language or links

Most spam or phishing filtering tools use keyword detection to filter potentially malicious content. These can be common spam words like “sex,” “free cash,” etc. Subject lines or content may also contain aggressive, provocative, or alarming language in order to force user attention.

Email filters have become very proficient at detecting these danger signs. In a business context, filters can be even stricter to target any emails that appear non-work related.

To get around these measures, some actors resort to sending spam emails in foreign languages. Or, use methods that hide text to avoid the recipient’s suspicion and to confuse security systems.

Similarly, emails with Bitcoin or other crypto address links are also commonly filtered as these are often provided when extorting ransomware victims for money. There are numerous ways to obfuscate suspicious links, such as using a URL-shortener, splitting links into multiple parts, etc.

Typical off-the-shelf consumer-grade email filtering tools might not be sophisticated enough to unravel these techniques.

Sophisticated spoofing

Despite being one of the more common and easy to detect methods of trying to fool unwary recipients, spoofing still causes hundreds of millions of dollars in damage each year.
That being said, even relatively simple spam filtering tools are adept at spotting and isolating obvious spoofing attempts, such as changing a domain (e.g. “”) to “”

However, attackers are now using more advanced spoofing techniques, allowing them to completely DNS spoofing or IP hijacking to actually use the domain of a legitimate service. It can also reroute traffic to the legitimate DNS to malicious servers.

Email security protocols such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) can be used to harden your own spoofing detection as well as to prevent your DNS from being used in spoofing attempts – a practice that can also cost your business and harm your reputation.

Additional steps to defend against phishing attacks

The more sophisticated and advanced your email filtering solution, the more likely it is to catch these attempts. However, you might also need to shore up your email security further by implementing other protocols, such as SPF, DKIM, and DMARC.

To cover the maximum number of attack vectors, you may also want to implement the following countermeasures, although they all come with operational considerations:

  • Whitelist only trusted domains
  • Block email from newly registered domains
  • Phishing awareness and training
  • Invest in enterprise-grade endpoint security