Phishing Detection Evasion Techniques

A collection of phishing techniques used to evade detection.

About this resource

This database is a collection of modern phishing detection evasion techniques, breaking down the methods that attackers are using at different stages of a phishing attack culminating in account takeover (i.e. stealing sessions, credentials, etc.). Each stage groups the techniques observed against a phase of activity that is designed to overcome a layer of security control — for example, the identification and blocking of malicious URLs, or analysing pages for malicious content.

Techniques Matrix

Click on any cell in the table below to learn more about specific phishing techniques:

Targeting	Link Delivery	Link Camouflage	TI Evasion	Anti-Analysis	Page Obfuscation	Defeat MFA & CA	Account Takeover
Apps with weak security configs	Email from legitimate app/service	Email from legitimate app/service	Trusted website hosting	Domain rotation, redirection, and load balancing	DOM obfuscation	Attacker-in-the-Middle (AiTM) phishing	Session theft
SaaS admins	In-app phishing	Trusted website hosting	Mass domain registration	Bot protection	Page obfuscation	MFA downgrade	Credential theft
Identity provider accounts	Malvertising & SEO poisoning	URL obfuscation	Domain rotation, redirection, and load balancing	Legitimate OIDC logins	Visual obfuscation	Device code phishing	Device code phishing
Granular user/domain targeting	Instant messenger (IM)		Rentable subdomains	Delayed execution	Code obfuscation	Consent phishing	Consent phishing
	Social media		Local webpage	Single-use links	Desktop control & streaming	Verification phishing	Verification phishing
	SMS			Conditional loading	Cross-domain iframes	App-specific password phishing	App-specific password phishing
	AI/LLM poisoning			Anti-sandbox		Abuse mobile user agent exceptions
	QR codes			Cross-domain iframes
	Email attachment

Get involved

This is naturally a work in progress and we plan to add and update techniques where relevant, as attacks evolve. If you'd like to contribute, you can find the matrix here.

You might also like...

We previously released the SaaS Attacks matrix, a MITRE-inspired resource for red and blue teams helping them to move away from endpoint-centric thinking when it comes to running attack simulation exercises and testing security defenses.