How to Catch Phishers: An Overview of Technical Tools for Protecting Mail Traffic

Despite the ongoing battle against phishing attacks, their number continues to increase: in 2024, the growth was 33% compared to 2023 and 72% compared to 2022. Most often, attackers target organizations via email, since this channel has long been used by companies as the primary means of communication between employees, clients, and partners. Last year, these incidents accounted for 84%. So when we in information security talk about protection against phishing, we primarily mean the ability to detect threats in email traffic.

I'm Fyodor Grishaev, and at Positive Technologies I research cyber threats. I’ve prepared an overview of technical tools that can help repel modern phishing attacks—or reduce the risks if attackers have already made their way into the company. I broke down how these technologies work and the scenarios for using them. As you can guess, this article focuses on email traffic.

But first—a few words about why the article is relevant. Solutions for phishing protection have been written and talked about many times in our industry, but as our experience shows, the topic remains at peak popularity. More and more attackers are betting on the human factor during their attacks, and people are far from always able to recognize phishing emails. We train them, but the bad guys have already embraced artificial intelligence: combined with OSINT, content becomes impressively personalized. To land their messages perfectly, cybercriminals keep searching for ways to bypass the defenses organizations use—and that’s the main challenge for 2025. Our task is to close all the workarounds. When preparing this overview, I relied on phishing attack trends and my own experience to create a genuinely current selection.

Shield from bad emails

Let’s start with secure email gateway (SEG) solutions: they filter mail traffic, letting safe emails through and blocking messages that could potentially harm the system. Typically, a SEG is installed at the edge of the infrastructure, on the path of incoming traffic. There are no strict technical requirements for the exact point between the perimeter and the mail server where the gateway should be placed. Let’s break down how the solution detects phishing.

SMTP dialog

A SEG may contain a standalone mail transfer agent (MTA) or essentially act as one. In the latter case, the system filters SMTP connections on its own, applying primary checks that screen out suspicious traffic before the more complex tests. The analysis may include:

  • checking the HELO/EHLO, MAIL FROM, and RCPT TO values against static lists and regular expressions;

  • greylisting and rate limiting;

  • mandatory use of TLS (TLS Mandatory);

  • checking that the connecting IP address has a PTR record.

EML Headers

In the SMTP dialogue, the message itself is transmitted after the DATA command, in EML format. Each node along the route does not convert the message into some other format; it edits the plain text, adding its own metadata and sometimes altering the body of the message. Thus, one of the checks in a SEG is looking for RFC violations in the EML format. These include:

  • absence of mandatory or important headers, which may indicate the use of custom scripts for sending messages;

  • duplication of unique headers — also possible with custom programs, and it may also indicate attempts to bypass protection mechanisms, for example, when exploiting known vulnerabilities;

  • checking header values, which allows detecting signs of manual modification and determining the level of danger of violations;

  • checking the results of message processing by other protection tools (special attention is given to non-standard headers starting with X-, such as X-Spam-Status and X-Virus-Status).

Network Assets

Emails contain many references to network assets in their headers and body: hostnames, email addresses, and IP addresses. For example, a SEG can work with a static blacklist and check whether the source IP address of the SMTP connection attempting to deliver the email is on it. The gateway can also use external reputation lists and open data on attacks detected by third-party researchers. Often, attackers do not send messages directly but through intermediary mail nodes that relay from any source and domain. In this case, the following headers can be checked against external lists, databases, and threat data feeds:

  • Received — stores the route of the message;

  • X-Originating-IP — records the IP address of the client that sent the message via a webmail client.

Similar checks can be made with domains and mail addresses. Useful identifiers for analysis would include:

  • the sender headers (From, Sender);

  • the signing domain in DKIM signatures (the d= tag);

  • Return-Path (in most cases, it contains the value passed during the SMTP dialogue);

  • URL links in the body of the message.

SEG may have useful functionality to enrich network asset information with additional data. For example, IP addresses can be supplemented with information about the autonomous system number and country, while the domain can have information about the registrar and owner. This will first allow analysts to make a more precise decision when manually analyzing emails, and second, help configure filtering rules according to internal information security policies.
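As an added example (not code from the article or from any Positive Technologies product), the following script performs the EML header checks and network asset extraction described above on a constructed sample message: it flags missing mandatory headers, duplicated unique headers, upstream X-Spam-Status verdicts, and pulls out the Received IPs, DKIM d= domain, Return-Path domain, sender domains, and body URLs for list checks. The sample message, the header lists, and the domain-mismatch heuristic are assumptions.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample EML (not real traffic): it lacks a Date header, carries two
# From headers, and already has an upstream X-Spam-Status verdict.
SAMPLE_EML = b"""Received: from relay.example.net (relay.example.net [203.0.113.5])
\tby mx.example.com with ESMTPS; Mon, 3 Mar 2025 10:00:00 +0000
Received: from [198.51.100.7] by relay.example.net; Mon, 3 Mar 2025 09:59:58 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel; h=from:to; bh=xx; b=yy
Return-Path: <bounce@example.net>
From: "IT Support" <support@example.com>
From: attacker@example.net
To: user@example.com
Subject: Password expires today
X-Spam-Status: Yes, score=7.2
Message-ID: <1@example.net>
Content-Type: text/plain

Reset your password at http://example.net/reset now.
"""

REQUIRED = ("From", "Date", "Message-ID")  # From and Date are mandatory per RFC 5322
UNIQUE = ("From", "Sender", "Reply-To", "To", "Subject", "Date", "Message-ID")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def analyze(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw)  # single-part message assumed for brevity
    findings = []
    for h in REQUIRED:
        if msg.get(h) is None:
            findings.append(f"missing header: {h}")
    for h in UNIQUE:
        if len(msg.get_all(h, [])) > 1:
            findings.append(f"duplicated unique header: {h}")
    for h in ("X-Spam-Status", "X-Virus-Status"):
        if msg.get(h):
            findings.append(f"upstream verdict {h}: {msg.get(h)}")
    # Network assets to check against static, reputation and threat intelligence lists.
    ips = set()
    for hop in msg.get_all("Received", []):
        ips.update(IP_RE.findall(hop))
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = m.group(1).lower() if m else ""
    rp_domain = domain_of(msg.get("Return-Path", ""))
    from_domains = {domain_of(v) for v in msg.get_all("From", [])}
    for d in from_domains - {dkim_domain, rp_domain}:  # heuristic, an assumption
        findings.append(f"From domain {d} does not match DKIM d= or Return-Path")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    return {"findings": findings, "ips": ips, "dkim_domain": dkim_domain,
            "return_path_domain": rp_domain, "from_domains": from_domains,
            "urls": URL_RE.findall(body)}
```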

Message Content

Here, the following checks can be included:

  • determining the emotional tone of the text: for example, by analyzing sets of keywords and their combinations, you can detect signs of persuasion;

  • evaluating the similarity of a message to templates of known spam and malicious emails;

  • checking the body and technical headers of the email for compliance with the MIME standard: if there are no violations, the text and HTML parts are displayed correctly and attachments are properly attached;

  • searching for URLs: they may be found in the body of an email or in clickable elements in the HTML part;

  • graphic parsing of the HTML part and attachments: this helps to recognize text and identify encoded elements such as QR codes.

Malicious Link Detector

Now, let’s dive deeper into URL anti-phishing tools. Such a solution can work autonomously or be part of a SEG. By the way, link-checking techniques are suitable for other social engineering channels, too.

Conceptually, URL anti-phishing capabilities can be divided into three groups depending on how comprehensively the scenarios are covered.

Static Checks

This refers to making decisions without following the link. It's key to accurately extract the address from the email body without missing any components and to identify the main segments. Attackers often hide the URL of a malicious page using legitimate public services that support open redirection. Anti-phishing should not only find FQDNs, but also detect redirection.

Similar to network assets in emails, domains and IP addresses of URLs can be checked against static and external reputation lists, as well as in threat intelligence feeds.

In addition, URL anti-phishing can look for suspicious patterns in links: dashes in domains, IP addresses instead of domains, and other simple signals. For example, security tools cannot reliably detect DGA domains, so we simplified the criteria to flag excessively long names and deep nesting.
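The static checks just described, as an added example that is not part of the original article: a small URL classifier that extracts the host, applies the simple signals (IP address as host, many dashes, excessively long name, deep nesting) and detects a full URL nested in a query parameter, which is how open redirectors carry the real destination. The sample URLs, the parameter names, and the numeric thresholds are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample links (not from the article) for each pattern.
SAMPLES = [
    "https://accounts.example.com/login",
    "http://203.0.113.10/secure/update",
    "https://example-com-secure-login-verify.example.net/",
    "https://a.b.c.d.e.f.example.net/",
    "https://redirect.example.org/out?url=https%3A%2F%2Fevil.example%2Fx",
]
# Query parameter names commonly used by open redirectors (assumed list).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "goto", "target"}

def is_ip_host(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def analyze_url(url: str) -> dict:
    p = urlparse(url)
    host = (p.hostname or "").lower()
    flags = []
    if is_ip_host(host):
        flags.append("ip-address-host")
    if host.count("-") >= 3:        # thresholds below are assumptions, tune to your traffic
        flags.append("many-dashes")
    if len(host) > 40:
        flags.append("long-hostname")
    if len(host.split(".")) > 5:
        flags.append("deep-nesting")
    # Open redirect: a complete URL hidden in the query string (parse_qs percent-decodes it).
    targets = []
    for key, values in parse_qs(p.query).items():
        if key.lower() in REDIRECT_PARAMS:
            targets.extend(v for v in values if re.match(r"https?://", v))
    if targets:
        flags.append("open-redirect")
    # Recurse so the final destination gets the same checks as the visible link.
    return {"host": host, "flags": flags, "nested": [analyze_url(t) for t in targets]}
```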

Dynamic Analysis

This is the next step that allows content retrieval from the link. By executing a GET request, the tool can:

  • obtain file payloads, thereby detecting malware;

  • process the web server’s responses when following links and reconstruct redirect chains.

A significant drawback of this approach is that it does not render active content in HTML pages. Attackers frequently rely on this to counteract automated and manual web content analysis.

Dynamic Analysis with Browser Emulator

A logical solution is to embed a web browser in the URL anti-phishing tool and pass it the links for verification. This way, we won’t have to struggle with deobfuscating JavaScript code or handling the redirects and delays inside it. That means we have a better chance of getting the actual content being served to the user. But there can still be a miss here, since attackers use various anti-analysis tricks. One of them—of course—is CAPTCHA.

Traps for Malware

Under no circumstances should file-based threats be forgotten: mail traffic is a breeding ground for malicious software. The simplest protection approach is to set up filters to block incoming messages with attachments of various formats. But that’s hardly “expert” and easy enough to bypass. Besides, malicious files are not always present in emails in plain sight—they’d be discovered immediately. Usually, attackers provide a direct link to download the malware or to a file-sharing site. The most common case is sending archives (nested, split, password-protected).

Dynamic Analysis in the Sandbox

In advanced infrastructures, mail protection integrates tools for dynamic analysis of files and links—sandboxes. These help identify unknown, complex, and stealthy malware by testing suspicious documents and URLs in an isolated virtual environment that mimics the company’s infrastructure. In such conditions, malware thinks it’s in a real system and begins to act. The sandbox detects the threat and reports it to the traffic filtering solution or blocks the malware from entering the organization’s perimeter—depending on product placement and implemented attack prevention features.

For example, a SEG, as a traffic filtering system, can’t hold an open session with the sender of a suspicious email for long while waiting for the sandbox’s verdict. Often, companies won’t risk delaying incoming email, so the sandbox works on a copy of the traffic. In this scenario, it defaults to detection mode, but blocking can still be handled separately. Additional processes are implemented to send warning emails and remove dangerous messages from recipient folders, isolating users from malicious content.

What if we add an MTA with its own quarantine and message logs to the sandbox? At Positive Technologies, we decided to do just that: we are developing our own SEG-class product—PT Email Gateway—which will be integrated into PT Sandbox as a secure mail relay agent. Such a system can be deployed inline with email traffic to prevent the delivery of malicious emails. Add URL-antiphishing capability (already implemented in the product) and you get a unified solution with a single interface built on PT Email Gateway and PT Sandbox, covering all attack vectors via email. We’ll demonstrate its MVP at the end of the year at Positive Security Day.

Simulating Email Attacks

And it’s not a bad idea to integrate rules for blocking modern attacker techniques into the perimeter protection solution. Specialized email attack simulation tools, such as PT Knockin, can help you collect up-to-date samples and launch them in your infrastructure.

My colleagues investigate real security incidents and methods of hiding malicious software in email. Based on this expertise, they create phishing email samples that imitate malicious techniques. These messages can be sent to corporate mailboxes to check how protection tools handle threat detection and analysis, as well as searching for the malicious payload. Even if the security software can’t extract embedded archives or properly process invisible characters in URL links, you can configure rules for detecting phishing techniques.

Monitoring Fake Brands

Fraudulent web resources imitating an organization that are discovered in its incoming traffic reveal only the phishing attacks targeting that company. However, the same content can be used against contractors, partners, clients, and other firms. To protect the company’s reputation and goodwill, you can use digital risk protection (DRP) solutions. They can monitor for sensitive data leaks, detect illegal use of company trademarks in trading and information distribution, and track calls for attacks and other actions.

Let’s focus only on the anti-phishing module within DRP systems. It differs from similar email traffic monitoring systems. Any network asset stream of interest (domains or URLs) can serve as a data source for a DRP module. To quickly respond to suspicious addresses appearing online, the module should have access to the list of newly published and updated domains. This information is gathered and stored by registrars and zone owners, but not all of them are willing to share it. If direct cooperation isn’t possible, you can connect to data aggregators.

Another source is information on issued SSL/TLS certificates, specifically the domain names they cover. You can get the list by analyzing the logs of certification authorities that support the Certificate Transparency initiative. These logs contain all issued SSL/TLS certificates.

The list of obtained addresses needs to be regularly compared to the company's actual domain. There are two well-known techniques for doing this:

  • Check domain names for textual similarity using Levenshtein distance. If the result is zero, the strings are identical. Any difference reflects the number of changes needed to convert one domain to the other.

  • Generate many potential squatting domains based on the real address. You can get creative—swap, delete, or change characters. Use this generated list to look for similar domains among newly published and updated names.

These approaches do not guarantee 100% detection of phishing domains, but they help filter addresses well for deeper analysis. A legitimate domain profile can be created: gather hostnames, DNS data, WHOIS or RDAP information, registrar details. On the root site, look for logos, icons, contacts, social media—everything that might be of interest. Do the same for the domain being analyzed. Then compare. If there are many matches, the system will alert you to phishing.
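Both comparison techniques above, as an added example that is not part of the original article: a Levenshtein distance function, a typosquat generator for the brand’s second-level label (omission, transposition, replacement, insertion, homoglyph swaps), and a filter that runs a feed of new domains through both. The brand name, the feed, the homoglyph table, and the distance threshold are constructed assumptions.

```python
def levenshtein(a: str, b: str) -> int:
    """Classic DP: 0 means identical, otherwise the number of single-character edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "m": "rn", "e": "3"}  # assumed sample table

def squat_candidates(name: str) -> set:
    """Generate squatting variants of a second-level label: omit, swap, replace, insert, homoglyph."""
    out = set()
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])                               # omission
        if i < len(name) - 1:
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
        for c in ALPHABET:
            out.add(name[:i] + c + name[i + 1:])                       # replacement
            out.add(name[:i] + c + name[i:])                           # insertion
        if name[i] in HOMOGLYPHS:
            out.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])
    out.discard(name)
    return {v for v in out if v and not v.startswith("-") and not v.endswith("-")}

def find_lookalikes(brand_sld: str, feed, max_dist: int = 2) -> list:
    """Return (fqdn, distance, generated_match) for feed entries resembling the brand label."""
    squats = squat_candidates(brand_sld)
    hits = []
    for fqdn in feed:
        labels = fqdn.lower().rstrip(".").split(".")
        sld = labels[-2] if len(labels) >= 2 else labels[0]   # second-level label
        dist = levenshtein(sld, brand_sld)
        if dist <= max_dist or sld in squats:
            hits.append((fqdn, dist, sld in squats))
    return hits

# Constructed feed of "newly registered" names (not real data); brand label is "example".
NEW_DOMAINS = ["examp1e.com", "exmaple.net", "example-login.com", "unrelated.org", "example.org"]
```

Distance 0 on "example.org" shows the identical-label case from the text (same name in another zone); "example-login.com" escapes both techniques, which is the kind of miss the next paragraph’s profile comparison is meant to catch.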

What do you do next if perimeter solutions do not detect these attacks and cannot block them? Most country-code domain zones have rules prohibiting the publication of illegitimate content. If the zone owner refuses to suspend the domain upon request, you can contact the hosting provider and try to have the resource’s content blocked.

Phishing Watch

Finally, I'll briefly talk about solutions to counter phishing in cases where the user has already clicked on a link or opened a file.

Data leak prevention

  • It profiles users: it is possible to identify behavior patterns of each user in the protected domain. The appearance of unusual traits indicates a possible account compromise.

  • It detects atypical parts and headers of outgoing emails and checks them for data theft. Sometimes, attackers use hacked accounts for data exfiltration.

Web Proxy

  • It searches for signs of phishing in web page content before it is displayed to the user.

  • It categorizes web resources based on their content and checks links against the categorizer's database. You can also download data about malicious domains without a web categorizer—via static blacklists and third-party cyber threat databases.

  • It restricts access to resources for information exchange: email, social media, messengers, etc.

  • It allows retrospective analysis of user interactions with web resources to find the cause of an incident or discover other hidden attacks.

Multi-factor Authentication

  • It protects against using accounts in illegitimate scenarios.

  • It records multiple and periodic failed authentication attempts.

  • It limits the use of a compromised account to gain access to internal and external IT systems.


Here’s the overview. Check out the PT ESC TI blog and ESCalator Telegram channel. There, we discuss the latest threats, explore interesting techniques, and tools used by cybercriminals.
