Flying Under the Radar – Security Evasion Techniques


Dive into the evolution of phishing and malware evasion techniques and understand how attackers are using increasingly sophisticated methods to bypass security measures.

“I really like the saying that ‘This is out of scope’ said no hacker ever. Whether it’s tricks, techniques or technologies, hackers will do anything to evade detection and make sure their attack is successful,” says Etay Maor, Chief Security Strategist at Cato Networks and member of Cato CTRL. Phishing attacks have transformed significantly over the years. 15-20 years ago, simple phishing sites were sufficient for capturing the crown jewels of the time – credit card details. Today, attacks and defense methods have become much more sophisticated, as we’ll detail below.

“This is also the time where the ‘cat-and-mouse’ attack-defense game began,” says Tal Darsan, Security Manager and member of Cato CTRL. At the time, a major defense technique against credit card phishing sites involved flooding them with large volumes of numbers, in hopes of overwhelming them so they couldn’t identify the real credit card details.

But threat actors adapted by validating data using methods like the Luhn algorithm to verify real credit cards, checking issuer information via Bank Identification Numbers (BIN), and performing micro-donations to test if the card was active.

Here’s an example of how attackers validated credit card numbers entered into phishing sites:

As phishing grew more advanced, attackers added anti-research techniques to prevent security analysts from studying and shutting down their operations. Common strategies included IP blocking after one-time access to create a false pretense that the phishing site was shut down, and detecting proxy servers, as researchers often use proxies when investigating.

The attacker code for one-time IP address access:

The attacker code for proxy identification:

Attackers have also been randomizing folder structures in their URLs during the past decades, deterring researchers from tracking phishing sites based on common directory names used in phishing kits. This can be seen in the image below:

Another way to evade security controls in the past was to modify malware signatures with crypting services. This made it undetectable by signature-based antivirus systems. Here’s an example of such a service that was once very popular:

Let’s move on to other modern evasion techniques. The first is a phishing attack that gathers detailed device information from its victims, such as Windows version, IP address, and antivirus software, so attackers can better impersonate the victim’s device.

This data helps them bypass security checks, like device ID verification, which organizations, like banks, use to confirm legitimate logins. By replicating the victim’s device environment (e.g., Windows version, media player details, hardware specs), attackers can avoid suspicion when logging in from different locations or devices.

Some dark web services even provide pre-configured virtual machines that mirror the victim’s device profile (see image below), adding an extra layer of anonymity for attackers and enabling safer access to compromised accounts. This demonstrates how data science and customization have become integral to criminal operations.

In another case, defenders faced a gang using malware to exploit live bank sessions, waiting for victims to log in before swiftly performing unauthorized transactions. The challenge was that these actions appeared to come from the victim’s own authenticated session, making detection difficult.

This resulted in a cat-and-mouse game between attackers and defenders:

This illustrates the complexity of detecting sophisticated, automated banking fraud amidst legitimate transactions.

Now let’s move on to more recent attacks. One of the most prominent attacks analyzed by Cato CTRL included a clever phishing attack designed to mimic Microsoft support. The incident began with a 403 error message that directed the user to a page claiming to be “Microsoft support”, complete with prompts to “get the right help and support.” The page presented options for “Home” or “Business” support, but regardless of which option was chosen, it redirected the user to a convincing Office 365 login page.

This fake login page was crafted as part of a social engineering scheme to trick users into entering their Microsoft credentials. The attack leveraged psychological triggers, such as mimicking error messages and support prompts, to build credibility and exploit the user’s trust in Microsoft’s brand. This was a sophisticated phishing attempt, focusing on social engineering rather than relying solely on advanced evasion techniques.

In this next analysis, Cato CTRL investigated a phishing attack that employed complex redirection techniques to evade detection. The process began with a deceptive initial link, disguised as a popular search engine in China, which redirected through multiple URLs (using HTTP status codes like 402 and 301) before eventually landing on a phishing page hosted on a decentralized web (IPFS) link. This multi-step redirection sequence complicates tracking and logging, making it harder for cybersecurity researchers to trace the true origin of the phishing page.
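
For defenders, a chain like the one described above can be rebuilt from proxy or sandbox logs and scored on two traits: how many distinct hosts it crosses and whether it ends on IPFS-hosted content. The sketch below is an added example, not Cato CTRL's tooling; the record layout (url, status, next requested URL), the threshold, the host names and the CID are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# CIDv0 is "Qm" + 44 base58 characters; CIDv1 in base32 starts with "baf".
CID_V0 = r"Qm[1-9A-HJ-NP-Za-km-z]{44}"
CID_V1 = r"baf[a-z2-7]{50,}"
IPFS_PATH = re.compile(rf"^/ipfs/(?:{CID_V0}|{CID_V1})(?:/|$)")
IPFS_HOST = re.compile(rf"^{CID_V1}\.ipfs\.")  # subdomain-style gateway

def is_ipfs_url(url):
    parts = urlsplit(url)
    return bool(IPFS_PATH.match(parts.path) or IPFS_HOST.match(parts.hostname or ""))

def rebuild_chain(start, records):
    """records: (url, status, next_url) rows. Hops are followed by the next
    observed request, not by status code, because a hop can also be driven
    by page script or a meta refresh. Stops on a loop."""
    by_url = {url: (status, nxt) for url, status, nxt in records}
    chain, seen, url = [], set(), start
    while url and url not in seen:
        seen.add(url)
        status, nxt = by_url.get(url, (None, None))
        chain.append((url, status))
        url = nxt
    return chain

def assess(chain, min_hosts=3):  # min_hosts is an assumed tuning value
    hosts = []
    for url, _ in chain:
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    on_ipfs = is_ipfs_url(chain[-1][0])
    return {
        "hops": len(chain) - 1,
        "hosts": hosts,
        "statuses": [s for _, s in chain if s is not None],
        "lands_on_ipfs": on_ipfs,
        "suspicious": on_ipfs and len(hosts) >= min_hosts,
    }

# Constructed sample: placeholder CID and reserved .example host names.
CID = "bafybei" + "a" * 52
LANDING = f"https://gateway.example/ipfs/{CID}/index.html"
SAMPLE = [
    ("https://search.example/link?url=x", 301, "https://hop1.example/r"),
    ("https://hop1.example/r", 402, "https://hop2.example/go"),
    ("https://hop2.example/go", 301, LANDING),
    (LANDING, 200, None),
]
```

Calling `assess(rebuild_chain(SAMPLE[0][0], SAMPLE))` returns the hop count, the ordered host list and the status codes, which is the minimum an analyst needs to log so that the landing page can be tied back to the initial lure.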

As the investigation continued, the Cato CTRL researcher encountered multiple evasion techniques embedded within the phishing site’s code. For example, the phishing page included Base64-encoded JavaScript that blocked keyboard interactions, effectively disabling the researcher’s ability to access or analyze the code directly. Additional obfuscation tactics included breakpoints in the developer tools, which forced redirection to the legitimate Microsoft homepage to hinder further inspection.

By disabling these breakpoints in Chrome’s developer tools, the researcher eventually bypassed these barriers, allowing full access to the phishing site’s source code. This tactic highlights the sophisticated, layered defenses attackers implement to thwart analysis and delay detection, leveraging anti-sandboxing, JavaScript obfuscation and redirection chains.
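
The anti-analysis behaviours described above can also be surfaced without opening the page in a browser at all, by decoding Base64 runs found in the saved page source and checking the decoded script for telltale constructs. This is an added example, not code from the investigation; the marker patterns are assumptions about how keyboard blocking, debugger traps and forced redirects commonly appear in script source, and the sample page is constructed.

```python
import base64
import binascii
import re

# Runs of 40+ Base64 characters are treated as candidate encoded payloads.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Assumed indicators for the behaviours described in the text.
MARKERS = {
    "keyboard_blocked": re.compile(
        r"(?:onkey(?:down|up|press)|addEventListener\(\s*['\"]key(?:down|up|press))"
        r".*?(?:preventDefault|return\s+false)", re.S),
    "debugger_trap": re.compile(r"\bdebugger\b"),
    "forced_redirect": re.compile(r"location\.(?:href|replace|assign)"),
}

def decode_blobs(html):
    """Yield the text of every Base64 run that decodes to valid UTF-8."""
    for match in B64_BLOB.finditer(html):
        blob = match.group(0)
        blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
        try:
            yield base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not Base64 text after all (e.g. a long identifier)

def triage(html):
    """Return the sorted names of markers found in decoded script text."""
    hits = set()
    for text in decode_blobs(html):
        hits.update(name for name, rx in MARKERS.items() if rx.search(text))
    return sorted(hits)

# Constructed sample page: an inline script that decodes and runs a payload.
SAMPLE_JS = (
    "document.onkeydown = function (e) { e.preventDefault(); };\n"
    "setInterval(function () { debugger; }, 500);"
)
SAMPLE_PAGE = '<html><script>eval(atob("%s"))</script></html>' % (
    base64.b64encode(SAMPLE_JS.encode()).decode()
)
```

A non-empty result from `triage()` is a reason to analyse the page with breakpoints disabled or from saved source, as the researcher did, rather than a verdict on its own.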

Attackers are constantly adapting their own defense techniques to avoid detection. Researchers have relied on static elements, such as image resources and icons, to identify phishing pages. For instance, phishing sites targeting Microsoft 365 often replicate official logos and icons without altering names or metadata, making them easier to spot. Initially, this consistency gave defenders a reliable detection method.

However, threat actors have adapted by randomizing almost every element of their phishing pages.

To evade detection, attackers now:

Despite these techniques, defenders have found new ways to bypass these evasions, although it’s an ongoing game of adaptation between attackers and researchers.

The masterclass reveals many more malware and phishing attacks and how they evade traditional measures, including:

How can defenders gain the upper hand in this ongoing cat-and-mouse game? Here are a few strategies:

Watch the entire masterclass here.
