The newly-deployed tactics are either improvisations of existing evasion methods such as typo-squatting, or new approaches to foil AI detection

In analyzing telemetry from thousands of phishing emails blocked by its own systems in January 2023, one cybersecurity firm has identified three novel tactics being used to defy security teams and net unsuspecting victims.

The first new tactic involves hackers masking the URL of their phishing webpage with a link generated by Google Translate instead. This involves attackers submitting poorly-formed HTML or a non-supported language to the translation engine to get it to generate an error page containing a coded link back to the malicious spoof webpage. The tactic works better on mobile users, as desktop users can hover their mouse cursor over a URL to see if a link is suspect.

The second tactic comprises malicious emails that contain no text, only images. The images can be fake forms such as invoices, and tend to include a link or a call-back phone number that, when followed up, leads to phishing attempts. As these attacks do not include any text, traditional email security can struggle to detect them.

Finally, the last new tactic improvises on existing ‘typo-squatting’ by using special Unicode characters to evade detection. These characters can be inserted into a malicious URL embedded in a phishing email, breaking the URL pattern so that security technologies do not detect it as malicious. Detection of such attacks can also be difficult because there are legitimate purposes for the use of special characters, such as within email signatures.
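
A defender-side check for the Unicode tactic described above, as an added example that is not from the article or from Barracuda: it strips invisible format characters and folds compatibility forms before a URL is matched against a blocklist. The blocklist rule, the `example.test` domain, the sample URLs and the function names are constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed blocklist rule; example.test is a reserved test domain.
BLOCKED = re.compile(r"https?://login\.example\.test/", re.IGNORECASE)

def canonicalize(url):
    """Return (canonical_url, removed), where removed lists stripped characters.

    Unicode categories Cf (format: zero-width space, soft hyphen, ...) and
    Cc (control) render as nothing but break pattern matches. NFKC then folds
    compatibility forms such as fullwidth letters to their ASCII equivalents.
    """
    kept, removed = [], []
    for i, ch in enumerate(url):
        if unicodedata.category(ch) in ("Cf", "Cc"):
            removed.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED")))
        else:
            kept.append(ch)
    return unicodedata.normalize("NFKC", "".join(kept)), removed

def inspect_url(url):
    """Compare blocklist verdicts on the raw URL and on its canonical form."""
    canonical, removed = canonicalize(url)
    host = urlsplit(canonical).hostname or ""
    non_ascii_host = not host.isascii()  # look-alike letters survive NFKC
    return {
        "canonical": canonical,
        "removed": removed,
        "non_ascii_host": non_ascii_host,
        "raw_match": bool(BLOCKED.search(url)),
        "canonical_match": bool(BLOCKED.search(canonical)),
        "suspicious": canonical != url or non_ascii_host,
    }

# Constructed samples: clean, zero-width space, fullwidth 'e', Cyrillic 'a'.
SAMPLES = [
    "https://login.example.test/reset",
    "https://login.exa\u200bmple.test/reset",
    "https://login.\uff45xample.test/reset",
    "https://login.ex\u0430mple.test/reset",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(ascii(sample), inspect_url(sample))
```

The check is applied only to extracted URLs, not to whole message bodies, because special characters elsewhere in an email (signatures, for instance) can be legitimate.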

According to Mark Lukie, Director of Solution Architects (APAC), Barracuda, which disclosed the phishing trends, organizations need to use AI-enhanced email protection that can be trained and updated to spot such well-disguised attacks. “You also need to train employees to understand, identify and report suspicious messages, plus tools that quickly identify and remove any traces of a malicious email from user inboxes and compromised accounts if a malicious email managed to break through,” he said.