publishing date icon
November 5, 2021
read time icon
5 min. read

4 ways how hackers bypass email filters

Email filters are sworn enemies of both email marketers and malicious actors alike. When managing large phishing email campaigns, it’s vital for the bad actor to take email filters into account because the odds of someone falling for a phishing attack that’s been filtered into their junk folder is minimal.

Author image
Jon Gellin
Junior Threat Analyst
facebook iconLinkedin iconTwitter icon
Post hero image

Email filters are sworn enemies of both email marketers and malicious actors alike. When managing large phishing email campaigns, it’s vital for the bad actor to take email filters into account because the odds of someone falling for a phishing attack that’s been filtered into their junk folder is minimal.

As email marketers have faced this issue since the dawn of platform marketing tools, the internet is filled with a wide array of industry tips and tricks on how to sneak past those pesky filters. This is valuable, free intel for malicious actors.

Some common tips include:

  • Avoiding words and phrases associated with scams
  • Avoiding excessive use of capital letters and exclamation points
  • Maintaining a text-to-image ratio of 80:20
  • Using trusted domains; that plays a huge part in reaching the recipients’ inboxes

Malicious actors often must take things a step further, since the malicious content they are trying to push to their victims often raises huge red flags if spotted by email filters.

1. White text

In this example, the malicious actor has added some additional white font text to the body of the email, hiding it from the reader. The text is only exposed when it is highlighted. Computers, however, have no issue reading the text, which contains phrases copied from a children’s book published in 1921 that ultimately make spam filters less likely to treat the email as junk.

This technique is an older one, and many spam filters today are aware of it, and will treat white text on a white background as especially suspicious activity.

2. Phantom newsletter

Another quite commonly used technique is including a newsletter or some filler text far below the email body. This technique is quite efficient at raising the overall trustworthiness of an email in the eyes of a spam filter. And as an added benefit, the links might contain many trusted domains, further helping bypass filters.

In this example, malicious actors impersonate a large European financial services group to lure the victim into filling in their banking information to read a secured message from their bank.

3. Obfuscation

Spam filters use keyword matching to rule out the most common types of phishing attacks. Below is an example of a very common phishing attack, where the recipient is lead to believe their password is expiring and should therefore be changed.

The link usually says “Keep same password” but as that is an easy phrase for the spam filters to recognize, the malicious actor has tried to obfuscate it by adding special characters between the letters. The goal is to add lines of code between the letters that are visible to the spam filters but not to the human recipient. The malicious actor here has however failed miserably.

4. Bloating

In the next example threat, the attacker impersonates a Binance employee. Binance is a widely used legitimate cryptocurrency exchange. The email originates from a domain bought specifically for the campaign, very closely resembling the real domain used by Binance. With a mix of impersonation, urgency, and a good story it might lure an unsuspecting victim to give up their credentials and other personal information. As the cryptocurrency market is known to be extremely volatile, urgency is very efficient here.

This threat uses a rare technique called content bloating, in which the email body is bloated with large amounts of unnecessary content and might lead to email filters having a hard time to find similarities or giving up before being able to analyze the relevant content.

Hoxhunt response

Our Threat Analysis Team examines tens of thousands of reported phishing emails, including ones like these, a week–and have captured tens of millions of threats to date. Working together with our powerful machine learning model, they cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly-evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.

Subscribe to our newsletter