Here\u2019s how attackers are getting around phishing defenses | CyberScoop<\/title> <meta name=\"description\" content=\"Data from Egress looks at how hackers are successfully evading email security filters.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/email-natural-language-obfuscation-phishing-egress\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Here\u2019s how attackers are getting around phishing defenses\"> <meta property=\"og:description\" content=\"Data from Egress looks at how hackers are successfully evading email security filters.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/email-natural-language-obfuscation-phishing-egress\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-10-16T14:36:48+00:00\"> <meta property=\"article:modified_time\" content=\"2024-10-16T20:32:51+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/heres-how-attackers-are-getting-around-phishing-defenses-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1296\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Christian Vasquez\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@chrismvasq\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1725982252g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1728928671g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1729103471g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ada0ad45b21fc79c6694\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/82155\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.6.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=82155\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Femail-natural-language-obfuscation-phishing-egress%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Femail-natural-language-obfuscation-phishing-egress%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82155 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/email-natural-language-obfuscation-phishing-egress\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.675721561969\">\n<div class=\"single-article__header-content\" readability=\"32.017045454545\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/cybersecurity\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> Data from Egress looks at how hackers are successfully evading email security filters. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/82155\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"432\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/heres-how-attackers-are-getting-around-phishing-defenses.jpg?resize=640%2C432&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/heres-how-attackers-are-getting-around-phishing-defenses-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/heres-how-attackers-are-getting-around-phishing-defenses-2.jpg?resize=300,203 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/heres-how-attackers-are-getting-around-phishing-defenses-2.jpg?resize=768,518 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/heres-how-attackers-are-getting-around-phishing-defenses-2.jpg?resize=1024,691 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/heres-how-attackers-are-getting-around-phishing-defenses-2.jpg?resize=1536,1037 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/heres-how-attackers-are-getting-around-phishing-defenses-2.jpg?resize=600,405 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/heres-how-attackers-are-getting-around-phishing-defenses-2.jpg?resize=249,168 249w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/heres-how-attackers-are-getting-around-phishing-defenses-2.jpg?resize=499,337 499w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/heres-how-attackers-are-getting-around-phishing-defenses-2.jpg?resize=1000,675 1000w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/heres-how-attackers-are-getting-around-phishing-defenses-2.jpg?resize=1249,843 1249w\" sizes=\"(max-width: 1000px) 100vw, 1000px\"><figcaption> LONDON,ENGLAND – MARCH 21: (Editors note: The email address has been pixelated) In this photo illustration a spam ‘Phishing’ email is displayed on a laptop screen on March 21,2022 in London,England. (Photo by Peter Dazeley\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"33.553032870213\"><body readability=\"67.586206896552\"><\/p>\n<p>Hackers are evading natural language processing detection capabilities used to filter out phishing attacks by adding benign text and links, according to data from Egress\u2019 threat intelligence unit released Tuesday.<\/p>\n<p>Egress researchers <a href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2024\/10\/20241015-Egress-NLP-Data.pdf\">looked at 40 attacks<\/a> targeting U.S. organizations that used obfuscation techniques designed to evade anti-phishing services by using natural language processors (NLP) to send malware or malicious links. NLPs are also used by artificial intelligence models like ChatGPT.<\/p>\n<p>Egress, a KnowBe4-owned firm, said some email services use NLPs and make a calculation on whether an email is safe. Knowing these guardrails are in place, attackers are looking to manipulate NLPs with random text, links, or whitespace. If enough \u201csafe\u201d elements are detected, the email will be delivered to the victim, researchers wrote.<\/p>\n<p>\u201cIt is the attackers\u2019 hope that by stacking enough benign elements at the bottom of an email, an NLP tool will generate a general conclusion that the email is safer than it is malicious and deliver it to the recipient\u2019s inbox,\u201d Egress researchers wrote.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Dan Shiebler, head of machine learning at Abnormal Security, told CyberScoop that NLPs are among the oldest email protection techniques. NLPs look for words, phrases, or tokens that are rendered to the reader in a pattern that is likely to be spam, Shiebler said.<\/p>\n<p>\u201cThe simplest thing you do is just look at certain phrases that are going to show up in attacks and not show up in safe stuff,\u201d Shiebler said. \u201cSo if it\u2019s like \u2018Click here for penis enhancement\u2019 \u2026 you\u2019re going to see that in spam.\u201d<\/p>\n<p>But it has only been in recent years that processing power has been able to move beyond a couple of words or phrases at a time, Shiebler said. Now, statistical patterns are becoming more complex with recent advancements in artificial intelligence. <\/p>\n<p>Egress\u2019 report noted that while legitimate links to Bank of America and Uber were the most frequent sites used to evade NLP detection, random characters, breaks, and other links not included on email block lists were also found.<\/p>\n<p>Egress also noted that attackers are aiming to give NLPs more data to process.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cFor some email security tools, if an email takes too long to scan, it will be released before the scan is complete, so [a] phishing email can get through without [being] classified as malicious,\u201d the report states.<\/p>\n<p>Egress noted in a recent report on phishing that <a href=\"https:\/\/pages.egress.com\/whitepaper-phishing-trends-threat-report-10-24.html\">78% of discovered malicious emails<\/a> use two or more obfuscation techniques.<\/p>\n<p>Verizon\u2019s <a href=\"https:\/\/www.verizon.com\/business\/resources\/reports\/dbir\/\">2024 data breach investigations report<\/a> found 31% of all detected incidents involved phishing tactics.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.7872340425532\">\n<div class=\"author-card\" readability=\"9\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/heres-how-attackers-are-getting-around-phishing-defenses-1.jpg?w=640&ssl=1\" alt=\"Christian Vasquez\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Christian Vasquez<\/h4>\n<p> Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO covering cybersecurity in the energy sector. Reach out: christian.vasquez at cyberscoop dot com <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/email-natural-language-obfuscation-phishing-egress\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here\u2019s how attackers are getting around phishing defenses | CyberScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[282,78,2925,281,60,256,288],"tags":[286,86,2926,285,67,262,294],"class_list":["post-5842","post","type-post","status-publish","format-standard","hentry","category-cybercrime","category-cybersecurity","category-email","category-hacking","category-phishing","category-research","category-threats","tag-cybercrime","tag-cybersecurity","tag-email","tag-hacking","tag-phishing","tag-research","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/email\/\" rel=\"category tag\">email<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/hacking\/\" rel=\"category tag\">hacking<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/phishing\/\" rel=\"category tag\">phishing<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5842","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5842"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5842\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5842"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5842"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5842"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":5842,"date":"2024-10-16T09:36:48","date_gmt":"2024-10-16T14:36:48","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82155"},"modified":"2024-10-16T09:36:48","modified_gmt":"2024-10-16T14:36:48","slug":"heres-how-attackers-are-getting-around-phishing-defenses","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/10\/16\/heres-how-attackers-are-getting-around-phishing-defenses\/","title":{"rendered":"Here\u2019s how attackers are getting around phishing defenses"},"content":{"rendered":"