
10 Ways Phishing Bypasses SPAM Filters

Spam filters combine rule-based analysis with machine learning that identifies patterns learned from malicious emails, spam, and legitimate emails. They evaluate a range of signals, such as sender domain reputation, subject lines, words and phrases, attachments, etc. Threat actors and spam filters are constantly adapting to each other in a perpetual game of cat and mouse.

Depending on your cellular carrier, you have probably noticed the same dynamic with SPAM texts and calls.

Common Tactics Threat Actors use to Penetrate SPAM Filters

Using Legitimate Email Services:

(Image: Low Sophistication Scam that Penetrated Gmail's SPAM Filter)

Threat actors often leverage trusted platforms like Gmail, Microsoft 365, Yahoo, etc., to send emails from verified accounts, making them harder to flag as spam. An email from an @outlook.com address can often fool a user who is accustomed to seeing Outlook addresses because that is their own email platform.

These email accounts are often aged and warmed up to decrease their chances of getting caught by the SPAM Filter.

Image-Based Content:

Embedding key messaging or malicious instructions in images to evade keyword and content scanning by spam filters.

Compromised Sender Domains:

Business email compromise (BEC) was one of the most costly types of cyber crime last year. While BEC is often associated with wire fraud, compromised mailboxes are also used for social engineering, exploiting the mailbox's established sender reputation and the trust recipients already place in it.

Spoofed Sender Domains:

Threat actors often use spoofed domains to deceive both recipients and spam filters into believing the email originates from a trusted source. 

This tactic involves exploiting misconfigured or missing SPF, DKIM, and/or DMARC records on the spoofed domain, making it difficult for recipients to distinguish between legitimate emails and those spoofing the domain. By impersonating legitimate and often trusted entities, attackers increase the likelihood that recipients will open emails, click on malicious links, or download harmful attachments, making this a highly effective method for phishing and fraud campaigns.
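The misconfigurations described above can be checked from a domain's own DNS TXT records. The following is an added example written for this post, not the blog's or any vendor's code: it parses an SPF record and a DMARC record and lists the gaps that would let a spoofed From: domain pass receiver checks. The sample records are constructed; in practice they come from TXT lookups of the domain and of _dmarc.<domain>.

```python
import re

def spf_all_qualifier(spf_txt):
    """Return the qualifier on the terminal 'all' mechanism ('-', '~', '?', '+'), or None."""
    if not spf_txt or not spf_txt.lower().startswith("v=spf1"):
        return None
    for term in spf_txt.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # SPF's default qualifier is '+'
    return None  # record has no 'all' mechanism at all

def dmarc_policy(dmarc_txt):
    """Return (policy, pct) from a DMARC record, or (None, None) if absent or invalid."""
    if not dmarc_txt or not dmarc_txt.lower().startswith("v=dmarc1"):
        return None, None
    tags = {}
    for part in dmarc_txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p"), int(tags.get("pct", "100"))

def spoofing_findings(spf_txt, dmarc_txt):
    """List the conditions under which mail spoofing this domain would pass receiver checks."""
    findings = []
    q = spf_all_qualifier(spf_txt)
    if q is None:
        findings.append("SPF missing or has no 'all' mechanism")
    elif q in ("+", "?"):
        findings.append(f"SPF '{q}all' authorizes or ignores any sending host")
    elif q == "~":
        findings.append("SPF softfail (~all): spoofed mail is marked, not rejected")
    policy, pct = dmarc_policy(dmarc_txt)
    if policy is None:
        findings.append("DMARC missing: receivers cannot enforce alignment")
    elif policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"DMARC pct={pct}: only part of spoofed mail is policed")
    return findings

# Constructed sample records (not any real domain's DNS); in practice these come
# from TXT lookups of the domain itself and of _dmarc.<domain>.
WEAK = ("v=spf1 include:_spf.example.net ~all", "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
STRONG = ("v=spf1 include:_spf.example.net -all", "v=DMARC1; p=reject; pct=100")

if __name__ == "__main__":
    for label, (spf, dmarc) in (("weak", WEAK), ("strong", STRONG)):
        print(label, spoofing_findings(spf, dmarc) or ["no gaps found"])
```

A domain that returns no findings still needs DKIM signing on its legitimate mail streams, which this check does not cover.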

Domain Warming:

In addition to aging a newly registered domain, threat actors gradually increase non-malicious email activity from the newly registered domains they own, building a positive reputation before sending malicious content. This is especially effective when they prompt replies and/or inbound email or messaging. The built-up reputation increases the likelihood of getting through the SPAM filter.

Warming phone numbers used for scams has also become extremely common.

(Image: Phone Number Warming Campaign)

Selective Sending:

The more malicious emails that are sent, the higher the likelihood that the SPAM filter will detect them, so threat actors carefully target a limited number of recipients with malicious emails to avoid detection.

Delayed Activation of Malicious Content:

Embedding benign links or attachments that are turned malicious only after they have passed the initial spam filter checks is an effective tactic. Google and Microsoft spam filters open attachments and/or links in a sandbox to test for malicious functionality, so threat actors often change the behavior of the link or attachment after the email has been delivered.

Attachments such as HTML, Office, or PDF files can be crafted to load content or scripts from external domains at runtime, allowing attackers to change the hosted payload after delivery simply by updating the content on their server. Because the attachment loads or executes remote resources, its behavior can be changed dynamically without modifying the attachment or the original email.
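A defender can catch this class of attachment at the gateway by asking a simple question: which remote hosts does the file contact when opened? The following scanner is an added example for this post, not the blog's or any product's code; it is built on Python's standard html.parser and runs over a constructed sample HTML attachment whose only real logic lives on a remote server.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs through which an HTML file fetches from, or submits to, a remote host
REMOTE_ATTRS = {
    "script": ("src",), "iframe": ("src",), "frame": ("src",), "object": ("data",),
    "embed": ("src",), "link": ("href",), "img": ("src",), "form": ("action",),
}

class RemoteRefScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in REMOTE_ATTRS.get(tag, ()):
            url = attrs.get(name)
            if url and urlsplit(url).netloc:  # absolute URL naming a host
                self.refs.append((tag, name, url))
        # <meta http-equiv="refresh" content="0;url=https://..."> is a remote redirect
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            if "url=" in content.lower():
                target = content.split("=", 1)[1].strip()
                if urlsplit(target).netloc:
                    self.refs.append((tag, "content", target))

def remote_references(html_text):
    """Return every remote load/submit target found in an HTML attachment."""
    scanner = RemoteRefScanner()
    scanner.feed(html_text)
    return scanner.refs

def remote_hosts(html_text):
    """Distinct hosts the attachment contacts when opened; feed these to reputation checks."""
    return sorted({urlsplit(u).netloc.lower() for _, _, u in remote_references(html_text)})

# Constructed sample: a near-empty "document" whose behaviour lives on a remote server
SAMPLE_ATTACHMENT = """<html><head><title>Secure Document</title>
<link rel="stylesheet" href="style.css">
<script src="https://cdn.example.test/viewer.js"></script></head>
<body><form action="https://portal.example.test/submit" method="post">
<input name="code"></form>
<img src="https://cdn.example.test/logo.png"></body></html>"""

if __name__ == "__main__":
    for ref in remote_references(SAMPLE_ATTACHMENT):
        print(ref)
```

Relative references such as style.css are ignored because they resolve inside the attachment itself; only targets naming a host are reported, and those hosts are what a sandbox verdict cannot vouch for after delivery.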

Dynamic Content:

Threat actors evade spam filters by using slight, randomized variations in email structure, such as altering subject lines, body text, sender display names, or header metadata, to avoid matching known signatures or patterns. These subtle changes reduce the effectiveness of pattern-recognition and machine-learning-based detection systems that rely on consistency across large volumes of malicious emails.

Avoiding Overuse of Malicious Domains:

Threat actors are constantly rotating to new domains to prevent overexposure and blacklisting. The more a domain has been used maliciously, the more likely it is to be caught.

Data Poisoning:

Although less common, this tactic has been observed, particularly among APTs and/or well-resourced threat actors. It involves sending large volumes of emails that blend characteristics of both phishing and legitimate messages, aiming to skew the spam filter's training data and confuse its detection algorithms. You can read more about data poisoning here.

Add Social Engineering to Your Next Penetration Test

Our penetration testing services include social engineering assessments that replicate the latest techniques used by advanced threat actors, including groups like Scattered Spider and APTs. Let us help you evaluate and strengthen your organization's resilience against real-world social engineering tactics.
