Casey Ellis
Hey, everyone, this is Casey Ellis with the Risky Business podcast. Today I'm doing a sponsored interview with Jacques, the Chief Product Officer and co-founder of Push Security. Jacques and I talk about the past, present, and future of phishing, what the bad guys are up to, and some of the wacky things that Push get to see from a data standpoint, sitting in between, you know, the adversary and people clicking on things in their browser. So enjoy. Jacques, we're talking about, you know, we've been talking about phishing and just kind of the different, the different techniques and the different things that are, that are going on out in the, the big bad Internet. And obviously Push Security is, is like neck deep in, in seeing that from like a defense, but also a threat intelligence standpoint. But also, you know, when you think about it, like phishing as a concept probably first got introduced, what, 30 years ago, and it's evolved a fair bit since then. So, you know, what's the latest and greatest?
Jacques
Yeah, man. That sort of classic phishing we all grew up with and used to do when we were starting out as pen testers, you know, you had like a static HTML site that popped up, looked somewhat convincing, really. It was all about the lure. But I think if you're looking at, like, what they need to do today, it's a hell of a lot more. So the complexity has just ramped through the roof.
Casey Ellis
Yeah. So in what ways are you talking about, you know, the complexity in terms of what folks have to get around to be successful in phishing or kind of the attack surface they've got available to play with at this point?
Jacques
Yeah, I mean, probably both, you know, but yeah, I think the core thing to look at is just like, what they have to get around to succeed. You know, the days of, like, fire an email, have a link in the email, you click the link and get to a phishing page are long, long over. If you look at stuff that actually works, the stuff that people are actually using to do account takeover with, there are basically like, if you think about how those sites are detected and stopped, because, you know, once it gets into a phish, once it gets into a TI feed, there's a million ways to block it, but something has to get it into that TI feed, right? Something has to get it into that block domain list. So new phishing website pops up. The only ways to do that, there are like sort of three classic ways to do that. So you scan the email for links, open that link in a sandbox. Well, you don't open the link in a sandbox, you replace the link with a rewrite. Then when the user clicks that link, then you open it in a sandbox. Otherwise your email scanning appliance starts opting you into and out of a bunch of stuff. So this has to happen in parallel once the user clicks. So that means the first user that clicks that thing goes straight through to the phishing site and it tells you afterwards whether it was phishing or not. Just limited use.
Casey Ellis
And you're not really preventing things at that point. You're more like, hey, sorry.
Jacques
Yeah, yeah, I mean like if 100 people got the same link, you know, maybe by the time, you know, the nth person does click on that, maybe at that point you've like removed the emails and cleaned the link. But yeah, certainly the first couple of people go straight through. So now we're seeing attackers just like pop unique links for everything. And that goes completely out. You can proactively scan just like every website that gets spun up. So you ingest transparency logs. You know, if you've got Google scale, DNS and just web visibility, you can kind of do that. And people are doing that successfully today. Again, open it up in a sandbox, relies on that sandbox piece and you know, scan it before, get it onto that block list or that TI feed or wherever you're doing before basically anyone, before the emails even get sent out or that's the idea. And then I guess the last way of doing that is just looking at the, I mean, it has to be decrypted web traffic. So you look at proxy, you have to look at like the actual content of what's going through this proxy and inspect that. And you can, I mean there are definitely things you can look at there depending on which technique is being used. I mean, if it's the same phish kit that's been used a dozen times, you can start building indicators for those things. But again, ways to work around that. So sure. And basically the last big thing has been. Yeah, I mean the detection isn't working. So let's do MFA. I think that's been kind of the big trigger for a lot of the new features and the big changes.
Casey Ellis
That makes sense. I mean, in terms of some of the evolutions on the defensive side, I guess what are you seeing? What are you seeing the bad guys do? Because you know, I would, I would imagine that the, the telemetry you guys have access to is, is pretty interesting. Like you're right there at the coal face and you got a, you know, obviously a kind of you know, over the shoulder, I guess, view of what's happening there, like what's, what's working, what are the bad guys doing? What's actually working at this point, do you think?
Jacques
Yeah, I mean it's, it's so interesting to watch the evolution. I mean these guys are like just, they're devving in prod. Right. I mean you're seeing like half working JavaScript fragments and just, I assume all kinds of vibe coding happening. So it's pretty crazy having that insight.
Casey Ellis
Of all the other stuff, like vibe crying. I guess.
Jacques
Guess that's it. Yeah, why not? Of course it's going to happen. But yeah, I think, I mean like if you look at the big things that they're changing and doing, you know, top level, I think the first thing is just MFA is a thing. It's now a thing everywhere, especially on SSO. So you have to do attacker in the middle and you have to be doing downgrade attacks. So just classic man in the middle stuff. You're not actually accessing a website on that domain. You're just hitting a reverse proxy to the actual Microsoft or Google login page. And as you actually log into the real thing, it's just taking the session and running away with that. So yeah, it's a pretty genius move. I mean it's been around forever but now it's like it's probably, I don't know, 10, 15% of what we see is like just these kind of like really, really thin reverse proxy stuff.
Casey Ellis
Wow.
Jacques
It's a big chunk of it, you know, so like the only thing they actually modify is inject a little bit of code to do MFA downgrade. So you know, you have your good MFA method, but that SMS method you enrolled three years ago. Yeah, that's still there.
Casey Ellis
That's still there, yeah.
Jacques
So when Google says how do you want to MFA, phishing site says yeah, I'm going to choose the MFA, the SMS option. And you know.
Casey Ellis
Got it.
Jacques
Yeah. And then I think that the next major, major innovation is just like the sandbox evasion part. I mean I say sandbox, but really what I'm just saying is like it's a headless browser. Yeah. I mean that's what an email or like what a web sandbox is. It's a headless browser. I mean otherwise known as a bot. I mean if you were doing the same thing for scraping, you would just call it a bot, right. And guess what a legitimate security tool is: bot protection. I mean there's a Gartner Magic Quadrant for bot protection. So these guys are just using like legitimate bot protection tools to kill the sandboxes. Right? I mean, like, so now it's like good security, fighting good security. So it's perfect. I mean, we literally see, I can't tell you, like, what tiny percentage of things we see that don't implement Cloudflare Turnstile. I mean, like that, you know, go look on any website, like if you want to catch phishing, go onto urlscan and search for screenshots of the Cloudflare Turnstile.
Casey Ellis
Oh yeah, right.
Jacques
Sort of waiting page. Because that's where they all get stuck. You just have to do any kind of user interaction. You break those sandboxes completely.
Casey Ellis
That's fun. So they're basically, you know, they've gotten themselves some infrastructure devs or, you know, like a proper security team out in bad guy land. They're starting to implement the things that, that we've been doing in order to protect their operation.
Jacques
Right, exactly. And I mean, that first layer is just like everything interesting happens after that because no security appliance gets to the thing after that. Or like the majority assume don't because it's so pervasive. Like just nothing doesn't do this. We've even seen the guys like getting a little bit more sophisticated. I assume someone's figured out how to get around Turnstile. So now we saw a kit a couple of weeks ago that was doing like, you know, they do sort of like minimal user interaction. You have to click here, you have to do something, which normally is enough, but someone put like a phishing thing behind a like legitimate Google OIDC login. So you have to log in with your Google account to a legitimate website and then you get to the phishing website. That's perfect. Sandbox prevention, right? I mean, there's no sandbox that's going to get there. So yeah, that kills like the automated scanning.
Casey Ellis
Wow. Okay, so, so, so in terms of, I mean, we, we've talked about, you know, phishing past and phishing present, I guess speaking about like vibe chroming and, and, and sort of the, the, the red on blue stuff you were just talking about in terms of attackers actually getting better at defending themselves, but obviously, you know, adapting past what we do to try to stop them. Like, where do you see that going from here? Because, you know, I think a lot of these sort of innovations, I guess that you've just talked about are in response to, to us or making attacker life a little bit more difficult. And we're not going to stop doing that, but they're not going to stop needing to eat and wanting to fish to pay the bills. So where do you see it go from here?
Jacques
Yeah, I mean there's some new techniques that are happening which are like. A lot of that is as you said, like the vibe coding side of things and what they're doing in code. I think that's maybe there's a lot of just obfuscation and these websites are getting incredibly dynamic and it's just changing and you can understand it's just like to get around static network fingerprints and all that kind of thing. It makes sense what they're doing. But I think the big innovation at the moment is happening just like in the delivery mechanism. I'm not sure whether this is better protection or just email getting less relevant. In business comms, no one trusts, I don't know, I suddenly look twice at an email, at a link, at an email or anything coming from an email. I'm looking for reasons not to interact with email. So I don't know whether that's the driver. But just where we see the links coming from, it's increasingly just anything. You can get an IM or a DM from someone external. So, you know, Slack allows you to connect with people externally, so does Teams, so does LinkedIn, Reddit, Discord. Everything allows you to like do some kind of comms and all those things are being used. But like there's cool malvertising attacks. There was a Scattered Spider or. Yeah, Scattered Spider community, I guess, rather than group or whatever we're calling it now.
Casey Ellis
Yeah, do you want to talk through that one? You mentioned that sort of being kind of non traditional, some of the more recent stuff that they've been up to.
Jacques
Yeah, yeah. So especially the delivery mechanisms have been quite cool. So they're using the classic sort of freely available Evilginx, you know, reverse proxy attacker in the middle style tooling, like for pen testers, but now for crime and that's been. Yeah, I mean we're seeing that. Like I say it must be. I don't have the exact stat over the last month, but it must be like between 10 and 15% of the bad stuff is just Evilginx.
Casey Ellis
Right.
Jacques
So the delivery mechanism for that one was quite interesting. This is actually on Fido. They're an identity product in the same space. So if you googled them, they were like the number one ad hit. And that was just solidly, obviously just a highly paid ad hit. And that went straight to a phishing attack.
Casey Ellis
Oh, wow.
Jacques
Yeah, we've done a blog post around this, but it was quite an interesting thing because you can see a lot of the other infrastructure matches the Scattered Spider stuff. But this kind of like just doing. Using malvertising. Of course, why not? Why wouldn't this work?
Casey Ellis
If it works, do it so like a really targeted, almost kind of watering hole type attack, but through Google Ads.
Jacques
As a delivery mechanism, it turns out if people. Yeah, it's interesting for us being in the browser because we can. Yeah, you have a lot of investigation capability here. And turns out like if you look at the history of how people get to a login page for most SaaS apps, they don't actually type the domain name in. It turns out if you want to get to an app, most people are just googling the app name and then clicking the first link that comes up in Google. Right. It's weird, but it makes sense after you know it. So yeah, if you're phishing for that app.
Casey Ellis
Yeah, I mean it's kind of. It's how we've taught people to use the Internet at this point. So yeah, it's maybe a little bit weird from a technical standpoint, but that's the user behavior I guess we have to work with these days. Right.
Jacques
And yeah, the attackers have definitely figured that out.
Casey Ellis
Yeah, absolutely. We're talking about. So what's the, I guess the role of, in terms of building out resistance to this type of thing at kind of the enterprise level? What's the role of passkeys in that at this point in time? Are they effective? Is there, you know, some of the attacks that you're talking about that can, that can potentially evade that or how attackers are kind of working around that particular protection? I guess from a phishing cred standpoint.
Jacques
I think passkeys are a must. They are definitely being effective. I think there are edge cases for sure. I mean, you know, having like a strong YubiKey auth mechanism is great, but you need to make sure that you unenroll all the old stuff and you can't just downgrade to whatever the previous thing was. But it's like even if you just can phish the creds and you don't get all the way through to the session, it's so much easier to convince the support desk to just do an MFA reset versus doing the whole password reset and then an MFA reset. So yeah, it's not bulletproof, but it's helping a lot. I think it's helping to the extent that a lot of the. I think the attackers have figured out something that most teams haven't figured out is that they actually have a ton of important stuff that isn't behind SSO.
Casey Ellis
Right.
Jacques
So we've kind of seen glimpses of that. You know, we saw the Snowflake breach and suddenly everyone realized, oh, yeah, there might actually be critical data in apps that aren't yet in our SSO. So I think we're definitely starting to see. I mean, it used to be like, even just three months ago, I think it was like 99% of phishing was just Microsoft, Okta, Google, in that order.
Casey Ellis
Right.
Jacques
And now it's like, yeah, we're definitely starting to see people phishing other things. I mean, there have been news stories and we saw Troy's story about, you know, his Mailchimp, like, much more targeted phishing attacks, the on Friday stuff. So definitely people are figuring out like, yeah, I mean, the attackers aren't just going to hang up their clogs and go, oh, passkeys. We'll just stop now. What is the next easiest thing to do? Cool.
Casey Ellis
Yeah, that makes a lot of sense. It's interesting hearing you call that out, you know, thinking about it through the lens of, you know, we've kind of ragged on vibe thing a couple of times. But, you know, the, the adoption, I guess, the pressure to adopt AI in the enterprise and sort of this whole shadow AI phenomena and then kind of data just sloshing around all over the place as people are trying to build stuff out. Yeah. Attackers being aware of the fact that, hey, the crown jewels might be somewhere, you know, other than where you expect them to be. And that might involve actually getting a credit for a third party and going, you know, dumpster diving at that point. Is that. Is that the kind of thing you're referring to there?
Jacques
Yeah, 100%. I mean, I think there's the good thing about the, you know, the recent AI sprint is everybody's now very aware that this is going everywhere and it's kind of real because I think everybody is now starting to put data in there. It's not just the developers anymore. It's not just, you know, XYZ team. It's now kind of everyone is doing this. But the problem is, if you look at the stuff that we see, the sort of SSO adoption rate, because that's kind of a big part of the Push platform is we do the phishing stuff. But there's also, from the browser telemetry, we have incredible visibility of every identity, every time someone logs into any app, we can see how they're logging into that app. Is it SAML? Is it OIDC? Is it a password? Which SSO is it connected to? You can see if the password is typed, pasted, was it entered by a password manager? Is there MFA on the account? Is the password weak? Is it a breached password? Was it stolen? So when you start seeing that stuff and you're saying, yeah, okay, I mean I see everybody talk about the AI thing, but the problem is like file sharing apps, it's dev platforms. I can see. Cool. There's AWS here and there's a lot of this AWS that's SSO, but here's a bunch of AWS. It's definitely just people logging in with passwords. What is that? Are those dev instances? Like which tenants are these? Because if you think 100% of it's SSO. Yeah. Doesn't line up with reality, that makes.
Casey Ellis
A lot of sense. Well, that's, yeah, that's all, you know, scary and fun and interesting. It's, yeah, definitely a busy season for you guys, I guess. What's next from a push standpoint? What are you guys up to over the next period?
Jacques
A lot.
Casey Ellis
That you can talk about obviously, because I understand release schedules and all that other stuff. But you know, just in terms of how you guys are kind of rising to this or where can people find you over the next. A couple of months ahead of summer camp.
Jacques
It's more of what we're doing already I think. There is so much happening in the space and we're just seeing like every time we release new detections, like it gets better and better and we're just seeing the volumes of things coming in and getting through whatever was there already. A lot of it's getting through and a lot of the detections are really working. So we've got some big features to help us do much more in depth detection. Some things that are going to help us really like sort of flight record data that's happening and better investigate those things so we can turn around these detections in a much quicker. Yeah, just much, much, much faster time span. But also then shifting a lot of those detections from things that are very, you know, sort of signatures to a lot more behavioral things. So there are some very common traits across these, like all these phishing kits. And when you look at them, you recognize like, ah, okay. You know, it's the first time you're accessing this page. No cookies here. Okay. You're going through a Cloudflare Turnstile. Then you're being asked to enter an email address. Then you're being asked to type into a password box. I mean, like at that point, how.
Casey Ellis
Many apps Heuristically, you're pretty confident at that point.
Jacques
Yeah, one or two more techniques. And so then you're busy collecting a feed of, okay, maybe 50% of that is some random website. 50% is phishing. And then to look at that 50% and turn out signatures and better detections, then you're just in a much faster timeline.
Casey Ellis
Very cool. Well, look, we're coming up on time. So for folks that are interested or they're hearing about Push for the first time, wanting to get in touch, how do they do that? And we'll, we'll wrap it up there.
Jacques
Come to the website, book a demo, come see what it's about.
Casey Ellis
Beautiful. All right, well, thank you, Jacques. It's been great to catch up, man.
Jacques
Yeah, cheers. Lovely talking.
Risky Bulletin Podcast Summary
Episode: Sponsored: Phishing Crews Have Gotten Really Good at Evasion
Host: Casey Ellis
Guest: Jacques, Chief Product Officer and Co-Founder of Push Security
Release Date: June 9, 2025
In this episode of Risky Bulletin, host Casey Ellis engages in an insightful conversation with Jacques, the Chief Product Officer and Co-Founder of Push Security. The discussion delves into the evolving landscape of phishing attacks, exploring the sophisticated techniques employed by cyber adversaries, the defensive measures being implemented, and the future trajectory of phishing threats.
Past vs. Present Techniques
Jacques begins by contrasting traditional phishing methods with contemporary strategies. He reflects on the "classic phishing" era, where attackers utilized static HTML pages and straightforward email lures to deceive victims.
Jacques [00:52]: "That sort of classic phishing we all grew up with... it was all about the lure. But I think if you're looking at, like, what they need to do today, it's a hell of a lot more. So the complexity has just ramped through the roof."
Increased Complexity and Evasion
Modern phishing campaigns have evolved beyond simple email links. Attackers now deploy unique, dynamically generated links that are challenging to scan and block proactively. This shift necessitates more advanced detection mechanisms to counteract the sophisticated evasion tactics.
Jacques [01:25]: "Now we're seeing attackers just like pop unique links for everything. And that goes completely out. You can proactively scan just like every website that gets spun up."
MFA Downgrade Attacks
With the widespread adoption of Multi-Factor Authentication (MFA), attackers have adapted by implementing downgrade attacks. These involve intercepting MFA prompts and coercing users into selecting less secure authentication methods, such as SMS-based verification.
Jacques [05:35]: "They're injecting a little bit of code to do MFA downgrade... so when Google says how do you want to MFA phishing site says yeah, I'm going to choose the SMS option."
Sandbox and Bot Evasion
Attackers have also become adept at evading sandbox defenses. By leveraging advanced bot protection tools, such as Cloudflare Turnstile, phishing sites can avoid detection by automated scanning systems.
Jacques [06:57]: "They've started using legitimate bot protection tools to kill the sandboxes. So now it's like good security, fighting good security."
From Email to Diverse Communication Channels
The traditional reliance on email for phishing has waned as organizations bolster their email security. Instead, attackers now exploit a variety of communication platforms, including instant messaging apps like Slack and Teams, social networks like LinkedIn and Reddit, and even malicious advertisements.
Jacques [08:43]: "The delivery mechanisms have been quite cool. Now they're using... IM or a DM from someone external. So everything allows you to do some kind of comms and all those things are being used."
Case Study: Scattered Spider Community
A notable example discussed is the Scattered Spider community, which utilizes tools like Evilginx to deliver phishing attacks via highly targeted Google Ads. This method capitalizes on the user behavior of searching for legitimate services and clicking on top search results, inadvertently directing them to malicious sites.
Jacques [10:52]: "This is actually on Fido... it was quite solidly, obviously just a highly paid ad hit. And that went straight to a phishing attack."
Reliance on Search Engines
User habits significantly influence the effectiveness of phishing campaigns. Many users prefer searching for application login pages rather than directly typing URLs, making them susceptible to attackers who manipulate search engine results.
Jacques [11:46]: "If you look at the history of how people get to a login page for most SaaS apps, they don't actually type the domain name in. They're just googling the app name and then clicking the first link that comes up."
Adoption of Passkeys
Passkeys have emerged as a robust defense against phishing. While not entirely foolproof, they substantially reduce the risk by eliminating the reliance on password-based authentication.
Jacques [12:24]: "Passkeys are a must. They are definitely being effective... even if you just can fish the creds and you don't get all the way through to the session, it's so much easier to convince the support desk to just do an MFA reset."
Limitations and Areas for Improvement
Despite their effectiveness, passkeys have edge cases. Ensuring complete un-enrollment of outdated authentication methods is crucial to prevent attackers from downgrading security measures.
Jacques [13:16]: "We saw the Snowflake breach and suddenly everyone realized... there might actually be critical data in apps that aren't yet in our SSO."
Behavioral Detection Enhancements
Push Security is focusing on transitioning from signature-based detections to behavioral analyses. By identifying common traits across phishing kits, such as cookie absence or the presence of cloud-based challenge pages, they aim to detect and mitigate threats more swiftly and accurately.
Jacques [16:31]: "We're shifting a lot of those detections from things that are very, you know, sort of signatures to a lot more behavioral things."
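The trait chain Jacques describes (cookie-less first visit, bot challenge, then an email prompt, then a password box) can be scored as a simple heuristic over browser telemetry. The block below is an added illustration, not Push Security's code; the event schema, the weights, the threshold and the list of known login origins are all assumptions made up for the example.

```python
"""Toy behavioural scorer for phishing-kit traits seen in browser telemetry.

Added example, not Push Security's detection logic. Event dicts, weights,
threshold and KNOWN_LOGIN_ORIGINS are assumptions for illustration only.
"""
from dataclasses import dataclass, field

# Trait weights (assumed). The ordered chain challenge -> email -> password on a
# cookie-less first visit is the pattern described in the episode.
WEIGHTS = {
    "first_visit_no_cookies": 1,
    "bot_challenge": 2,
    "email_prompt": 1,
    "password_prompt": 2,
    "ordered_chain": 3,
}
THRESHOLD = 6

# Origins where a real login flow legitimately asks for email then password.
# A reverse-proxy kit runs on some other origin, so these are skipped (assumed list).
KNOWN_LOGIN_ORIGINS = {"login.microsoftonline.com", "accounts.google.com"}


@dataclass
class PageVisit:
    origin: str
    events: list  # ordered telemetry events, e.g. {"type": "challenge", "vendor": "turnstile"}


@dataclass
class Verdict:
    origin: str
    score: int
    traits: list = field(default_factory=list)

    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def score_visit(visit: PageVisit) -> Verdict:
    """Walk the event sequence, collect traits, and weight them."""
    if visit.origin in KNOWN_LOGIN_ORIGINS:
        return Verdict(visit.origin, 0, [])
    traits, positions = [], {}
    for i, ev in enumerate(visit.events):
        kind = ev.get("type")
        if kind == "navigate" and ev.get("cookies", 0) == 0:
            traits.append("first_visit_no_cookies")
        elif kind == "challenge":
            traits.append("bot_challenge")
            positions.setdefault("challenge", i)
        elif kind == "input" and ev.get("field") == "email":
            traits.append("email_prompt")
            positions.setdefault("email", i)
        elif kind == "input" and ev.get("field") == "password":
            traits.append("password_prompt")
            positions.setdefault("password", i)
    # Order matters: the kit gates the credential prompts behind the challenge.
    if {"challenge", "email", "password"} <= positions.keys() and \
            positions["challenge"] < positions["email"] < positions["password"]:
        traits.append("ordered_chain")
    unique = list(dict.fromkeys(traits))  # count each trait once
    return Verdict(visit.origin, sum(WEIGHTS[t] for t in unique), unique)


def triage(visits) -> list:
    """Return origins that cross the threshold, for the analyst feed."""
    return [v.origin for v in map(score_visit, visits) if v.suspicious()]


# Constructed sample telemetry (not real data).
PHISHING_VISIT = PageVisit("example-login-portal.invalid", [
    {"type": "navigate", "cookies": 0},
    {"type": "challenge", "vendor": "turnstile"},
    {"type": "input", "field": "email"},
    {"type": "input", "field": "password"},
])
BENIGN_VISIT = PageVisit("app.example-saas.invalid", [
    {"type": "navigate", "cookies": 4},      # returning user, cookies present
    {"type": "input", "field": "email"},
    {"type": "input", "field": "password"},
])
KNOWN_IDP_VISIT = PageVisit("accounts.google.com", PHISHING_VISIT.events)

if __name__ == "__main__":
    for v in (PHISHING_VISIT, BENIGN_VISIT, KNOWN_IDP_VISIT):
        print(score_visit(v))
    print("flagged:", triage([PHISHING_VISIT, BENIGN_VISIT, KNOWN_IDP_VISIT]))
```

As Jacques notes, roughly half of what such a heuristic flags may be some random website, so the verdicts feed an analyst queue rather than an automatic block.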
Continuous Adaptation to Attackers
As phishing tactics become more sophisticated, Push Security plans to enhance its detection capabilities, including real-time flight recording and faster turnaround of threat intelligence. This proactive approach is essential to keep pace with the rapidly evolving threat landscape.
Jacques [16:31]: "We're just seeing the volumes of things coming in and getting through whatever was there already. A lot of it's getting through and a lot of the detections are really working."
The episode underscores the relentless cat-and-mouse game between cybersecurity defenses and phishing adversaries. As attackers innovate and adapt, so too must the defensive strategies employed by organizations. Push Security remains at the forefront, developing advanced detection mechanisms and behavioral analytics to stay ahead of phishing threats.
For those interested in learning more or exploring Push Security’s offerings, Jacques invites listeners to visit their website and book a demo.
Jacques [18:02]: "Come to the website, book a demo, come see what it's about."
This comprehensive discussion highlights the dynamic nature of phishing threats and the critical importance of evolving defensive measures to protect sensitive information in an increasingly complex digital landscape.