Risky Bulletin Podcast Summary
Episode: Sponsored: Phishing Crews Have Gotten Really Good at Evasion
Host: Casey Ellis
Guest: Jacques, Chief Product Officer and Co-Founder of Push Security
Release Date: June 9, 2025
Introduction
In this episode of Risky Bulletin, host Casey Ellis engages in an insightful conversation with Jacques, the Chief Product Officer and Co-Founder of Push Security. The discussion delves into the evolving landscape of phishing attacks, exploring the sophisticated techniques employed by cyber adversaries, the defensive measures being implemented, and the future trajectory of phishing threats.
The Evolution of Phishing
Past vs. Present Techniques
Jacques begins by contrasting traditional phishing methods with contemporary strategies. He reflects on the "classic phishing" era, where attackers utilized static HTML pages and straightforward email lures to deceive victims.
Jacques [00:52]: "That sort of classic phishing we all grew up with... it was all about the lure. But I think if you're looking at, like, what they need to do today, it's a hell of a lot more. So the complexity has just ramped through the roof."
Increased Complexity and Evasion
Modern phishing campaigns have evolved beyond simple email links. Attackers now deploy unique, dynamically generated links that are challenging to scan and block proactively. This shift necessitates more advanced detection mechanisms to counteract the sophisticated evasion tactics.
Jacques [01:25]: "Now we're seeing attackers just like pop unique links for everything. And that goes completely out. You can proactively scan just like every website that gets spun up."
Advanced Phishing Techniques
MFA Downgrade Attacks
With the widespread adoption of Multi-Factor Authentication (MFA), attackers have adapted by implementing downgrade attacks. These involve intercepting MFA prompts and coercing users into selecting less secure authentication methods, such as SMS-based verification.
Jacques [05:35]: "They're injecting a little bit of code to do MFA downgrade... so when Google says how do you want to MFA phishing site says yeah, I'm going to choose the SMS option."
Sandbox and Bot Evasion
Attackers have also become adept at evading sandbox defenses. By leveraging advanced bot protection tools, such as Cloudflare Turnstile, phishing sites can avoid detection by automated scanning systems.
Jacques [06:57]: "They've started using legitimate bot protection tools to kill the sandboxes. So now it's like good security, fighting good security."
Shifting Delivery Mechanisms
From Email to Diverse Communication Channels
The traditional reliance on email for phishing has waned as organizations bolster their email security. Instead, attackers now exploit a variety of communication platforms, including instant messaging apps like Slack and Teams, social networks like LinkedIn and Reddit, and even malicious advertisements.
Jacques [08:43]: "The delivery mechanisms have been quite cool. Now they're using... IM or a DM from someone external. So everything allows you to do some kind of comms and all those things are being used."
Case Study: Scattered Spider Community
A notable example discussed is the Scattered Spider community, which utilizes tools like EvilJINX to deliver phishing attacks via highly targeted Google Ads. This method capitalizes on user behavior of searching for legitimate services and clicking on top search results, inadvertently directing them to malicious sites.
Jacques [10:52]: "This is actually on Fido... it was quite solidly, obviously just a highly paid ad hit. And that went straight to a phishing attack."
User Behavior and Its Impact
Reliance on Search Engines
User habits significantly influence the effectiveness of phishing campaigns. Many users prefer searching for application login pages rather than directly typing URLs, making them susceptible to attackers who manipulate search engine results.
Jacques [11:46]: "If you look at the history of how people get to a login page for most SaaS apps, they don't actually type the domain name in. They're just googling the app name and then clicking the first link that comes up."
Defensive Measures Against Phishing
Adoption of Passkeys
Passkeys have emerged as a robust defense against phishing. While not entirely foolproof, they substantially reduce the risk by eliminating the reliance on password-based authentication.
Jacques [12:24]: "Passkeys are a must. They are definitely being effective... even if you just can fish the creds and you don't get all the way through to the session, it's so much easier to convince the support desk to just do an MFA reset."
Limitations and Areas for Improvement
Despite their effectiveness, passkeys have edge cases. Ensuring complete un-enrollment of outdated authentication methods is crucial to prevent attackers from downgrading security measures.
Jacques [13:16]: "We saw the Snowflake breach and suddenly everyone realized... there might actually be critical data in apps that aren't yet in our SSO."
Future Trends and Predictions
Behavioral Detection Enhancements
Push Security is focusing on transitioning from signature-based detections to behavioral analyses. By identifying common traits across phishing kits, such as cookie absence or the presence of cloud-based challenge pages, they aim to detect and mitigate threats more swiftly and accurately.
Jacques [16:31]: "We're shifting a lot of those detections from things that are very, you know, sort of signatures to a lot more behavioral things."
Continuous Adaptation to Attackers
As phishing tactics become more sophisticated, Push Security plans to enhance its detection capabilities, including real-time flight recording and faster turnaround of threat intelligence. This proactive approach is essential to keep pace with the rapidly evolving threat landscape.
Jacques [16:31]: "We're just seeing the volumes of things coming in and getting through whatever was there already. A lot of it's getting through and a lot of the detections are really working."
Conclusion
The episode underscores the relentless cat-and-mouse game between cybersecurity defenses and phishing adversaries. As attackers innovate and adapt, so too must the defensive strategies employed by organizations. Push Security remains at the forefront, developing advanced detection mechanisms and behavioral analytics to stay ahead of phishing threats.
For those interested in learning more or exploring Push Security’s offerings, Jacques invites listeners to visit their website and book a demo.
Jacques [18:02]: "Come to the website, book a demo, come see what it's about."
This comprehensive discussion highlights the dynamic nature of phishing threats and the critical importance of evolving defensive measures to protect sensitive information in an increasingly complex digital landscape.