Concise Cyber

Email Phishing Evolves: QR Codes, MFA Bypass, and Revived Tactics

Threat actors are continuously refining their email phishing strategies, blending established tactics with new evasion techniques to bypass modern security controls. Instead of relying on simple links, attackers are increasingly using PDF attachments as their primary delivery vehicle.

These are not ordinary attachments; many now contain QR codes designed to redirect users to malicious sites on their mobile phones, which often have fewer security protections than corporate workstations. To further evade detection, attackers are password-protecting these PDF files, a tactic that complicates automated scanning and lends a false sense of legitimacy to the email.

Deceptive Delivery and Evasion

Beyond attachments, cybercriminals are reviving older methods with a new focus. Phishing attacks using calendar invitations, a technique popular in the late 2010s, have returned. Now, they are being used in targeted B2B campaigns to embed malicious links directly into an employee’s schedule, waiting for a reminder to prompt a click. The phishing websites themselves are also more sophisticated. Many now employ a chain of CAPTCHA verifications to filter out security bots before presenting the fake login page, which may even validate email addresses to appear more authentic.
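A mail-gateway triage check for two of the delivery tactics described above (password-protected PDF attachments and links embedded in calendar invitations), given as an added example that is not part of the original article. The function names, the finding labels and the sample message are constructed for illustration, and the `/Encrypt` marker test is a heuristic rather than a full PDF parse.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(rb"https?://[^\s\"'<>]+", re.I)

def triage(raw: bytes) -> list[str]:
    """Return findings for one RFC 5322 message given as raw bytes."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        # Heuristic: an encrypted PDF carries an /Encrypt entry in its trailer.
        is_pdf = ctype == "application/pdf" or data.startswith(b"%PDF-")
        if is_pdf and b"/Encrypt" in data:
            findings.append(f"encrypted-pdf:{name}")
        if ctype == "text/calendar":
            # Unfold iCalendar lines first (RFC 5545: CRLF + space/tab continues a line).
            ics = re.sub(rb"\r?\n[ \t]", b"", data)
            for url in URL_RE.findall(ics):
                findings.append(f"calendar-url:{url.decode(errors='replace')}")
    return findings

def build_sample() -> bytes:
    """Constructed sample message: a stub 'encrypted' PDF plus an invite with a folded URL."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached. Password: 1234")
    fake_pdf = b"%PDF-1.7\ntrailer<</Encrypt 1 0 R>>\n%%EOF\n"  # stub, not a real PDF
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    ics = ("BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Review\r\n"
           "DESCRIPTION:Join at https://login.exam\r\n ple.test/meet\r\n"
           "END:VEVENT\r\nEND:VCALENDAR\r\n")
    msg.add_attachment(ics.encode(), maintype="text", subtype="calendar",
                       filename="invite.ics")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

Findings like these are routing signals: an encrypted PDF cannot be content-scanned, so it is a candidate for quarantine or manual review, and calendar URLs can be passed to the same reputation checks applied to links in message bodies.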

Sophisticated Credential and MFA Theft

The most alarming development is the rise of phishing sites designed to defeat multi-factor authentication (MFA). These advanced attacks use high-quality replicas of legitimate login pages, such as those of cloud storage services. When a victim enters their credentials, the malicious site acts as a proxy, passing the information to the real service in real time. This triggers a genuine MFA request (like an OTP) to the user. Once the user enters the one-time code on the phishing site, the attackers capture it, use it to complete the login, and gain full access to the account. This demonstrates a significant leap in the complexity and danger of modern phishing campaigns.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forum in our own words with no intention to plagiarise or copy other person’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections, concerns or point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
