Phishing is the most common form of social attack carried out by email. Unlike cyberattacks on systems and software, it requires little to no hacking expertise, making it a quick and easy way for cybercriminals to get access to a business’s most sensitive data.


What is phishing?

Phishing is an email scam that impersonates a business to trick recipients into divulging account credentials or clicking on a malware-laden link. In most attacks, phishing involves luring a victim with a link to a fraudulent website or including an email attachment laced with malware.


Phishing vs spear phishing

Phishing attacks impersonate brands to trick users, whereas spear phishing attacks impersonate individuals. Most phishing emails include a subject line that causes either alarm or intrigue, which encourages victims to act quickly. With the exception of highly targeted attacks, a phishing email is typically a one-off event. Often, hackers will send a single email to multiple recipients—known as a wave—at once to improve the chances of success.

Spear phishing emails do not include links or attachments and are designed to trick a recipient into completing a financial transaction, such as making a wire transfer, purchasing gift cards, or changing direct deposit information.

[Image: Phishing Email]

[Image: Spear Phishing Email]


Elements of a phishing email

All phishing emails include one of two components: a link or an attachment. Getting victims to click the link or open the attachment requires a sophisticated set of tools and techniques. Below are some of the most important elements of a phishing email:

Subject line

Perhaps the most critical element of a phishing email, the subject line is designed to entice, alarm, or frighten the victim into opening the email. Hackers who have done their research write highly targeted subject lines to entice victims into opening emails.

Email spoofing

Email spoofing involves creating an email address that looks like that of a trusted business. With display name spoofing, the hacker adds the desired display name in the sender field of the email. In other cases, a hacker will use an email address resembling a legitimate business email as the display name.
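A filter-side check for the two display-name tricks described above, as an added example that is not part of the original page. The brand-to-domain table, the function names, and the sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumption: a small allowlist of domains each brand legitimately sends from.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "paypal": {"paypal.com"},
}

# Matches an email address embedded in a display name and captures its domain.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def sender_domain(addr):
    """Domain part of the real (envelope-visible) From address."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def domain_matches(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_from_header(from_header):
    """Return a list of findings for one From: header value."""
    display, addr = parseaddr(from_header)
    domain = sender_domain(addr)
    findings = []

    # Trick 1: the display name is itself an email address, and its domain
    # differs from the domain of the address that actually sent the message.
    embedded = ADDR_RE.search(display)
    if embedded and embedded.group(1).lower() != domain:
        findings.append("address-in-display-name")

    # Trick 2: the display name mentions a brand, but the sending domain
    # is not one of that brand's known domains.
    lowered = display.lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in lowered and not domain_matches(domain, allowed):
            findings.append("brand-display-mismatch:" + brand)
    return findings


if __name__ == "__main__":
    # Constructed sample headers.
    for header in ('"Microsoft 365 Support" <alerts@ms-notify.example>',
                   '"billing@paypal.com" <x9@mailer.example>',
                   'PayPal <service@paypal.com>'):
        print(header, "->", check_from_header(header))
```
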

Brand impersonation

Hackers impersonate the brands you trust the most. When attacking businesses, hackers impersonate brands that a business has a relationship with, such as a bank or a software vendor. To create the illusion of legitimacy, phishers use real business and product logos and other visual elements of the brand’s identity.

Phishing link

A link is typically placed in the body of the email, but it can also be placed inside an attachment or inside a legitimate hosted file on a service like OneDrive or SharePoint to avoid detection from email filters scanning for known phishing links. Victims are lured into clicking on the link by the email itself, which directs the user to visit a website to log into an account.


Attachment

Attachments are included either to conceal the phishing link from an email filter or to deliver malware/ransomware. Often in the form of a Word document, PDF, or .zip file, the attachment appears to be legitimate business correspondence, such as an invoice. The link might lead to a phishing website or result in an automatic download of malware or ransomware.

Phishing page

A phishing page is a fraudulent webpage that impersonates a brand. Unsophisticated pages are easy to spot, but advanced phishers use real CSS from brand webpages to make their webpages identical to the real thing. Phishing pages impersonate login pages where victims enter their username and password to access their account. When they do so, their credentials are stolen.


The rise of corporate phishing

Phishing was once considered a consumer problem. But as hackers grew more sophisticated, they began targeting businesses. The growth of cloud computing made businesses an even bigger target, with sensitive files and data suddenly up for grabs. As a result, phishers began impersonating high-profile, reputable brands that corporations do business with, including cloud services providers and financial institutions.

Top five impersonated brands by phishing URLs, 2020

Microsoft 39,621
Facebook 14,876
PayPal 11,841
Chase 8,832
eBay 6,918

Phishers’ Favorites


Microsoft phishing

With more than 200 million users, Microsoft 365 is the most used business productivity suite in the world, making it the no. 1 corporate target for hackers. The growth of Microsoft 365 has led to an onslaught of phishing attacks aimed at Microsoft 365 business users, whose login credentials are all a hacker needs to access a business’s data.


[Image: Microsoft 365 malware email]

[Image: Outlook phishing email]

Popular Microsoft 365 phishing attacks

Action required

Users are alerted that their Microsoft 365 account needs attention, such as validating account credentials or changing a password.

Payment suspended

Users are warned that there is an issue with their Microsoft 365 payment method and instructed to update their credit card information.

Voicemail phishing

Users receive an email from an Outlook or Microsoft email address alerting them that they have received a voicemail and must log in to Microsoft 365 to listen to the message.

Shared-file attack

Users receive a notification that a colleague has shared a OneDrive or SharePoint file with them. The file typically includes a phishing link but could also be ransomware-laden.

OneNote phishing

Users receive a notification that a colleague or associate has shared a OneNote message. The URL in the email leads to a fake OneNote message with an embedded phishing link, which leads to a Microsoft phishing page. With a compromised SharePoint account, hackers can send legitimate notifications.

Multiphase attack

A multiphase attack begins with phishing and evolves into spear phishing. Starting with any of the phishing scams above, the initial attack gives a hacker access to a user’s Microsoft 365 credentials. With these in hand, the hacker can then send phishing or spear phishing emails from a compromised Microsoft 365 account.

Vade Secure for Microsoft 365

Vade Secure for Microsoft 365 blocks advanced attacks from the first email thanks to machine learning models that perform real-time behavioral analysis of the entire email, including any URLs and attachments. Leveraging data from more than 600 million inboxes, our AI-based threat detection stops threats before, during, and even after attacks.


Phishing techniques

Most email filters use fingerprint and reputation-based detection methods, including scanning for blacklisted domains and IPs. This makes it impossible for these types of filters to detect unknown attacks, or malicious emails and pages that have not been previously identified.

Hackers use a number of techniques to bypass fingerprint and reputation-based filters. With a simple MX record lookup, hackers can see which email security solution is in use and create scripts to bypass MX rules or develop techniques to bypass the solution itself. Below are some of the most common and advanced techniques:

Targeted emails
  • Victims are chosen by their job position, experience level, and other factors that indicate their ability to provide access to sensitive data.
  • Phishers mine social media and past data breaches for information that could assist in personalizing the email and understanding what would motivate a victim to respond to a phishing email.
  • Hackers research the target company to learn which brands they do business with, including their business partners, software providers, and banks or other financial partners.
Brand impersonation
  • Brand logos and images are downloaded from the web and inserted into emails, adding authenticity and authority to the email.
  • CSS and JavaScript are copied from legitimate brand webpages and used to develop phishing pages, making them indistinguishable from the real thing.
  • Legitimate reply-to email addresses from the brand are added to emails to convince the user that the email originates from the brand.
  • URLs that lead to phishing pages are either inserted into the email or hidden in an attachment, such as a PDF or Word doc, to avoid detection from email filters that cannot parse documents.
  • Legitimate URLs that lead to safe webpages are included in the email, along with the phishing link, to fool email filters that may deem the email safe after scanning a number of legitimate URLs.
  • Time-bombed URLs are URLs that lead to safe, legitimate webpages and are then redirected to phishing pages once the email has been delivered.
  • URL shorteners, such as TinyURL, are used to create aliases of the phishing URL to avoid detection from filters scanning for known phishing links.
Image insertion and distortion
  • Slight changes or distortions to images will change their cryptographic hash or “fingerprint.” This can cause a blacklisted phishing email to appear like a new, safe email to a filter.
  • QR codes are often inserted in place of phishing URLs to evade filters that cannot extract QR codes. Typically used in sextortion scams, QR codes direct victims to Bitcoin sites where they can make the extortion payment.
  • Text-based images, such as screenshots of emails, are inserted into the email body in place of text. This avoids content scanning by the email filter, which may deem the email safe if there is no content to scan.

Phishing prevention

The best phishing prevention combines people and technology. With new attacks being launched every day and even sophisticated filters sometimes missing attacks, prevention is an ongoing effort that requires constant diligence and a set of anti-phishing technologies:

User training

As attacks become more sophisticated, users must be continually trained in the latest phishing attacks and techniques. In addition to recurring awareness training, contextual training delivered at the moment a user clicks on a malicious email provides instant feedback on the behavior.

Training content that is personalized for the user based on the brand used in the phishing attempt gives the training context, unlike annual trainings that are typically conducted in a group setting and based on generic emails. Ultimately, the training experience will be more significant, and the phishing attempt more memorable than the simulations used in training sessions.

Equally important to phishing prevention is encouraging users to report suspicious emails. This gives IT the opportunity to warn the company about incoming attacks and gives the security operations team the opportunity to use the phishing email to strengthen the email filter.

Artificial intelligence

Unlike fingerprint and reputation-based technology, artificial intelligence identifies unknown attacks by scanning the content, context, and origin of emails. Supervised machine learning algorithms are trained by data scientists to recognize various features of phishing emails. Unsupervised algorithms do not require a trainer but learn over time to recognize anomalies in emails, or suspicious events that differ from the majority of data.

Image detection

Trained to detect images and logos from brands, Computer Vision algorithms can detect slight distortions in images, scan text-based images, and extract QR codes that conceal malicious links. Unlike other machine learning algorithms, Computer Vision algorithms interpret and view images as humans do, recognizing known phishing emails that have been distorted to look like new emails.
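Why a slightly distorted image defeats an exact fingerprint but not a similarity-based one, as an added example that is not part of the original page. It uses a simple average hash (aHash) as a stand-in for the Computer Vision models described above; the 32x32 "logo" and the distortion are constructed.

```python
import hashlib


def sha256_of(pixels):
    """Exact fingerprint: SHA-256 over the raw grayscale bytes."""
    return hashlib.sha256(bytes(v for row in pixels for v in row)).hexdigest()


def average_hash(pixels, size=8):
    """Perceptual fingerprint: average the image down to size x size cells,
    then emit one bit per cell that is brighter than the overall mean."""
    bh, bw = len(pixels) // size, len(pixels[0]) // size
    cells = []
    for by in range(size):
        for bx in range(size):
            block = [pixels[y][x]
                     for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | (1 if c > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def make_logo(n=32):
    """Constructed sample: bright square centred on a dark background."""
    lo, hi = n // 4, 3 * n // 4
    return [[220 if lo <= x < hi and lo <= y < hi else 30
             for x in range(n)] for y in range(n)]


def distort(pixels):
    """Constructed distortion: raise every 5th pixel's brightness by 3."""
    return [[min(255, v + 3) if (x + y) % 5 == 0 else v
             for x, v in enumerate(row)] for y, row in enumerate(pixels)]


def compare(a, b):
    """Exact-match result and perceptual distance for two images."""
    return {"sha256_equal": sha256_of(a) == sha256_of(b),
            "ahash_distance": hamming(average_hash(a), average_hash(b))}


if __name__ == "__main__":
    logo = make_logo()
    print(compare(logo, distort(logo)))
```

A filter keyed on the SHA-256 value treats the distorted copy as unseen, while a small Hamming distance between the perceptual hashes still links it to the known image.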
