Doubly Dangerous: Evading Phishing Reporting Systems by Leveraging Email Tracking Techniques
No ratings
Presented at USENIX Security 2025 by
Given the significant threat posed by email as a highly prevalent phishing attack vector, we undertake the first study focused on real-world phishing email reporting systems. Our key idea in performing this study is to repurpose email tracking, a well-known privacy threat vector, for profiling and evading anti-phishing systems employed by popular email services. Our results show that the reporting systems of all major email services we tested are vulnerable to evasive phishing attacks affecting more than 2 billion users worldwide. We propose several countermeasures that email service operators can adopt to help ameliorate this issue in the future. We disclosed our findings to the affected email providers which resulted in remedial changes and a vulnerability reward.