Phishing Attacks are Morphing – Changing to Bypass Security Tools

Last Updated: October 8, 2019

Israel-based cybersecurity firm Ironscales reports that 42% of the phishing attempts they examined were “polymorphic.” Polymorphism happens when bad actors make slight and often random changes to an email’s artifacts such as its content, subject line, sender name or template. This method allows attackers to quickly modify phishing attacks so that they bypass signature-based email tools, thus allowing different versions of the same attack to get into user inboxes.

Over the past 12 months, Ironscales analyzed data from 200,000+ user inboxes and found 11,733 email phishing attacks that had undergone at least one permutation.


Polymorphic phishing attacks were first identified in 2016. Initially, the attackers just changed the embedded URLs pointing to their landing pages. Phishing pages generally exist as random URLs on the internet (not linked to or referenced by anything else). Typically, they are only deployed for a few hours. The short lifespan of these URLs makes it very difficult for automated scanning and blacklisting software to keep up with them. Thus, early on, a few minor changes in the URL structure were enough to bypass the cyber defense tools.


Defending against polymorphic email phishing attacks is a time-consuming and burdensome task for security teams. Over time, the security tools became smarter and so the phishing tools evolved, implementing new polymorphic methods to stay one step ahead of the tools. The increasing availability of low-cost phishing kits on the Dark Web is complicating the task of defending enterprise networks. Large-scale attacks involving thousands of emails are easily blocked by spam filters. Therefore, polymorphic attacks generally begin with a smaller and more targeted standard phishing attack on an organization. Once one employee falls for the attack, the hackers have access to a credentialed account that they can leverage to send a polymorphic attack to other users on the network. The small (polymorphic) changes to each email are meant to prevent automated internal network security tools from screening the messages out.

Once a polymorphic phishing attack is underway, the IT team cannot blacklist the compromised accounts because they are within the organization, and the messages cannot easily be screened because they are not uniform in composition.


Companies are now turning to decentralized and distributed intelligence coupled with non-signature-based email security tools that utilize AI and machine learning to identify similar attacks. AI and machine learning are the heart of behavior analysis systems which use algorithms combined with human feedback to recognize malicious intent. Their sophistication (from learning) increases with time and exposure.
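To make the contrast between signature-based and similarity-based screening concrete, here is an added example (not from Ironscales or the original article). It uses word-shingle Jaccard similarity as a deliberately simple stand-in for the ML-based tools mentioned above; the function names, the 0.5 threshold and the sample messages are all constructed assumptions.

```python
import hashlib
import re

def normalize(text):
    """Lowercase, then mask the fields attackers vary most: URLs and numbers."""
    text = re.sub(r"https?://\S+", "<url>", text.lower())
    text = re.sub(r"\d+", "<num>", text)
    return re.sub(r"\s+", " ", text).strip()

def exact_signature(subject, body):
    """Signature-style fingerprint: a one-character change yields a new value."""
    return hashlib.sha256((subject + "\n" + body).encode()).hexdigest()

def shingles(text, k=3):
    """Set of overlapping k-word sequences from the normalized text."""
    words = normalize(text).split()
    return {" ".join(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}

def jaccard(a, b):
    """Share of shingles two messages have in common (0.0 to 1.0)."""
    return len(a & b) / len(a | b) if a | b else 1.0

def similar_to_known(subject, body, known, threshold=0.5):
    """True if the message resembles any previously reported phish.
    The threshold is an assumed value that would need tuning on real mail."""
    s = shingles(subject + " " + body)
    return any(jaccard(s, shingles(ks + " " + kb)) >= threshold
               for ks, kb in known)

# Constructed sample messages (subject, body); example.test is a reserved name.
REPORTED = ("Action required: password expires today",
            "Hello, your mailbox password expires today. Sign in at "
            "http://example.test/a1 within 24 hours to keep access.")
VARIANT = ("Action needed: password expires today",
           "Hi, your mailbox password expires today. Sign in at "
           "http://example.test/zz9 within 12 hours to keep access.")
BENIGN = ("Lunch on Thursday",
          "Are we still on for lunch Thursday at noon? "
          "I booked the table near the window.")

if __name__ == "__main__":
    for name, msg in (("variant", VARIANT), ("benign", BENIGN)):
        hash_hit = exact_signature(*msg) == exact_signature(*REPORTED)
        print(name, "hash match:", hash_hit,
              "similar:", similar_to_known(*msg, [REPORTED]))
```

The variant's hash never matches the reported message, yet it shares most of its shingles with it, while the unrelated message shares none.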



About the Author: Baird Brueseke

Baird Brueseke has 25-plus years of experience leading companies and designing solutions to solve customer problems. He co-founded Wheb Systems, which grew from a two-person startup to become Captiva Software, a public company purchased by EMC. After Captiva, Baird’s interests turned to Education and Cybersecurity. He created a cloud-based portal, CLaaS – Computer Lab as a Service – which provides academic institutions the ability to deliver a hands-on computer science laboratory experience to distance learners.