The days of registering a lookalike domain and blasting a generic credential harvester are over. Modern enterprise email security — Proofpoint, Mimecast, Microsoft Defender for Office 365 — detonates links in sandboxes, evaluates sender reputation in real time, and blocks based on content heuristics. This post covers how we build phishing infrastructure that gets through it.
Domain Ageing and Reputation
Newly registered domains are a negative signal on their own: SEGs and web proxies carry a newly-registered-domain category and treat anything registered in the last few weeks as suspect, and many proxy policies block uncategorised domains outright. We register domains 60 to 90 days before they are needed and warm them up with legitimate-looking activity: a basic website with crawlable content, social media profiles, newsletter subscriptions, and low-volume outbound mail from the sending host so that the domain and IP have a sending history before campaign volume starts. Before the campaign, look the domain up in the categorisation tools of the proxy and SEG vendors the target uses and request a category if it has none. By campaign time the domain has an age and a reputation that do not trigger blocking on sight.
DKIM, SPF, and DMARC Alignment
Full email authentication is table stakes. Receivers score unauthenticated mail down, spoofing a domain that publishes p=reject fails outright, and Google and Yahoo have required authenticated mail plus a DMARC record from bulk senders since 2024. The sending domain therefore needs an SPF record covering the sending host, DKIM signing with a selector under that domain, and a DMARC record. Because we own the domain, our own mail passes alignment and the policy is never applied to it; publish p=none on a new domain so that nothing is rejected on a misconfiguration while reputation builds, and include an rua= address so the aggregate reports show what receivers actually see. Verify the records before the first message goes out: one mistyped ip4: term or a missing selector key means every message fails authentication.
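The pre-send check described above, as an added example that is not part of the original post or any tool it mentions. It parses SPF, DMARC and DKIM TXT records offline and reports the mistakes that silently break authentication (wrong first tag, sending host not in SPF, +all, deprecated ptr, too many lookups, missing rua, empty or short DKIM key). The sample records and the domain sender.example are constructed; include: terms are not resolved, so only direct ip4/ip6 terms count when checking the sending IP.

```python
"""Offline sanity checks for the SPF, DMARC and DKIM records of a sending domain.

Added example for this post, not the author's own tooling. The sample records
are constructed strings for a hypothetical domain; in practice feed it the
output of `dig +short TXT <domain>`, `dig +short TXT _dmarc.<domain>` and
`dig +short TXT <selector>._domainkey.<domain>`.
"""
import base64
import ipaddress
import re

# Constructed sample records (not real DNS data).
SAMPLE_SPF_GOOD = "v=spf1 ip4:203.0.113.10 -all"
SAMPLE_SPF_BAD = "v=spf1 include:_spf.example.net mx ptr +all"
SAMPLE_DMARC_GOOD = "v=DMARC1; p=none; rua=mailto:dmarc@sender.example; adkim=r; aspf=r"
SAMPLE_DMARC_BAD = "p=reject; v=DMARC1"
# Fake key body with the DER length of a 2048-bit RSA SubjectPublicKeyInfo (294 bytes).
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x30" * 294).decode()

# SPF terms that cost a DNS lookup (RFC 7208 section 4.6.4 caps these at 10).
_LOOKUP_RE = re.compile(
    r"^[+\-~?]?(include:|a(?=$|[:/])|mx(?=$|[:/])|ptr(?=$|:)|exists:|redirect=)", re.I)


def parse_tags(record):
    """Split a 'k=v; k=v' DMARC/DKIM record into a dict; the first occurrence of a tag wins."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags.setdefault(key.strip().lower(), value.strip())
    return tags


def check_spf(record, sending_ip=None):
    """Return a list of findings for an SPF record; an empty list means it looks sane."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must begin with v=spf1"]
    mechanisms = terms[1:]
    lookups = sum(1 for t in mechanisms if _LOOKUP_RE.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    if any(re.match(r"^[+\-~?]?ptr(:|$)", t, re.I) for t in mechanisms):
        findings.append("SPF: ptr is deprecated; many receivers ignore it")
    last = mechanisms[-1].lower() if mechanisms else ""
    if last not in ("-all", "~all"):
        findings.append(f"SPF: record should end with -all or ~all, got {last or 'nothing'}")
    if sending_ip:
        ip = ipaddress.ip_address(sending_ip)
        nets = []
        for t in mechanisms:
            m = re.match(r"^\+?ip[46]:(.+)$", t, re.I)
            if m:
                nets.append(ipaddress.ip_network(m.group(1), strict=False))
        # include: terms are not resolved offline, so only direct ip4/ip6 terms count here.
        if not any(ip in n for n in nets):
            findings.append(f"SPF: {sending_ip} is not covered by any ip4/ip6 term")
    return findings


def check_dmarc(record):
    """Return findings for a DMARC record published at _dmarc.<domain>."""
    findings = []
    tags = parse_tags(record)
    if record.split(";")[0].strip().lower() != "v=dmarc1":
        findings.append("DMARC: v=DMARC1 must be the first tag or receivers ignore the record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append(f"DMARC: p must be none, quarantine or reject, got {tags.get('p')!r}")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports of what receivers see")
    if tags.get("adkim", "r") == "s" or tags.get("aspf", "r") == "s":
        findings.append("DMARC: strict alignment (adkim=s/aspf=s) fails mail sent from a subdomain")
    return findings


def check_dkim(record):
    """Return findings for a DKIM selector record at <selector>._domainkey.<domain>."""
    findings = []
    tags = parse_tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        findings.append("DKIM: v tag, when present, must be DKIM1")
    key_type = tags.get("k", "rsa").lower()
    if key_type not in ("rsa", "ed25519"):
        findings.append(f"DKIM: unknown key type {key_type!r}")
    pub = tags.get("p", "")
    if not pub:
        findings.append("DKIM: p= is empty (revoked key) or missing")
    else:
        try:
            der = base64.b64decode(pub, validate=True)
        except ValueError:
            findings.append("DKIM: p= is not valid base64")
        else:
            # Heuristic: a 1024-bit RSA SubjectPublicKeyInfo is 162 bytes of DER, 2048-bit is 294.
            if key_type == "rsa" and len(der) < 250:
                findings.append("DKIM: RSA key looks shorter than 2048 bits; receivers downgrade 1024-bit keys")
    return findings


def audit(spf, dmarc, dkim, sending_ip=None):
    """Run all three checks and return the combined findings."""
    return check_spf(spf, sending_ip) + check_dmarc(dmarc) + check_dkim(dkim)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SPF_BAD, SAMPLE_DMARC_BAD, "v=DKIM1; k=rsa; p=") or ["all records look sane"]:
        print(finding)
```

Run audit() with the sending host's real IP; an empty list is the go signal, and anything else should be fixed before the domain sends a single message, since a failing record costs the reputation the previous section spent weeks building.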
Link Sandbox Evasion
SEG sandboxes follow redirect chains, render the landing page, and in many deployments (Defender Safe Links, Proofpoint URL Defense) re-scan the URL at click time rather than only at delivery. Techniques we use, each with the failure mode to design around:
- Time-based serving: serve the benign page to requests that arrive in the first minutes after the message is sent, when delivery-time detonation happens, and the payload afterwards. Gating on the first visit per IP instead burns the target's own click: the sandbox never shares the target's IP, so the target's first and usually only visit gets the benign page. Click-time re-scans arrive whenever the user clicks, so the time rule alone does not cover them.
- User-agent filtering: serve benign content to known scanner and headless-browser user agents (and to requests with no user agent at all). Treat this as a weak signal on its own, since sandboxes increasingly present a stock browser user agent.
- Geofencing: serve the payload only to IPs in the target's country or, better, in the ASNs of the target's ISPs and cloud tenancy. Country alone is loose, because vendor sandboxes run in the same regions as their customers.
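The three rules combined into one decision function, as an added example that is not part of the original post. It is pure logic: the country and ASN lookup (for instance from a MaxMind database) is assumed to run upstream and is passed in, and the scanner user-agent markers, the target allowlists and the replayed requests are constructed for illustration. The time rule is keyed to the send time rather than to per-IP visit counts, for the reason given above.

```python
"""Link-gating decision for the time, user-agent and geofence rules above.

Added example, not the post's own code. Country/ASN come from an assumed
upstream GeoIP lookup; everything below is constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Hypothetical scope: the target's country and the ASNs of its ISPs (RFC 5398 documentation ASNs).
TARGET_COUNTRIES = {"GB"}
TARGET_ASNS = {64496, 64497}

# Substrings of user agents that identify scanners and headless browsers (illustrative, not exhaustive).
SCANNER_UA_MARKERS = ("headlesschrome", "phantomjs", "python-requests", "curl/", "go-http-client", "java/")

# Delivery-time detonation happens within minutes of the send; serve benign content for that long.
DETONATION_WINDOW_SECONDS = 30 * 60


def decide(user_agent, country, asn, seconds_since_send, window=DETONATION_WINDOW_SECONDS):
    """Return ('benign' | 'payload', reason) for one request.

    Rules are applied in order of confidence: a scanner signature or an out-of-scope
    network is benign regardless of timing; an in-scope browser is benign only while
    delivery-time scanning is still plausible.
    """
    ua = (user_agent or "").lower()
    if not ua or any(marker in ua for marker in SCANNER_UA_MARKERS):
        return "benign", "scanner or empty user agent"
    if country not in TARGET_COUNTRIES and asn not in TARGET_ASNS:
        return "benign", "outside target geofence"
    if seconds_since_send < window:
        return "benign", "inside delivery-time scan window"
    return "payload", "in-scope browser after scan window"


def run_samples():
    """Replay constructed requests against a send at 09:00 UTC; returns the decisions in order."""
    sent_at = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    browser = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/122.0 Safari/537.36"
    requests = [
        # delivery-time detonation from a vendor sandbox, minutes after the send
        ("Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0", "US", 64500, sent_at + timedelta(minutes=2)),
        # a sandbox presenting a real browser UA, still inside the window
        (browser, "GB", 64496, sent_at + timedelta(minutes=10)),
        # click-time re-scan from the vendor's cloud, hours later, outside the geofence
        (browser, "IE", 64500, sent_at + timedelta(hours=3)),
        # the target's own click from the corporate egress
        (browser, "GB", 64496, sent_at + timedelta(hours=3, minutes=1)),
    ]
    return [decide(ua, cc, asn, (now - sent_at).total_seconds())[0] for ua, cc, asn, now in requests]


if __name__ == "__main__":
    print(run_samples())
```

Note what the sample replay shows: the click-time re-scan in the third request is caught only by the geofence, not by the time rule, so a re-scanner that egresses from an in-scope ASN with a stock browser user agent would receive the payload. That is the residual risk of this design, and the reason to keep the scanner-signature list current.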
Reverse Proxy Phishing Frameworks
Reverse proxy frameworks (the approach implemented by tools such as Evilginx2 and Modlishka) sit between the target and the legitimate service. The victim's browser talks to a lookalike hostname on the proxy, which forwards every request to the real site and relays the responses, rewriting hostnames so the session stays on the proxy. The user authenticates to what looks like the real site, because it is the real site, proxied, so push, TOTP and SMS prompts all complete normally. What the proxy captures is the session cookie the service sets once authentication has succeeded; importing that cookie into another browser takes over the session without repeating MFA. Two caveats to check during recon: origin-bound authenticators (FIDO2/WebAuthn, passkeys) defeat this, because the signed assertion carries the proxy's origin and the real service rejects it, and the resulting sign-in appears in the identity provider's logs with the proxy's egress IP, so that host's geolocation and hosting provider need to fit the target's normal sign-in pattern.