Phishing actors are employing a new evasion tactic called 'Precision-Validated Phishing' that only shows fake login forms when a user enters an email address that the threat actors specifically targeted. Unlike traditional mass-targeting phishing, this new method uses real-time email validation to ensure phishing content is shown only to pre-verified, high-value targets. Although not overly advanced or particularly sophisticated, the new tactic excludes all non-valid targets from the phishing process, thus blocking their visibility into the operation.
Email security firm Cofense, which documented the rise in adoption of this new tactic, noted that it has created a significant practical problem for them. When researching phishing sites, it is common for researchers to enter fake email addresses or ones under their control to map the credential theft campaign. However, with this new technique, invalid or test email addresses entered by researchers now display an error or redirect them to benign sites. This impacts automated security crawlers and sandboxes used in research, reducing detection rates and prolonging the lifespan of phishing operations. "Cybersecurity teams traditionally rely on controlled phishing analysis by submitting fake credentials to observe attacker behavior and infrastructure," explains Cofense.
According to Cofense, the threat actors use two main techniques to achieve real-time email validation. The first involves abusing third-party email verification services integrated into the phishing kit, which checks the validity of the victim's address in real time via API calls. The second method is to deploy custom JavaScript in the phishing page, which pings the attacker's server with the email address victims type on the phishing page to confirm whether it's on the pre-harvested list.
Cofense explains that bypassing this by simply entering the email address of the person who reported the phishing attempt to them is often impossible because of usage restrictions imposed by their clients. Even if they were allowed to use the real target's address, the analysts comment that some campaigns go a step further, sending a validation code or link to the victim's inbox after they enter a valid email on the phishing page. To proceed with the phishing process, victims need to enter the code they received in their inbox, which is beyond the access of security analysts.
The ramifications of this are serious for email security tools, especially those relying on traditional detection methods, as they are more likely to fail to alert targets of phishing attempts. As phishing campaigns adopt dynamic input validation, defenders must adopt new detection strategies that emphasize behavioral fingerprinting and real-time threat intelligence correlation to stay ahead of the threat actors.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 09 Apr 2025 13:50:12 +0000