Delayed Phishing and How to Determine It

The Siliconreview
05 February, 2021

Phishing links in emails to company employees are often activated only after the message has passed its initial verification. But they can and should still be caught. Of course, you don’t get such a phishing email if you receive the letter about the registration bonus on 20Bet. Yet such situations do happen, and here is how you can detect them.

What Is Delayed Phishing

Delayed phishing is an attempt to lure a victim to a malicious or fake site using the Post-Delivery Weaponized URL technique. It boils down to replacing the content of a site with malicious content after the email has been delivered to the victim. In other words, the victim receives an email with a link that leads nowhere or to a legitimate site that may have been compromised but doesn't yet contain malicious content. In this way, the email easily passes all filters. The algorithms find the URL in the text, scan the site, see no danger in it, and let the message through to the victim's mailbox.

After delivery, the attackers bring up a previously prepared phishing page or activate malicious content on a previously harmless site. Any trick can be found there, from a reproduced interface of a banking site to a browser exploit that tries to download malware to the victim's device.

How Do Attackers Work

To fool an algorithm, attackers use one of three methods:

  • A simple link. It leads to an attacker-controlled site, either one they created themselves or a hacked and hijacked one. Cybercriminals prefer hijacked sites because they tend to have a positive reputation, which is a distinct plus as far as security algorithms are concerned. At the time of delivery, the link leads to either a meaningless stub or an error page with a 404 code.
  • A short link. There are plenty of services on the Internet that make a short URL out of a long one. They are meant to make life easier for users: you can share a short, easy-to-remember link, which turns into the full-fledged one when followed. That is, a simple redirect is triggered. Some services allow users to change the content hidden behind a short link, and attackers use them. During message delivery the URL leads to a legitimate site, and later it redirects to a malicious one.
  • A randomized short link. An even rarer case. Some link-shortening services allow you to set probabilistic redirects. That is, if you follow the link you have a 50% chance of getting to a legitimate site and a 50% chance of getting to a phishing site. Cybercriminals use these links to run the usual short-link scenario described above, but when they activate the redirect to the malicious page they set a probability of getting to a legitimate site, apparently to confuse automated collection software.

When Does a Link Become Malicious?

More often than not, attackers make the assumption that their victim is sleeping at night. Therefore phishing emails are sent after midnight and become malicious a few hours later, closer to dawn. If you look at the statistics of anti-phishing programs, you will see a peak around 7-10 a.m. This is when users who have woken up are clicking on links sent overnight which have in fact already become malicious.

We shouldn't forget about targeted phishing. If attackers are targeting a particular victim, they can study their daily routine, find out when they read their mail and activate a malicious link by adjusting to their schedule.

How to Catch Delayed Phishing

To prevent a phishing link from reaching the user, the best thing to do would be to recheck emails that are already in the mailboxes. In some cases this is realistic, for instance if your organization uses the Microsoft Exchange mail server.
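One way to implement such a recheck, as an added example that is not from the original article: record what each link in a delivered message resolved to at delivery time, then resolve it again later, several times, and flag links whose destination or content has changed or whose redirect target varies between requests. The fetch callable, the sample message and all hostnames are constructed assumptions; a real deployment would plug in a sandboxed HTTP client and the mail server's own interface for reading stored messages.

```python
import hashlib
import re
from email import message_from_string

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def extract_urls(raw_message):
    """Collect the distinct URLs found in the text parts of a stored message."""
    urls = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() == "text":
            text = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            urls += [u.rstrip(".,)") for u in URL_RE.findall(text)]
    return list(dict.fromkeys(urls))  # de-duplicate while keeping order

def snapshot(url, fetch, samples=5):
    """Resolve a URL several times; repeated sampling exposes probabilistic redirects."""
    results = (fetch(url) for _ in range(samples))
    return {(final, status, hashlib.sha256(body).hexdigest()) for final, status, body in results}

def recheck(raw_message, baseline, fetch, samples=5):
    """Compare each link's current behaviour with the snapshot taken at delivery."""
    findings = {}
    for url in extract_urls(raw_message):
        now = snapshot(url, fetch, samples)
        reasons = []
        if now - baseline.get(url, set()):
            reasons.append("destination or content changed since delivery")
        if len({final_url for final_url, _, _ in now}) > 1:
            reasons.append("redirect target varies between requests")
        if reasons:
            findings[url] = reasons
    return findings

# Constructed sample data: a stored message and a stand-in "web" that changes after delivery.
SAMPLE_MESSAGE = ("From: billing@vendor.example\nSubject: Invoice\nContent-Type: text/plain\n\n"
                  "See http://hacked.example/inv.html or https://short.example/a1\n")

def make_fake_fetch(phase):
    """Hypothetical fetcher: returns (final_url, status, body) without touching the network."""
    calls = {"n": 0}
    def fetch(url):
        calls["n"] += 1
        if url.startswith("http://hacked.example"):
            return (url, 404, b"not found") if phase == "delivery" else (url, 200, b"<form>login</form>")
        if phase == "delivery" or calls["n"] % 2:
            return ("https://legit.example/", 200, b"welcome")
        return ("https://phish.example/login", 200, b"<form>login</form>")
    return fetch
```

Build the baseline with snapshot() when the message arrives, then run recheck() on a schedule; any URL in the returned dictionary is a candidate for pulling the message out of the mailbox.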

If the sender's address ends in, you should be wary. A large company usually has its own email domain.

If you are addressed as "Dear Customer," there is a good chance that the letter is fake and you shouldn’t open it. Banks and other large organizations know what their customers' names are.

But even if you are addressed by name, never respond to a request to send your username, password, or other personal information.