
Top 10 Phishing Red Flags Security Teams Miss

Cyber121 Team
The Cyber121 team is a group of cybersecurity practitioners building community tools, training resources, and threat intelligence for security professionals.
April 2, 2026 · 8 min read

Phishing detection has improved significantly over the past decade. Spam filters catch obvious attacks, security awareness training has raised user vigilance, and most organisations have deployed email authentication (SPF, DKIM, DMARC). Yet phishing remains the leading initial access vector in data breaches.

The reason is straightforward: attackers have adapted. Modern phishing campaigns deliberately avoid the obvious red flags that training programmes teach. Here are the 10 indicators that security teams most commonly overlook.

1. Lookalike Domains with Unicode Characters

Attackers register domains that are visually identical to legitimate ones by substituting ASCII characters with Unicode equivalents. The naked eye cannot distinguish paypal.com from pаypal.com (where the second "a" is the Cyrillic character U+0430).

Detection technique: Check the domain in a URL decoder or use the Cyber121 Phishing Analyser to inspect the raw domain characters. The Punycode representation (e.g., xn--pypal-4ve.com) will reveal the substitution.
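
The check described above, written out as an added example (not code from the original post or from the Cyber121 tools): the script round-trips a hostname through Python's built-in IDNA codec to get both its Unicode and its Punycode (xn--) form, lists every non-ASCII character with its code point and Unicode name, and flags labels that mix scripts. The sample hostnames are constructed for the example; the mixed-script test uses the first word of the Unicode character name as a crude script tag, which is an approximation rather than a full confusables check.

```python
import unicodedata

# Constructed sample hostnames for this example (not taken from a real campaign).
# The second entry contains CYRILLIC SMALL LETTER A (U+0430) in place of a Latin "a".
SAMPLE_HOSTS = [
    "paypal.com",
    "p\u0430ypal.com",
    "xn--pypal-4ve.com",   # the same spoof as a registrar or a mail header would show it
]


def to_unicode_host(host: str) -> str:
    """Normalise a hostname to its Unicode form, decoding any xn-- (Punycode) labels."""
    # encode('idna') leaves pure-ASCII labels untouched, so this round-trips both forms.
    return host.encode("idna").decode("idna")


def to_punycode_host(host: str) -> str:
    """Return the ASCII-compatible (xn--) form, which exposes substituted characters."""
    return to_unicode_host(host).encode("idna").decode("ascii")


def analyse_host(host: str) -> dict:
    """Flag non-ASCII characters and mixed-script labels in a hostname."""
    unicode_form = to_unicode_host(host)
    non_ascii = []
    scripts = set()
    for label in unicode_form.split("."):
        for index, ch in enumerate(label):
            name = unicodedata.name(ch, "UNKNOWN")
            if ch.isalpha():
                # First word of the Unicode name is a crude script tag: LATIN, CYRILLIC, GREEK, ...
                scripts.add(name.split(" ")[0])
            if ord(ch) > 0x7F:
                non_ascii.append({
                    "label": label,
                    "index": index,
                    "codepoint": f"U+{ord(ch):04X}",
                    "name": name,
                })
    return {
        "input": host,
        "unicode": unicode_form,
        "punycode": to_punycode_host(host),
        "mixed_script": len(scripts) > 1,
        "non_ascii": non_ascii,
    }


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        result = analyse_host(h)
        verdict = "SUSPICIOUS" if result["non_ascii"] else "plain ASCII"
        print(f"{h!r:28} -> {result['punycode']:22} {verdict}")
        for hit in result["non_ascii"]:
            print(f"    label {hit['label']!r} index {hit['index']}: {hit['codepoint']} {hit['name']}")
```

The non_ascii list is the primary signal: a label written entirely in one non-Latin script (a whole-script confusable) would not trip the mixed_script flag, but every one of its characters would still be listed with its code point.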

2. Legitimate Infrastructure Abuse

Sophisticated attackers send phishing emails from legitimate services — Google Forms, Microsoft SharePoint, Dropbox, DocuSign, or even AWS S3 — to bypass email filtering. These emails pass SPF, DKIM, and DMARC checks because they genuinely originate from those platforms.

Detection technique: Focus on the content and the destination URL rather than the sender authentication. Ask: does this request make sense? Would this organisation use a Google Form to collect credentials?

3. Subdomain Manipulation

A URL like paypal.com.login.verify-account.net is not a PayPal URL — it is a subdomain of verify-account.net. The legitimate-looking portion (paypal.com) is simply a subdomain label, not the actual domain.

Detection technique: Read the host name from right to left. The host is everything between the scheme (https://) and the first forward slash; the registrable domain is the last two labels of that host (or three, for country-code TLDs), and everything to the left of it is a subdomain chosen by whoever registered that domain.

4. Redirect Chains and Open Redirectors

Phishing links frequently use open redirectors on legitimate domains to obscure the final destination. A URL beginning with https://accounts.google.com/ServiceLogin?continue=https://malicious.com will appear to originate from Google.

Detection technique: Follow the full redirect chain before evaluating the destination. Tools like urlscan.io or the Cyber121 Phishing Analyser will follow redirects and display the final landing page.
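
The two URL checks above (sections 3 and 4) share the same parsing, so here is one added example covering both; it is not code from the original post or from the Cyber121 tools. It extracts the registrable domain from a host, separates the decorative subdomain labels from it, and pulls any http(s) URLs out of the query string, which is where open redirectors carry their target. Nothing is fetched: this is static triage, and following a live redirect chain still needs a sandbox or a service such as urlscan.io. The multi-label suffix set is a constructed subset, an assumption for the example; real deployments should use the full Public Suffix List.

```python
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed subset of multi-label public suffixes, for the example only.
# Production code should consult the full Public Suffix List (publicsuffix.org).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br", "co.nz"}


def registrable_domain(host: str) -> str:
    """Return the domain that was actually registered: the last two labels,
    or three when the last two form a known multi-label suffix such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def embedded_urls(url: str) -> list:
    """URLs carried inside the query string: the usual shape of an open-redirect link."""
    query = urlsplit(url).query
    found = []
    for _name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote(value)  # one extra pass catches double-encoded targets
        if value.lower().startswith(("http://", "https://")):
            found.append(value)
    return found


def analyse_url(url: str, expected_domain: Optional[str] = None) -> dict:
    """Static URL triage: who really owns the host, and where does the link try to send the user?"""
    host = urlsplit(url).hostname or ""
    owner = registrable_domain(host) if host else ""
    targets = embedded_urls(url)
    target_owners = []
    for target in targets:
        target_host = urlsplit(target).hostname
        if target_host:
            target_owners.append(registrable_domain(target_host))
    # Everything left of the registrable domain is attacker-chosen decoration.
    subdomain_part = ""
    if owner and host != owner and host.endswith("." + owner):
        subdomain_part = host[: -len(owner) - 1]
    return {
        "host": host,
        "registrable_domain": owner,
        "subdomain_labels": subdomain_part,
        "brand_mismatch": expected_domain is not None and owner != expected_domain.lower(),
        "embedded_targets": targets,
        "embedded_target_domains": target_owners,
    }


if __name__ == "__main__":
    # Constructed samples mirroring the patterns described in the text.
    samples = [
        ("https://paypal.com.login.verify-account.net/signin", "paypal.com"),
        ("https://accounts.google.com/ServiceLogin?continue=https://malicious.com", "google.com"),
        ("https://www.example.co.uk/", "example.co.uk"),
    ]
    for sample_url, expected in samples:
        print(analyse_url(sample_url, expected))
```

For the first sample the registrable domain comes back as verify-account.net with paypal.com.login as mere subdomain decoration; for the second the host is genuinely google.com, but the embedded target domain is malicious.com, which is the value an analyst should be judging.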

5. Recently Registered Domains

Phishing infrastructure is typically set up days or weeks before a campaign. A domain registered within the past 30–90 days sending email claiming to be a major financial institution is inherently suspicious, regardless of whether it passes authentication checks.

Detection technique: Check the domain registration date via WHOIS lookup. The Cyber121 Phishing Analyser includes domain age estimation as part of its automated analysis.

6. Mismatched or Missing DMARC Policy

Many organisations publish SPF and DKIM records but set DMARC to p=none (monitoring only) rather than p=quarantine or p=reject. Attackers specifically target domains with weak DMARC policies for spoofing campaigns.

Detection technique: Check the sender domain's DMARC record with dig TXT _dmarc.example.com. A p=none policy means the domain owner has not enforced authentication — spoofed emails from this domain may reach inboxes.
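
An added example of the DMARC check, not code from the original post or from the Cyber121 tools: it extracts the record from the output of the dig command above (long TXT records come back as several quoted strings that must be joined), parses the tag=value pairs, and decides whether a failing message would actually be quarantined or rejected. It applies the RFC 7489 defaults the page's p=none discussion relies on, and goes a step further than the text by also handling two weaker-than-they-look cases: a pct value below 100 and an sp=none subdomain policy. The sample records and the dig output are constructed for the example.

```python
import re
from typing import Optional

# Constructed DMARC records for the example (not any real domain's published record).
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc-reports@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "strict.example": "v=DMARC1; p=reject; sp=none; adkim=s; aspf=s",
    "no-record.example": None,
}

# Constructed output of `dig +short TXT _dmarc.monitor-only.example`.
SAMPLE_DIG_OUTPUT = '"v=DMARC1; p=none; " "rua=mailto:dmarc-reports@monitor-only.example"\n'


def record_from_dig(output: str) -> Optional[str]:
    """Pull the DMARC record out of `dig +short TXT` output, joining split strings."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith('"') and "v=DMARC1" in line:
            return "".join(re.findall(r'"([^"]*)"', line))
    return None


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcement(record: Optional[str], is_subdomain: bool = False) -> dict:
    """Decide whether spoofed mail from this domain would be quarantined or rejected.
    RFC 7489 defaults: sp falls back to p, pct defaults to 100."""
    if not record:
        return {"policy": None, "pct": 0, "enforced": False, "reason": "no DMARC record published"}
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"policy": None, "pct": 0, "enforced": False, "reason": "not a DMARC1 record"}
    policy = tags.get("p")
    if is_subdomain:
        policy = tags.get("sp", policy)
    policy = policy.lower() if policy else None
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy not in ("none", "quarantine", "reject"):
        return {"policy": policy, "pct": pct, "enforced": False, "reason": "missing or invalid p tag"}
    if policy == "none":
        return {"policy": policy, "pct": pct, "enforced": False,
                "reason": "p=none: monitoring only, spoofed mail may be delivered"}
    if pct < 100:
        return {"policy": policy, "pct": pct, "enforced": False,
                "reason": f"p={policy} applied to only {pct}% of failing mail"}
    return {"policy": policy, "pct": pct, "enforced": True,
            "reason": f"p={policy} applied to all failing mail"}


if __name__ == "__main__":
    print("from dig:", dmarc_enforcement(record_from_dig(SAMPLE_DIG_OUTPUT)))
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:22} {dmarc_enforcement(record)}")
        print(f"{'  (subdomain)':22} {dmarc_enforcement(record, is_subdomain=True)}")
```

When triaging a message, run the check against the exact domain in the From header: strict.example rejects spoofs of its apex but, because of sp=none, a message from anything.strict.example is only monitored.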

7. Credential Harvesting Pages Hosted on HTTPS

The presence of a padlock icon (HTTPS) does not mean a website is safe — it only means the connection is encrypted. Attackers routinely obtain free TLS certificates from Let's Encrypt for their phishing pages.

Detection technique: Evaluate the domain, not the padlock. A phishing page at https://secure-login-paypal.com is still a phishing page. Use VirusTotal or Google Safe Browsing to check the URL reputation.

8. HTML Obfuscation in Email Body

Attackers embed invisible characters, zero-width spaces, or HTML comments within keywords to break pattern-matching in email security gateways. The rendered email looks normal, but the raw HTML contains obfuscated text that bypasses keyword filters.

Detection technique: View the raw HTML source of suspicious emails. Look for excessive HTML entities, zero-width characters (e.g., U+200B, often encoded as the entity &#8203;), or comments interspersed within words.
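
An added example of that raw-versus-rendered comparison, not code from the original post or from the Cyber121 tools: it strips comments and tags, decodes entities and removes zero-width characters to approximate what the recipient sees, counts the individual tricks (comments inside words, zero-width characters whether literal or entity-encoded, numeric entities that merely spell ASCII letters), and then reports for each keyword whether it matches the raw HTML, the rendered text, or both. A keyword that matches only after normalisation is exactly the case that slips past a gateway filtering on the raw source. The email body is constructed for the example; the tag-stripping is a regular-expression approximation, not a full HTML parser.

```python
import html
import re

# Invisible code points commonly inserted inside words: zero-width space, zero-width
# non-joiner, zero-width joiner, word joiner, byte-order mark, soft hyphen.
ZERO_WIDTH = "\u200b\u200c\u200d\u2060\ufeff\u00ad"

# Constructed sample of an obfuscated email body (not a real message).
SAMPLE_EMAIL_HTML = (
    "<p>Your acc<!-- 7f3 -->ount has been sus&#8203;pended. "
    "Please ver&#105;fy your pass\u200bword at the link below.</p>"
)


def visible_text(raw_html: str) -> str:
    """Approximate what the recipient sees: drop comments and tags, decode entities,
    remove zero-width characters, collapse whitespace."""
    text = re.sub(r"<!--.*?-->", "", raw_html, flags=re.S)
    text = re.sub(r"<[^>]+>", "", text)
    text = html.unescape(text)
    text = "".join(ch for ch in text if ch not in ZERO_WIDTH)
    return re.sub(r"\s+", " ", text).strip()


def obfuscation_signals(raw_html: str) -> dict:
    """Count the tricks that make the raw HTML differ from the rendered text."""
    decoded = html.unescape(raw_html)  # counts both literal and entity-encoded zero-width chars
    letter_entities = [
        m.group(0)
        for m in re.finditer(r"&#x?[0-9a-fA-F]+;", raw_html)
        if html.unescape(m.group(0)).isascii() and html.unescape(m.group(0)).isalnum()
    ]
    return {
        "comments_inside_words": len(re.findall(r"\w<!--.*?-->\w", raw_html, flags=re.S)),
        "zero_width_chars": sum(decoded.count(ch) for ch in ZERO_WIDTH),
        "ascii_letter_entities": letter_entities,
    }


def keyword_hits(raw_html: str, keywords) -> dict:
    """Where a keyword matches only after normalisation, the raw HTML was obfuscated."""
    raw = raw_html.lower()
    rendered = visible_text(raw_html).lower()
    return {kw: {"raw": kw.lower() in raw, "rendered": kw.lower() in rendered} for kw in keywords}


if __name__ == "__main__":
    print("rendered:", visible_text(SAMPLE_EMAIL_HTML))
    print("signals: ", obfuscation_signals(SAMPLE_EMAIL_HTML))
    for kw, hit in keyword_hits(SAMPLE_EMAIL_HTML, ["account", "suspended", "verify", "password"]).items():
        print(f"  {kw:10} raw={hit['raw']!s:5} rendered={hit['rendered']}")
```

Running a gateway's keyword rules against visible_text() rather than the raw body closes the gap the section describes; the signal counts are worth logging on their own, since legitimate marketing mail rarely splits words with comments or zero-width characters.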

9. Voicemail and MFA Fatigue Phishing

Two increasingly common variants that bypass traditional email filters:

  • Voicemail phishing: An email with an audio attachment or a link to a "voicemail" that redirects to a credential harvesting page.
  • MFA fatigue: Attackers repeatedly push MFA approval requests to a victim's phone, hoping they will eventually approve one out of frustration.

Detection technique: Train users to verify unexpected MFA requests by contacting the requester through a known channel. Implement number matching in MFA apps to prevent blind approvals.

10. Spear Phishing with OSINT-Sourced Context

Generic phishing is easy to spot. Spear phishing — targeted attacks using personal information sourced from LinkedIn, company websites, or previous data breaches — is significantly harder. An email referencing your manager's name, your current project, or a recent company announcement feels authentic.

Detection technique: This is primarily a process problem, not a technical one. Implement a verification procedure for any email requesting financial transactions, credential resets, or sensitive data transfers — regardless of how legitimate it appears. Always verify through a separate communication channel.

Building a Detection Framework

Catching these advanced indicators consistently requires a structured investigation process, not ad-hoc analysis. The Cyber121 Phishing Investigation Toolkit provides a 10-phase investigation workflow covering all of the above techniques, plus an Excel log for documenting IOCs and a quick reference card for your analysts' desks.

For automated first-pass analysis, the Cyber121 Phishing Analyser checks sender domains against DNS blacklists, verifies SPF/DKIM/DMARC, estimates domain age, and provides an AI-powered verdict — all in seconds.


Published by the Cyber121 team. Cyber121 is a cybersecurity community platform providing free security tools, CVE intelligence, and professional training resources.
