Suped

Summary

Phishing emails are successfully landing in Gmail's primary inbox due to a multifaceted approach employed by attackers, combined with inherent limitations in filter technology and human vulnerabilities. Spammers actively invest in evading filters through sophisticated techniques like hashbusters, extensive testing, reputation manipulation, and the use of rotating domains and accounts. They also exploit legitimate infrastructure, sometimes successfully passing authentication checks like SPF, DKIM, and DMARC, and utilize methods like base64 encoding to obfuscate their messages. Social engineering plays a significant role in crafting convincing emails that bypass user suspicion, particularly in personalized attacks. Additionally, smaller, targeted campaigns can evade volume-based detection systems. User settings, changes in sender reputation, and zero-day exploits also contribute to filter bypass. Finally, human error, stemming from fatigue, stress, or lack of awareness, remains a crucial factor. Reporting suspicious emails, enabling multi-factor authentication, and educating users are critical for mitigation.

Key findings

  • Evolving Evasion Techniques: Spammers invest heavily in circumventing spam filters by using sophisticated techniques, including hashbusters and reputation services.
  • Legitimate Infrastructure Abuse: Phishing emails can originate from legitimate platforms, even passing SPF, DKIM, and DMARC checks, making them harder to detect.
  • Social Engineering Effectiveness: Social engineering tactics are highly effective in creating convincing phishing emails that deceive users.
  • Targeted Campaign Success: Smaller, targeted phishing campaigns often evade detection by volume-based filters.
  • Human Vulnerability: Human error and fatigue significantly increase the risk of falling for phishing scams.
  • Reporting Importance: User reporting is critical for improving the effectiveness of spam filters.
  • Compromised Infrastructure: Attackers compromise legitimate sending infrastructures to send phishing emails.
  • Personalization: Personalized phishing attacks are harder to identify.
  • Multi-Layered Attacks: Phishing attacks combine URL and attachment-based techniques.

Key considerations

  • Advanced Filter Development: Develop and deploy more sophisticated spam filters capable of detecting advanced evasion techniques and nuanced social engineering.
  • User Education Enhancement: Provide comprehensive and ongoing education to users on recognizing and reporting phishing attempts.
  • Multi-Factor Authentication Implementation: Mandate and enforce multi-factor authentication (MFA) for all accounts to mitigate the impact of compromised credentials.
  • Account Security Measures: Implement robust account security measures to prevent account compromise and unauthorized access.
  • Incident Response Planning: Establish and regularly update an incident response plan to address phishing attacks effectively.
  • Security Awareness Training: Provide ongoing security awareness training to educate employees and users about phishing risks and best practices.
  • Email Authentication Protocols: Implement and enforce email authentication protocols like SPF, DKIM, and DMARC to verify the authenticity of sending domains.
  • Email Provider Filter Improvement: Provide feedback to email providers on how to enhance their filtering logic.
  • Whitelisting Caution: Do not automatically trust whitelisted senders.

What email marketers say

11 marketer opinions

Phishing emails are landing in Gmail primary inboxes due to a combination of factors including evolving spammer tactics, sophisticated spoofing techniques, compromised accounts, personalized attacks, smaller targeted campaigns, and human error. Spammers continuously adapt to bypass filters by mimicking legitimate emails, spoofing email addresses, creating lookalike domains, leveraging current events, and compromising trusted sources. The volume and sophistication of phishing attempts also overwhelm spam filters, and smaller, targeted campaigns often evade detection. Moreover, human factors, such as user fatigue or stress, increase the likelihood of falling for these scams.

Key opinions

  • Evolving Tactics: Phishers constantly evolve their tactics to bypass spam filters, making it difficult for algorithms to keep up.
  • Sophisticated Spoofing: Phishers use sophisticated spoofing techniques, mimicking legitimate emails and domains to deceive recipients.
  • Compromised Accounts: Attackers compromise legitimate email accounts, sending phishing emails from trusted sources.
  • Personalized Attacks: Personalized phishing attacks, tailored to the recipient, are more likely to bypass spam filters because they appear legitimate.
  • Targeted Campaigns: Smaller, targeted phishing campaigns evade volume-based detection filters.
  • Human Error: Human error, influenced by fatigue or stress, increases susceptibility to phishing scams.
  • Multi-layered Attacks: Multi-layered phishing campaigns that combine URL-based and attachment-based techniques are harder to detect.

Key considerations

  • Stay Updated: Be aware of the latest phishing tactics and techniques.
  • Verify Senders: Always verify the sender's identity, especially for unusual or urgent requests.
  • Enable MFA: Enable multi-factor authentication (MFA) to add an extra layer of security to your accounts.
  • Report Suspicious Emails: Report suspicious emails to help improve spam filters.
  • Educate Users: Educate employees and users about phishing risks and best practices.
  • Implement Robust Security Measures: Put filtering in place so that phishing emails are caught before they reach user inboxes.

Marketer view

Email marketer from Cloudflare explains that if an attacker compromises a legitimate email account, they can send phishing emails from a trusted source, increasing the likelihood of bypassing spam filters. These are known as Business Email Compromise (BEC) attacks.

5 May 2025 - Cloudflare

Marketer view

Marketer from Email Geeks shares that they were receiving phishing emails daily from January 30 to February 17, originating from services like Microsoft and Sendgrid, but have since stopped receiving them.

20 Oct 2022 - Email Geeks

What the experts say

5 expert opinions

Phishing emails bypass Gmail's primary inbox filters because of the sophisticated techniques spammers employ. Spammers invest significant effort in evading filters: they use hashbusters, test their messages extensively against filters, rely on reputation services, rotate domains and accounts, and base64-encode message content. Additionally, analysis shows phishing emails can originate from legitimate services like Microsoft O365 and pass SPF, DKIM, and DMARC checks. Compromised sending infrastructures and human error are also contributing factors, emphasizing the need for user education to recognize and report phishing attempts.
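As an added, defender-side illustration of the point above (example code written for this page, not from any of the quoted experts): a small triage routine that parses the Authentication-Results header, undoes the base64 transfer encoding before keyword scanning, and flags a From domain that is a near-match of a protected brand domain, so that "all checks pass" is not mistaken for "safe". The message, the protected domain list and the keyword list are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the page): every check passes because the attacker
# registered and correctly configured a lookalike of a protected brand domain.
RAW_MESSAGE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=exannple-bank.com;
 dkim=pass header.d=exannple-bank.com; dmarc=pass header.from=exannple-bank.com
From: "Example Bank Security" <alerts@exannple-bank.com>
Subject: Urgent: verify your account
Content-Transfer-Encoding: base64

UGxlYXNlIGNvbmZpcm0geW91ciBwYXNzd29yZCBhdCB0aGUgbGluayBiZWxvdy4=
"""
PROTECTED_DOMAINS = ("example-bank.com",)             # hypothetical brand domains to defend
CREDENTIAL_WORDS = ("password", "verify", "confirm")  # constructed credential-lure keywords

def parse_auth_results(header):
    """Map spf/dkim/dmarc in an Authentication-Results header to their results."""
    return {m: r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or "")}

def edit_distance(a, b):
    """Levenshtein distance; a small non-zero value indicates a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, protected=PROTECTED_DOMAINS):
    """Return the protected domain that `domain` imitates (distance 1-2), else None."""
    for good in protected:
        if domain != good and edit_distance(domain, good) <= 2:
            return good
    return None

def triage(raw):
    msg = message_from_string(raw)
    auth = parse_auth_results(msg["Authentication-Results"])
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    # Undo the transfer encoding so keyword checks see the text, not a base64 blob.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = (msg["Subject"] + " " + body).lower()
    return {"auth_all_pass": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
            "from_domain": from_domain, "lookalike_of": lookalike_of(from_domain),
            "credential_words": [w for w in CREDENTIAL_WORDS if w in text]}
```

Authentication passing only tells you the named domain sent the message; the lookalike and keyword signals are what separate this message from a genuine one.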

Key opinions

  • Filter Evasion Techniques: Spammers invest heavily in techniques like hashbusters, testing, and reputation services to evade spam filters.
  • Legitimate Platform Abuse: Phishing emails can originate from legitimate platforms and so pass standard authentication checks (SPF, DKIM, DMARC), which verify the sending domain, not the sender's intent.
  • Rotation of Infrastructure: Spammers rotate domains and accounts to avoid detection.
  • Compromised Infrastructure: Attackers compromise legitimate sending infrastructures to send phishing emails.
  • Human Error Factor: Human error plays a significant role in the success of phishing attacks.

Key considerations

  • Advanced Filter Detection: Email providers need to develop more advanced filters to detect sophisticated evasion techniques, including those that pass authentication checks.
  • User Education: Educate users on how to recognize and report phishing attempts.
  • Account Security: Implement stronger security measures to prevent account compromise.
  • Incident Response: Have a clearly documented incident response process to take action on phishing attempts.
  • Stay Vigilant: Encourage vigilance and caution when reviewing emails, particularly those requesting sensitive information.

Expert view

Expert from Spam Resource emphasizes the importance of educating users to recognize phishing attempts and providing them with the tools to report suspicious emails, as human error is a significant factor in successful phishing attacks.

13 Apr 2025 - Spam Resource

Expert view

Expert from Word to the Wise shares that attackers can compromise legitimate sending infrastructures, leading to phishing emails originating from seemingly trustworthy sources, making detection more challenging for filters and recipients.

15 Dec 2023 - Word to the Wise

What the documentation says

5 technical articles

Phishing emails are landing in Gmail primary inboxes because they bypass initial filters due to various factors. These include new phishing tactics, changes in sender reputation, and user settings overriding filters. Additionally, advanced campaigns use zero-day exploits and polymorphic malware to evade detection. Social engineering plays a crucial role in making these emails appear legitimate, reducing user suspicion. Reporting phishing emails helps improve Gmail's filters, and enabling multi-factor authentication (MFA) can protect accounts even if credentials are compromised.

Key findings

  • Filter Bypass: Phishing emails bypass initial filters due to tactics, reputation changes, and user settings.
  • Advanced Techniques: Advanced campaigns use zero-day exploits and polymorphic malware to evade detection.
  • Social Engineering: Phishing attacks incorporate social engineering to appear legitimate.
  • Importance of Reporting: Reporting phishing emails improves filter accuracy.
  • MFA Protection: Multi-factor authentication (MFA) adds an extra layer of security, even if credentials are compromised.

Key considerations

  • User Reporting: Encourage users to report suspicious emails.
  • Review User Settings: Review and adjust user email settings to strengthen filter effectiveness.
  • Implement MFA: Enable multi-factor authentication for all accounts.
  • Stay Updated: Keep software and systems updated to patch vulnerabilities exploited in zero-day attacks.
  • Training: Educate users about social engineering tactics used in phishing attacks.

Technical article

Documentation from Microsoft details that phishing emails can land in your inbox if they bypass initial filters, often due to sender reputation changes, new phishing tactics, or user settings that override filter decisions.

18 May 2023 - Microsoft

Technical article

Documentation from Proofpoint explains that advanced phishing campaigns use techniques like zero-day exploits and polymorphic malware to evade detection. These techniques are constantly evolving.

3 Dec 2022 - Proofpoint
