
Beyond the inbox: Why your domain and social media are the next front lines


For decades, email security has centered on filtering malicious messages, blocking attachments, and, more recently, enforcing authentication protocols like SPF, DKIM and DMARC.

Attackers increasingly sidestep these defenses rather than breaking them. Instead of trying to slip a malicious message past the gateway, they exploit domain infrastructure, DNS misconfigurations and social-media trust to run phishing and business email compromise (BEC) campaigns that message filters were never designed to catch.

Malicious messages without payloads or embedded links are sent from hijacked subdomains. Spoofed social-media accounts cajole customers into giving up sensitive company or personal information. Phishing pages on lookalike domains lure in the unwary.

The result is a new threat landscape where brand impersonation, not inbox infiltration, is the primary attack vector — and your brand's reputation, as well as your organization's assets, are on the line.

How attackers bypass traditional email security

Modern phishing campaigns can dodge detection by avoiding red flags like attachments or malicious links in email messages. They exploit trust rather than technical vulnerabilities.

One tactic is a classic confidence scheme: Draw the target into an ongoing dialogue lasting days or even weeks and build up a rapport through pleasant interactions before subtly moving in for the kill.

"They're pivoting away from the typical phishing and virus-linking attachments and gearing more towards what I like to call conversational phishing, which has no weaponized payload, no nothing," explains Faisal Misle, Technical Lead at email-security provider Red Sift. "It's kind of like a long con."

These schemes may start with routine business requests, such as a polite payment reminder or a job application, and gradually escalate into financial manipulation. Because the messages carry no malware or suspicious links, they can often evade secure email gateways.

"It pretty much goes under the radar because the HR and finance people are not particularly tech-savvy and they're dealing with three thousand things at once, and it's not an unusual request," explains Misle.

These schemes are propped up by external infrastructure designed to fool the target. Lookalike domains can host convincing login pages, for example "micro-soft.com" instead of "microsoft.com". Adversaries may also send mail from hijacked subdomains of a legitimate brand (e.g. "attacker.microsoft.com"), a technique known as SubdoMailing: a forgotten subdomain whose CNAME or SPF include points at an expired domain can be taken over simply by registering that domain, and because the subdomain still sits under the brand's organizational domain, mail sent from it can pass SPF and DMARC alignment checks.

Social media adds another layer of deception. Fake executive profiles or customer service accounts can be used for reconnaissance or direct fraud, as can hijacked social-media accounts.

Real-world cases, such as a recent one in which a bogus trucking company stole $400,000 worth of fresh lobster from Costco, show how simple domain spoofing can enable large-scale theft without ever touching a corporate inbox.

"Besides stealing your financial information, it also damages your reputation," says Misle. "Once it gets discovered or things start going missing, whether it's money or lobsters, it's a hit to your reputation."

How to implement a layered defense strategy

Defending against domain hijacking and domain spoofing requires a layered domain-defense approach. DMARC, once it is enforced with a p=reject (or at least p=quarantine) policy, stops attackers from putting your exact domain in the From: header, but it does nothing about lookalike domains or about subdomains whose DNS you have let decay, so it is only the starting point.

The next step is to extend protection to your DNS records and domain infrastructure. Continuous DNS monitoring can spot misconfigurations that allow subdomain hijacking, such as CNAMEs that still point at a decommissioned SaaS tenant or an expired domain, and SPF include: directives that authorize a domain nobody in your organization controls any more.

Automated domain discovery helps detect lookalike domains before they can be weaponized. Tools like Red Sift's OnDMARC and DNS Guardian combine authentication and DNS hygiene to reduce exposure.
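As an added illustration of the checks the preceding steps describe (the editor's own example, not code from Red Sift's OnDMARC or DNS Guardian), the Python script below audits a domain for three things: whether a DMARC record is present and enforcing, whether the SPF include chain authorizes a domain that no longer resolves, and whether any subdomain's CNAME points at a name with no records. The zone snapshot is constructed, and `resolve()` stands in for a live resolver; swapping in dnspython's `dns.resolver.resolve()` would make it query real DNS. It goes slightly beyond the text by following SPF includes recursively, since a dangling domain can sit several hops down the chain.

```python
"""Audit DNS for non-enforcing DMARC, dangling SPF includes and dangling CNAMEs.

Editor's illustrative example. ZONE is a constructed snapshot standing in for
DNS; every hostname in it is an assumption for the demo."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (code, human-readable detail)

# Constructed DNS snapshot: (name, rtype) -> rdata strings. A name absent from
# the dict behaves as NXDOMAIN. In production, replace resolve() with
# dnspython's dns.resolver.resolve(name, rtype).
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.com", "A"): ["203.0.113.10"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    ("example.com", "TXT"): [
        "v=spf1 include:_spf.mailvendor.example include:old-agency.example -all"
    ],
    ("_spf.mailvendor.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    # old-agency.example is deliberately absent: the agency let it expire, so
    # whoever registers it is now authorised to send as example.com.
    ("promo.example.com", "CNAME"): ["campaign-2019.expired-saas.example."],
    # expired-saas.example has no records either: promo.example.com is dangling.
    ("www.example.com", "CNAME"): ["example.com."],
}


def resolve(name: str, rtype: str) -> List[str]:
    """Stand-in for a live resolver: answers come from the constructed ZONE."""
    return ZONE.get((name.rstrip(".").lower(), rtype), [])


def name_exists(name: str) -> bool:
    """True if any record exists at the name; absence models NXDOMAIN."""
    n = name.rstrip(".").lower()
    return any(key[0] == n for key in ZONE)


def check_dmarc(domain: str) -> List[Finding]:
    """Flag a missing DMARC record, a p=none policy, or no aggregate reporting."""
    txt = [r for r in resolve(f"_dmarc.{domain}", "TXT") if r.lower().startswith("v=dmarc1")]
    if not txt:
        return [("DMARC_MISSING", f"no _dmarc.{domain} TXT record; the exact domain can be spoofed")]
    tags = dict(kv.strip().split("=", 1) for kv in txt[0].split(";") if "=" in kv)
    findings: List[Finding] = []
    if tags.get("p", "none").lower() == "none":
        findings.append(("DMARC_NOT_ENFORCING", f"p=none on {domain}: failures are reported, not rejected"))
    if "rua" not in tags:
        findings.append(("DMARC_NO_REPORTING", f"no rua= on {domain}: you will not see who fails authentication"))
    return findings


def check_spf(domain: str, depth: int = 0) -> List[Finding]:
    """Walk the SPF include/redirect chain and flag targets that do not resolve."""
    spf = [r for r in resolve(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not spf:
        return [("SPF_MISSING", f"no SPF record at {domain}")]
    findings: List[Finding] = []
    for term in spf[0].split()[1:]:
        mech = term.lstrip("+-~?")
        hop = re.match(r"(include:|redirect=)(.+)", mech)
        if hop:
            target = hop.group(2)
            if not name_exists(target):
                findings.append(("SPF_DANGLING_INCLUDE",
                                 f"{domain} authorises {target}, which does not resolve; "
                                 f"whoever registers it can send as {domain}"))
            elif depth < 10:  # RFC 7208 caps DNS-querying terms at 10
                findings.extend(check_spf(target, depth + 1))
        elif mech == "all" and term[0] not in "-~":
            findings.append(("SPF_PERMISSIVE_ALL", f"{domain} ends with {term}: anyone passes SPF"))
    return findings


def check_cnames(names: List[str]) -> List[Finding]:
    """Flag CNAMEs whose target has no records. A human still has to confirm the
    target's registrable domain or SaaS tenant is actually claimable."""
    findings: List[Finding] = []
    for name in names:
        for target in resolve(name, "CNAME"):
            if not name_exists(target):
                findings.append(("CNAME_DANGLING",
                                 f"{name} -> {target} but the target has no records; "
                                 f"claiming it hijacks {name}"))
    return findings


def audit(domain: str, subdomains: List[str]) -> List[Finding]:
    """Run all three checks and return the combined findings."""
    return check_dmarc(domain) + check_spf(domain) + check_cnames(subdomains)


if __name__ == "__main__":
    for code, detail in audit("example.com", ["promo.example.com", "www.example.com"]):
        print(f"{code:22} {detail}")
```

Run against the constructed zone, the audit reports the non-enforcing DMARC policy, the expired `old-agency.example` that `example.com`'s SPF still authorises, and the dangling `promo.example.com` CNAME; `www.example.com` is clean. Each finding is a candidate for review rather than a confirmed takeover, which is why the code reports the target and the consequence rather than attempting anything itself.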

Equally important is monitoring your brand. Attackers can easily create fake social-media profiles or register deceptive domains that look like yours, but early detection will let you rapidly take them down.

"Spinning up fake profiles is trivial, and you can't really stop it, but you can get ahead of it," says Misle. "Detect quick and neutralize quick."

Solutions such as Red Sift's BrandTrust and attack surface management shine a light on these external threats, including whether certificates, which are essential for secure online transactions, have been issued for your domain names without your organization ever requesting them.

"With certificate asset discovery," Misle adds, "you can see if somebody's spinning up assets using your name, or they may have compromised a CA [certificate authority] to get certificates on your behalf."

Finally, make human verification part of your regular workflows. If you receive a request for a high-risk or high-value transaction, secondary validation over a channel the attacker does not control, such as a phone call to a number you already have on file, remains one of the most effective defenses against BEC.

"Always double-verify," says Misle. "Even if it's somebody you speak with weekly, always double verify via a second option, whether that's a text message, or a fresh e-mail to the address you know works, or a phone call."

And if it's suspiciously well-written yet strangely impersonal, that should raise eyebrows too.

"AI has a very distinctive way of phrasing certain things," he adds. "If it sounds like it could be machine-generated, maybe do a double take and again perform additional validation."

Why security teams need full attack surface visibility

Attackers have access to tools, often powered by AI, that let them quickly map your organization's external-facing assets.

"AI is giving full attack-surface visibility to the bad guys," says Misle. "You should get the same level of visibility the bad guys have so that you can know where your weaknesses are."

"Because AI's been commoditized," he adds, "anybody can now poke holes in your attack surface that were previously reserved for nation-state hackers with unlimited resources."

Email is no longer the primary battleground of phishing or business email compromise. It's just one vector among many. Domains, DNS records, certificates, and social-media accounts are all potential entry points, and security teams that focus solely on inbox protection leave critical gaps exposed.

To plug these holes, your organization needs to adopt continuous attack surface monitoring, integrating data from certificate transparency logs, DNS records and external asset inventories. With this wider scope, you can enable proactive defenses and your teams can spot and stop threats before they reach users.
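As an added example of that wider scope (the editor's code, not any vendor's product), the script below generates the lookalike candidates an attacker would plausibly register for a brand domain and then screens a batch of Certificate Transparency names against them. It goes beyond the article's single "micro-soft.com" case by covering several permutation classes: character omission, transposition, hyphenation, homoglyph substitution, keyword affixes and TLD swaps. The CT entries are constructed; in practice they would come from a CT log monitor. The registrable-domain logic simply takes the last two labels, a stated simplification; a production tool would use the public-suffix list.

```python
"""Generate lookalike domains for a brand and match them against CT log names.

Editor's illustrative example. CT_NAMES is constructed sample data; the affix
and TLD lists are assumptions chosen for the demo."""
from typing import List, Set, Tuple

HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "m": "rn", "w": "vv"}
AFFIXES = ["login", "secure", "support", "mail", "verify"]
SWAP_TLDS = ["co", "cm", "net", "org", "io"]

# Constructed Certificate Transparency observations for the demo.
CT_NAMES = [
    "www.example.com",            # legitimate
    "*.example.com",              # legitimate wildcard
    "login.exarnple.com",         # m -> rn homoglyph
    "examp1e.com",                # l -> 1 homoglyph
    "secure-example-login.com",   # not a generated permutation, but contains the brand
    "example-login.com",          # keyword affix
    "mail.example.co",            # TLD swap
    "unrelated.test",
]


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'example.com' into ('example', 'com'). Simplification: a real tool
    uses the public-suffix list so that 'brand.co.uk' splits correctly."""
    label, _, suffix = domain.lower().partition(".")
    return label, suffix


def lookalikes(domain: str) -> Set[str]:
    """Return registrable-domain candidates an impersonator might register."""
    label, suffix = split_domain(domain)
    variants: Set[str] = set()
    for i in range(len(label)):                       # character omission
        variants.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                   # adjacent transposition
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(1, len(label)):                    # hyphenation (micro-soft)
        variants.add(label[:i] + "-" + label[i:])
    for i, ch in enumerate(label):                    # single homoglyph substitution
        if ch in HOMOGLYPHS:
            variants.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    for affix in AFFIXES:                             # keyword affixes
        variants.add(f"{affix}-{label}")
        variants.add(f"{label}-{affix}")
    candidates = {f"{v}.{suffix}" for v in variants if v and v != label}
    candidates |= {f"{label}.{tld}" for tld in SWAP_TLDS if tld != suffix}
    candidates.discard(domain.lower())
    return candidates


def registrable(name: str) -> str:
    """Naive registrable domain: strip a wildcard prefix, keep the last two labels."""
    name = name.lower().lstrip("*.")
    return ".".join(name.split(".")[-2:])


def match_ct(domain: str, ct_names: List[str]) -> List[Tuple[str, str, str]]:
    """Return (ct_name, registrable_domain, reason) for CT entries worth review."""
    domain = domain.lower()
    label, _ = split_domain(domain)
    cands = lookalikes(domain)
    hits: List[Tuple[str, str, str]] = []
    for name in ct_names:
        reg = registrable(name)
        if reg == domain:
            continue                                   # our own certificate
        if reg in cands:
            hits.append((name, reg, "generated lookalike"))
        elif label in reg.split(".")[0]:               # catches longer brand-bearing labels
            hits.append((name, reg, "contains brand label"))
    return hits


if __name__ == "__main__":
    for ct_name, reg, reason in match_ct("example.com", CT_NAMES):
        print(f"{ct_name:28} {reg:26} {reason}")
```

The containment check is the important fallback: permutation lists are finite, and "secure-example-login.com" would slip past a pure lookup even though it is an obvious phishing name. The cost of that fallback is false positives on legitimate partners whose names happen to contain yours, so hits are a review queue, not an automatic takedown list.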

Phishing and BEC attacks have shifted from exploiting inbox vulnerabilities to exploiting brand trust. Effective defense means extending domain authentication and monitoring beyond email messages to the organization's entire digital presence: its registered domains and their lookalikes, its DNS records, its certificates and its social-media accounts. Protecting the inbox isn't enough when the battle is being fought everywhere your brand exists.

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
