Anish Chand, Louisiana State University; Nick Nikiforakis, Stony Brook University; Phani Vadrevu, Louisiana State University
Given that email is a highly prevalent phishing attack vector, we undertake the first study of real-world phishing email reporting systems. Our key idea is to repurpose email tracking, a well-known privacy threat, to profile the anti-phishing analysis that popular email services perform on reported messages and then to evade it. Our results show that the reporting systems of all major email services we tested are vulnerable to such evasive phishing attacks, affecting more than 2 billion users worldwide. We propose several countermeasures that email service operators can adopt to mitigate this issue. We disclosed our findings to the affected email providers, which resulted in remedial changes and a vulnerability reward.
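To make the abstract's key idea concrete, the block below is an added example (written for this page, not code from the paper or its authors) of the email-tracking mechanism being repurposed: each message carries a remote image whose URL is keyed to that message, and the tracker's web-server log then reveals who fetched it, from where, with what client and how soon after sending. The HMAC key, the host name `tracker.example`, the 30-second window used to attribute a fetch to an automated pipeline rather than a person, and the log lines are all constructed assumptions for the demonstration; the paper's own profiling method may differ.

```python
"""Added example: a per-message tracking pixel plus log analysis that profiles
whoever (or whatever) opened the mail. All data here is constructed."""
import hashlib
import hmac
import re
from datetime import datetime, timezone
from email.message import EmailMessage

SECRET = b"constructed-demo-key"   # assumption: tracker's HMAC key
TRACKER_HOST = "tracker.example"   # assumption: sender-controlled host
AUTOMATED_WINDOW_S = 30            # assumption: a fetch this soon after sending
                                   # is attributed to an automated pipeline


def tracking_token(message_id: str) -> str:
    """Unguessable per-message token: truncated HMAC-SHA256 over the Message-ID."""
    return hmac.new(SECRET, message_id.encode(), hashlib.sha256).hexdigest()[:24]


def build_tracked_email(sender: str, recipient: str, message_id: str):
    """HTML mail whose only remote resource is a 1x1 image keyed to this message."""
    token = tracking_token(message_id)
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "Account notice"
    msg.set_content("Please view this message in an HTML-capable client.")
    msg.add_alternative(
        "<html><body><p>Account notice</p>\n"
        f'<img src="https://{TRACKER_HOST}/px/{token}.gif"\n'
        '     width="1" height="1" alt="">\n'
        "</body></html>\n",
        subtype="html",
    )
    return msg, token


# Combined log format: ip ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def profile(token: str, sent_at: datetime, log_lines):
    """Collect every fetch of this message's pixel and summarise who fetched it."""
    fetches = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None or rec["path"] != f"/px/{token}.gif":
            continue
        fetches.append({
            "ip": rec["ip"],
            "ua": rec["ua"],
            "latency_s": (rec["ts"] - sent_at).total_seconds(),
        })
    fetches.sort(key=lambda f: f["latency_s"])
    if not fetches:
        verdict = "no fetch"
    elif fetches[0]["latency_s"] <= AUTOMATED_WINDOW_S:
        verdict = "automated fetch observed"   # heuristic, see AUTOMATED_WINDOW_S
    else:
        verdict = "human-paced fetch only"
    return {
        "fetch_count": len(fetches),
        "first_latency_s": fetches[0]["latency_s"] if fetches else None,
        "distinct_ips": sorted({f["ip"] for f in fetches}),
        "verdict": verdict,
        "fetches": fetches,
    }


# Constructed scenario: two messages sent at the same instant, one tracker log.
SENT_AT = datetime(2025, 8, 12, 10, 0, 0, tzinfo=timezone.utc)
MSG_A, TOKEN_A = build_tracked_email("it@example.org", "alice@example.net", "msg-a@example.org")
MSG_B, TOKEN_B = build_tracked_email("it@example.org", "bob@example.net", "msg-b@example.org")

SCANNER_UA = "Mozilla/5.0 (compatible; ExampleScanner/1.0)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0 Safari/537.36"
SAMPLE_LOG = [  # constructed combined-log-format lines for TRACKER_HOST
    f'198.51.100.4 - - [12/Aug/2025:10:00:07 +0000] "GET /px/{TOKEN_A}.gif HTTP/1.1" '
    f'200 43 "-" "{SCANNER_UA}"',
    f'198.51.100.4 - - [12/Aug/2025:10:00:07 +0000] "GET /favicon.ico HTTP/1.1" '
    f'404 0 "-" "{SCANNER_UA}"',
    f'203.0.113.25 - - [12/Aug/2025:10:41:12 +0000] "GET /px/{TOKEN_A}.gif HTTP/1.1" '
    f'200 43 "-" "{BROWSER_UA}"',
]

if __name__ == "__main__":
    for name, tok in (("A", TOKEN_A), ("B", TOKEN_B)):
        print(name, profile(tok, SENT_AT, SAMPLE_LOG))
```

Running the block prints message A's profile (a fetch 7 seconds after sending from one address, then a browser-paced fetch 41 minutes later from another) and message B's (never fetched). The same per-token fetch record is what lets a sender tell an automated analysis pipeline apart from a recipient, and it is equally what an email provider would need to deny by proxying or stripping remote resources before analysing a reported message.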
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone.
author = {Anish Chand and Nick Nikiforakis and Phani Vadrevu},
title = {Doubly Dangerous: Evading Phishing Reporting Systems by Leveraging Email Tracking Techniques},
booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
year = {2025},
isbn = {978-1-939133-52-6},
address = {Seattle, WA},
pages = {3181--3200},
url = {https://www.usenix.org/conference/usenixsecurity25/presentation/chand},
publisher = {USENIX Association},
month = aug
}