Cybercriminals use sophisticated evasion tactics to outsmart security scanners and human detection — prolonging the life of phishing campaigns. These techniques are often layered for maximum effect. In this post, we spotlight one such method: active evasion, where access is restricted based on device type to block non-targets and avoid exposure.
Restricting by Device
Active evasion refers to techniques attackers use to hide threats from anyone outside their intended target audience. One common method involves filtering access by device type, operating system, or browser. Once this data is collected, threat actors decide whether to deliver the malicious payload or disappear entirely to avoid detection.
Restricting non-targets by device is accomplished by accessing the following information:
- User-agent string
- Screen size or viewport
- Device motion and orientation events
User-Agent Blocking
User-agent (UA) strings identify the technology used to access a website, including the device type, operating system, and browser. This information helps servers deliver the appropriate version of a site — like loading a mobile-optimized view when you're browsing from a phone instead of a desktop.
By analyzing this information, threat actors can tailor their attacks to specific targets. For example, if the goal is to exploit a Mac vulnerability, access will be restricted to users on Mac devices, while others are blocked to avoid detection or wasted effort.
User-agent blocking is the most common method of restricting non-target access to malicious material.
Screen Size or Viewport
Another device-based evasion method involves profiling users by screen size or viewport. Using JavaScript, threat actors gather detailed information — such as window height and width — that goes beyond what user-agent strings reveal. This allows them to infer the type of device being used and decide whether to launch the attack or stay hidden.
This data can also help detect virtual environments, such as headless browsers often used by security teams to analyze phishing sites, prompting the attacker to withhold malicious content and avoid detection.
Gyroscope
Threat actors also use data from mobile device sensors to determine how an attack should behave. This is most commonly seen with device motion and orientation events, which are driven by sensors such as the gyroscope or accelerometer.
These sensors activate when a mobile browser or app is in use, helping threat actors distinguish between real mobile devices and emulated environments. A valid sensor response strongly signals a genuine mobile device, prompting the attacker to proceed with their intended behavior.
Evasion tactics like these allow cybercriminals to extend the lifespan and profitability of phishing campaigns. To defend against these adaptive threats, security teams need visibility into evasion techniques and the ability to detect them in real time.
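For defenders, one way to surface the three device checks described above is to statically triage the inline script of a captured page. The following is an added example, not code from the original post; the pattern lists, verdict names, function names and both sample pages are constructed assumptions.

```javascript
// Added example: static triage of a captured page for device-gating signals.
// Signal groups mirror the three data sources named in the post.
const SIGNALS = {
  userAgent: [/\bnavigator\.(userAgent|userAgentData|platform)\b/],
  viewport: [/\bscreen\.(width|height|availWidth|availHeight)\b/,
             /\bwindow\.(innerWidth|innerHeight|outerWidth|outerHeight)\b/],
  motion: [/\bDevice(Motion|Orientation)Event\b/,
           /['"]device(motion|orientation)['"]/],
};
// Ways a script can swap or withhold content after profiling (assumed list).
const BRANCH_ACTIONS = [/\blocation\.(href|replace|assign)\b/,
                        /\bdocument\.write\b/, /\.innerHTML\s*=/];

// Constructed fixtures, not taken from any real campaign.
const SAMPLE_RESPONSIVE = `<html><script>
if (window.innerWidth < 600) { document.body.className = 'compact'; }
</script></html>`;
const SAMPLE_GATED = `<html><script>
var ok = /iPhone|Android/.test(navigator.userAgent) && window.innerWidth < 800;
window.addEventListener('deviceorientation', function () { ok = ok && true; });
if (!ok) { location.replace('https://example.invalid/blank'); }
</script></html>`;

// Concatenate the bodies of all inline <script> elements.
function extractScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const parts = [];
  let m;
  while ((m = re.exec(html)) !== null) parts.push(m[1]);
  return parts.join("\n");
}

function triageDeviceGating(html) {
  const js = extractScripts(html);
  const groups = Object.keys(SIGNALS).filter((g) => SIGNALS[g].some((p) => p.test(js)));
  const branches = BRANCH_ACTIONS.some((p) => p.test(js));
  // Reading device data is normal on benign sites; reading it and then swapping
  // content is the combination worth re-crawling under other device profiles.
  let verdict = "none";
  if (groups.length > 0) verdict = "profiling-only";
  if (groups.length > 0 && branches) verdict = "review";
  if (groups.length >= 2 && branches) verdict = "likely-gated";
  return { verdict, groups };
}

console.log(triageDeviceGating(SAMPLE_RESPONSIVE));
console.log(triageDeviceGating(SAMPLE_GATED));
```

A "likely-gated" verdict is a cue to fetch the same URL again under several user-agent, viewport and sensor profiles and compare what is served; it is a triage signal, not proof of malicious intent.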