Phishing attacks are becoming more elusive and more dangerous. To extend the life of their campaigns and increase success rates, threat actors employ evasion techniques designed to hide malicious content from security teams. By avoiding detection, attackers boost their chances of reaching more victims and profiting from compromised accounts or stolen data.
One increasingly common approach is restricting access based on user interaction — a tactic that relies on behavioral cues to determine whether a visitor is a real target or a security analyst. Let’s explore this method and the three primary ways attackers use it to bypass traditional defenses.
Restricting by Interaction: How Behavior Shapes Access
Cybercriminals study user behavior carefully. They know how a legitimate victim is expected to interact with their bait — typically by clicking a link embedded in a phishing email or message. If a visitor’s behavior deviates from that expected flow (for example, typing the URL directly or using an automated tool), the attacker may withhold the malicious content altogether.
This type of evasion is designed to fool researchers, sandboxes, or security crawlers that don’t follow the "normal" path to the malicious destination.
Attackers commonly use three interaction-based restriction methods:
1. Unique Passkey
One of the most effective evasion techniques embeds a unique passkey in the phishing lure, usually as a query string. For instance, a malicious URL might end in something like ?login-page. When the victim clicks the link as intended, the browser sends the passkey along with the request and the server delivers the malicious content. If someone visits the base domain directly (that is, without the query string), the server returns a decoy page or an error, and the threat never appears. The key is frequently unique per recipient, so it also tells the attacker which target clicked.
This technique is particularly effective against security researchers, who may uncover the domain but not the exact passkey required to reach the payload. Fetching the bare domain then makes the site look harmless, even though it is anything but. The practical consequence for analysts is that the full lure URL, query string included, must be preserved when a suspicious link is reported, submitted to a sandbox, or replayed.
2. Single-Visit or IP Address
Another tactic limits access to one visit per victim. If someone tries to revisit the same phishing link — or if multiple different users or bots access it from the same IP — the threat is concealed.
Attackers may enforce this restriction by:
- Logging and filtering by IP address
- Analyzing browser, device, or OS fingerprints
- Placing long-lived tracking cookies in the browser
These checks help attackers distinguish their intended victims from unwanted visitors such as automated scanners or security teams. They also mean that any analysis performed from an IP the kit has already seen (a well-known sandbox or scanner range, or the egress address the victim used), or from a browser profile that already carries the kit's cookie, will receive the decoy; an analyst who wants the payload needs a fresh egress IP and a clean browser profile.
3. Sessions
Session control is another way attackers ensure that only legitimate victims complete the full phishing journey. This technique relies on a specific sequence of interactions: clicking the lure, visiting the landing page, moving to the next stage, and so on.
To enforce this flow, attackers may drop a tracking cookie or token during the initial page visit. If a user skips a step or visits the pages out of order (as security tools often do), the site won’t deliver the malicious content. Instead, it will show a harmless placeholder or simply block access.
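The three gates above are easiest to understand as a single server-side decision function. The following Python is an added simulation written for this article, not the code of any real phishing kit: the passkey value, the request dictionary layout, the cookie names and the sample IP addresses (from the documentation ranges) are illustrative assumptions. It shows a bare-domain scan, a repeat visit and an out-of-order request all receiving the decoy, while a visitor who follows the intended path gets the credential form. The victim_path function is also the path an analysis crawler has to reproduce if it wants to see the payload.

```python
"""Simulation of an interaction-gated phishing landing page.

Constructed example: this models the server-side gate logic described in
the text (passkey, single-visit, ordered session).  It is not the code of
any real phishing kit; PASSKEY, the request dict layout, the cookie names
and the sample IP addresses are illustrative assumptions.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

PASSKEY = "login-page"                      # assumed: the token the lure carries as ?login-page
LANDING = "<html>Shared document: click Continue</html>"
FORM = "<html>Fake sign-in form (stage 2)</html>"
DECOY = "<html>404 Not Found</html>"        # what non-victims get instead


def fingerprint(req):
    """Coarse client fingerprint: IP plus User-Agent, hashed.  Real kits mix in
    many more signals (language, screen size, fonts); this is enough to show the idea."""
    raw = f"{req['ip']}|{req.get('user_agent', '')}"
    return hashlib.sha256(raw.encode()).hexdigest()


@dataclass
class Kit:
    """Per-campaign state the kit keeps between requests."""
    seen_ips: set = field(default_factory=set)
    seen_fps: set = field(default_factory=set)
    sessions: dict = field(default_factory=dict)   # session token -> stage reached

    def handle(self, req):
        """Serve one request.  req has path, query (set of strings), ip,
        user_agent and cookies (dict).  Returns (body, cookies_to_set)."""
        path = req["path"]
        query = req.get("query", set())
        cookies = req.get("cookies", {})

        if path == "/":
            # Gate 1, unique passkey: the bare domain without the query string
            # the lure carried gets the decoy.
            if PASSKEY not in query:
                return DECOY, {}
            # Gate 2, single visit: an IP, fingerprint or tracking cookie that
            # has been seen before is treated as a researcher or scanner.
            fp = fingerprint(req)
            if req["ip"] in self.seen_ips or fp in self.seen_fps or "visited" in cookies:
                return DECOY, {}
            self.seen_ips.add(req["ip"])
            self.seen_fps.add(fp)
            # Gate 3 setup: a session token records that stage 1 was completed.
            token = secrets.token_hex(16)
            self.sessions[token] = 1
            return LANDING, {"sess": token, "visited": "1"}

        if path == "/signin":
            # Gate 3, ordered session: only a token issued by the landing page
            # unlocks the credential form; jumping straight here fails.
            token = cookies.get("sess")
            if self.sessions.get(token) != 1:
                return DECOY, {}
            self.sessions[token] = 2
            return FORM, {}

        return DECOY, {}


def victim_path(kit, ip="203.0.113.10", ua="Mozilla/5.0"):
    """Follow the lure as intended: full link with passkey, keep cookies,
    then continue to the sign-in stage.  An analysis crawler that wants to
    see the payload has to reproduce exactly this."""
    jar = {}
    body, set_cookies = kit.handle({"path": "/", "query": {PASSKEY}, "ip": ip,
                                    "user_agent": ua, "cookies": dict(jar)})
    jar.update(set_cookies)
    if body != LANDING:
        return body
    body, set_cookies = kit.handle({"path": "/signin", "query": set(), "ip": ip,
                                    "user_agent": ua, "cookies": dict(jar)})
    return body


def naive_scan(kit, ip="198.51.100.7"):
    """What a typical URL scanner does: fetch the bare domain, no query string."""
    body, _ = kit.handle({"path": "/", "query": set(), "ip": ip,
                          "user_agent": "urlscanner/1.0", "cookies": {}})
    return body


def skip_ahead(kit, ip="198.51.100.8"):
    """Go straight to the credential page without the landing step."""
    body, _ = kit.handle({"path": "/signin", "query": set(), "ip": ip,
                          "user_agent": "Mozilla/5.0", "cookies": {}})
    return body


if __name__ == "__main__":
    kit = Kit()
    print("bare domain scan :", naive_scan(kit))          # decoy
    print("victim, 1st click:", victim_path(kit))         # fake form
    print("victim, 2nd click:", victim_path(kit))         # decoy (IP already seen)
    print("skip to /signin  :", skip_ahead(kit))          # decoy
```

Note that the single-visit gate records the IP only after the passkey check passes, so a scanner that never sends the key does not burn the link for the real victim, while the victim's own second click does. That asymmetry is deliberate on the attacker's side and is why a takedown analyst should expect a decoy when re-fetching a link the target has already opened.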
Why These Techniques Matter
These evasion strategies aren’t just clever; they’re effective. By hiding threats from researchers, bots, and traditional security tools, attackers can keep phishing sites active longer and maximize their return. Worse, these methods make it harder for brands and security teams to detect, analyze, and take down malicious campaigns before damage is done.
Understanding how attackers use interaction-based evasion is essential for improving threat visibility and defending your brand. Security tooling must reproduce the victim's path, with the full lure URL, a fresh egress IP and browser profile, and the stages visited in order with cookies preserved, in order to proactively uncover phishing campaigns that are engineered to remain hidden.