Don't Fight the Filter

Don't Fight the Filter
Photo by Mathyas Kurmann / Unsplash

A contant obstacle for me as a pentester is that pesky email filter blocking phishing emails. Modern email filters are getting better at identifying phishing emails before they reach inboxes. Filters can easily spot recently registered domains, typosquat domains, and recently transferred domains. And even if your email does reach an inbox, there might be web filters in place to stop your phishing link redirect.


So is there a way to bypass these filters? Yes, we can do it pretty easily with trusted sites. My current favorite is the free outlook email account. The free outlook email is great because of the following:
 1. It's free
  2. It takes about 5 minutes to set up
  3. The "@outlook.com" adds some legitimacy. A targeted email address such as "clientorganization-helpdesk@outlook.com" or "First.Last@outlook.com" might reduce suspicion.


Most email filters will trust an @outlook.com email so your phishing email will almost certainly get through. Pair this outlook phishing email with a redirect link to a phishing site sitting on a trusted domain like a google site or my favorite: notion.so. Check out this awesome Twitter thread for more info on this method.  

With this dual threat of trusted sites, you drastically increase your chances of bypassing email and web filters. This is proof that a robust email filter solution might not be enough.  Check out the LOTS project for a full list of trusted sites.

Bonus Points

  • Create a fake email chain and include it in the email to your target. In other words, make up some bogus correspondence and add a "FWD: RE: ...." to the email subject. This makes it look like a legitimate email chain.
  • Microsoft allows a few free emails from the Outlook SMTP server. Therefore, with a GoPhish server,  you can use the outlook SMTP server to deliver emails. Check out how to do that here: