Another challenge is to detect the final phishing payload itself. Traditional solutions rely on computer vision and reference lists to identify impersonated brands, but this approach has significant limitations. Less popular or regional brands often go undetected, because it is not feasible to constantly keep brand lists up to date. This leads to gaps in protection, as can be seen here:
To address these challenges, we are proud to release Joe Sandbox AI today, a new plugin for Joe Sandbox that combines advanced language models (LLMs) with AI-guided UI automation. Rather than relying on reference lists, Joe Sandbox AI leverages sophisticated language models and contextual analysis to detect phishing attempts across emails, documents and webpages, thereby capturing even the most nuanced threats without brand-specific dependencies.
Phishing usually starts with an email containing a link or attached documents containing links. Joe Sandbox AI already kicks in here and performs inference utilizing the visual and text content of the document. By identifying these phishing characteristics directly in documents, our solution can accurately assess the threat even when network-based conditions are in place to hide the payload:
Full Analysis: https://www.joesandbox.com/analysis/1555851/0/html
Just as Joe Sandbox AI can analyze documents, it also excels at identifying phishing attempts directly within emails. In the example below, the email is crafted to look like a purchase confirmation from a known service provider, complete with an invoice to add legitimacy.
Joe Sandbox AI flagged this as phishing due to several key indicators: it was sent from a generic Gmail address, the subject and sender information do not match any legitimate business pattern, and it includes an attachment with a random filename. In addition, the email contains a link with the urgent text “Transaction Invoice”:
Full Analysis: https://www.joesandbox.com/analysis/1556359/0/html
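The indicators named in the paragraph above can be roughly approximated with fixed rules. The following is an added example, not code from this post and not how Joe Sandbox AI works (the post describes LLM-based inference). The word lists, the filename heuristic, the function names and the sample message are all assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed word lists and a constructed sample message (not a vendor rule set, not real mail).
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
LURE_WORDS = {"invoice", "transaction", "payment", "receipt", "order"}
SAMPLE_EML = """\
From: "Billing Department" <k.r.8841@gmail.com>
Subject: Order Confirmed #77120
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<a href="https://example.invalid/view">Transaction Invoice</a>
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="xK9qT2vLm4.pdf"

--b1--
"""

def looks_random(filename):
    # Crude heuristic: long alphanumeric stem, several digits, few vowels.
    stem = filename.rsplit(".", 1)[0]
    letters = [c for c in stem.lower() if c.isalpha()]
    return (len(stem) >= 8 and stem.isalnum() and bool(letters)
            and sum(c.isdigit() for c in stem) >= 2
            and sum(c in "aeiou" for c in letters) / len(letters) < 0.25)

def triage(raw):
    """Return which of the indicators named above fire on a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    words = lambda s: set(re.findall(r"[a-z]+", s.lower()))
    hits = []
    if domain in FREEMAIL:
        hits.append("freemail_sender")
        if LURE_WORDS & words(str(msg["Subject"])):
            hits.append("business_subject_from_freemail")
    if any(looks_random(p.get_filename() or "") for p in msg.iter_attachments()):
        hits.append("random_attachment_name")
    body = msg.get_body(preferencelist=("html", "plain"))
    links = re.findall(r"<a\s[^>]*>(.*?)</a>", body.get_content() if body else "", re.I | re.S)
    if any(LURE_WORDS & words(t) for t in links):
        hits.append("lure_link_text")
    return hits
```

Fixed rules like these depend on maintained lists and thresholds, which is the limitation the post raises about reference lists.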
To tackle complex phishing chains, Joe Sandbox AI uses the latest multimodal large language models (MMLLMs) to simulate user interactions.
Joe Sandbox AI does not parse the HTML of the webpage but rather depends on the visual content of the page. It understands which parts of the page are buttons and links and which one a human is most likely to click. Hence, it can navigate JavaScript-based redirects and follow conditional paths that reveal the true phishing content.
Below, you can watch the AI clicker in action, solving basic captchas and following redirect chains to reach the final phishing page.
Once Joe Sandbox reaches the final phishing page, Joe Sandbox AI conducts a thorough analysis of the page’s structure and behaviour, pinpointing elements commonly used in phishing, such as login forms, credential fields, and brand impersonation techniques. Again, this is achieved by analysing the visual content with an MMLLM.
Joe Sandbox AI effectively identifies phishing pages across both well-known and niche brands. In one example, our solution flagged a phishing page impersonating Meta by detecting elements designed to mimic official support and login portals.
In another case, it successfully identified a phishing page targeting Deriv, a lesser-known financial platform. Despite the brand’s lower visibility, Joe Sandbox AI’s advanced analysis detected the same deceptive patterns aimed at capturing user credentials. This demonstrates Joe Sandbox AI’s ability to accurately assess phishing threats, regardless of brand familiarity or popularity.
Full analysis: https://www.joesandbox.com/analysis/1555173/0/html
Full analysis: https://www.joesandbox.com/analysis/1549918/0/html
Phishing pages have a short lifetime. Often, they are disabled by hosting providers within minutes. Still, Joe Sandbox AI can detect them through document or email analysis or landing page detection. Additionally, Joe Sandbox AI uses LLMs to analyze the URL of the submitted sample directly. Even though the immediate threat of the attack has passed, detecting inactive phishing links still provides valuable insights for security analysts.
Joe Sandbox AI represents a major advancement in phishing detection, addressing the limitations of traditional methods with a robust combination of generative AI and AI-guided UI automation. By eliminating reliance on static brand lists and instead applying contextual analysis across emails, documents, and webpages, Joe Sandbox AI captures nuanced phishing attempts without brand-specific dependencies, ensuring comprehensive threat detection.
Our solution excels at detecting phishing threats at every stage, whether embedded within an email, hidden in a document, or displayed on a final phishing page. Joe Sandbox AI navigates complex redirects, handles JavaScript-driven flows, and even solves basic captchas, enabling it to reach and analyze the final phishing payload that other systems might miss. This capability is critical in capturing the full scope of a phishing attack, even when sophisticated evasion techniques are employed.
Through its advanced capabilities, Joe Sandbox AI empowers security teams to gain complete visibility into phishing schemes, whether targeting widely recognized brands or lesser-known entities. This comprehensive approach not only improves detection accuracy but also provides valuable insights into attacker tactics, helping organizations stay ahead in the constantly evolving phishing landscape.
Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!