
Joe Security's Blog

LEVEL UP: Detecting Phishing with GenAI

Published on: 19.11.2024





In today’s phishing landscape, attackers constantly refine their techniques, making it increasingly difficult for defenders to keep up. Modern phishing schemes are built as multi-stage chains, designed so that only real users, rather than security tools, reach the final phishing payload.

Attackers often require users to perform multiple steps, such as navigating through landing pages, solving captchas, scanning QR codes, and following long redirect chains.

To make detection even harder, attackers frequently employ network-based evasion techniques such as geolocation filtering and User-Agent checks, displaying the final phishing page only to visitors from specific regions or on specific devices. If these conditions are not met, the server returns benign content or blocks access instead, as can be seen here:


    

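The gating logic described above is easy to model, and so is the check a defender would run against it. The following Python snippet is an added example written for this article, not Joe Sandbox code: a toy server that, like a cloaked phishing kit, serves the credential form only to requests from an allowed country with a browser-like User-Agent and Accept-Language header, and a probe that fetches the same page under several visitor profiles and treats divergent responses as a cloaking indicator. Hostnames, country codes, header values and the bot-marker list are constructed for illustration.

```python
"""Cloaking gate as a phishing kit might implement it, plus a differential probe.

Added example; not Joe Sandbox code. All hosts, headers and country codes are
constructed for illustration.
"""
import re
from dataclasses import dataclass

BENIGN_PAGE = "<html><body><h1>Welcome to our site</h1></body></html>"
PHISH_PAGE = ("<html><body><form method='post' action='/login.php'>"
              "<input name='email'><input type='password' name='pw'></form></body></html>")

# Constructed allow-list: the kit only serves the payload to these regions.
TARGET_COUNTRIES = {"DE", "AT", "CH"}
# Constructed deny-list of substrings common in crawlers and sandboxes.
BOT_UA_MARKERS = ("bot", "crawler", "headless", "python-requests", "curl")


@dataclass
class Request:
    country: str            # normally derived server-side from the client IP
    user_agent: str
    accept_language: str = ""


def gated_server(req: Request) -> str:
    """Model of a cloaked phishing kit: payload only for 'real' victims."""
    ua = req.user_agent.lower()
    if any(marker in ua for marker in BOT_UA_MARKERS):
        return BENIGN_PAGE
    if req.country not in TARGET_COUNTRIES:
        return BENIGN_PAGE
    # Many kits additionally require a browser-like language header.
    if not re.match(r"^[a-z]{2}(-[A-Z]{2})?", req.accept_language):
        return BENIGN_PAGE
    return PHISH_PAGE


def open_server(req: Request) -> str:
    """Control: a site that serves the same content to everyone."""
    return BENIGN_PAGE


# Probe profiles a defender would rotate through. Constructed values.
PROFILES = [
    Request("US", "python-requests/2.31", ""),                        # naive scanner
    Request("US", "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", "en-US"),
    Request("DE", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1", "de-DE"),
]


def probe_cloaking(server, profiles=PROFILES) -> dict:
    """Fetch the same URL under several profiles and compare the bodies.

    Distinct responses for different geo/UA combinations are a strong
    cloaking indicator; the profile that received the outlier is the one
    worth analysing further.
    """
    bodies = {i: server(p) for i, p in enumerate(profiles)}
    cloaked = len(set(bodies.values())) > 1
    payload_profiles = [i for i, body in bodies.items() if "type='password'" in body]
    return {"cloaked": cloaked, "payload_profiles": payload_profiles}


if __name__ == "__main__":
    print(probe_cloaking(gated_server))   # cloaked, payload only for profile 2
    print(probe_cloaking(open_server))    # not cloaked
```

The probe reports which profile received the credential form, so a sandbox can re-run the full analysis under exactly that geo/UA combination; a single-profile scanner would only ever see the benign page.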
Another challenge is detecting the final phishing payload itself. Traditional solutions rely on computer vision and reference lists to identify impersonated brands, but this approach has significant limitations: less popular or regional brands often go undetected, because brand lists cannot feasibly be kept up to date. This leaves gaps in protection, as can be seen here:



Phishing URL for Deriv, a lesser-known financial platform, not detected by urlscan.io


Using GenAI to tackle Phishing Challenges


To address these challenges, we are proud to release Joe Sandbox AI today, a new plugin for Joe Sandbox that combines large language models (LLMs) with AI-guided UI automation. Rather than relying on reference lists, Joe Sandbox AI uses language models and contextual analysis to detect phishing attempts across emails, documents and webpages, capturing even nuanced threats without brand-specific dependencies.




Detecting Landing Pages


Phishing usually starts with an email containing a link, or with an attached document that contains links. Joe Sandbox AI already kicks in at this stage and runs inference on both the visual and the text content of the document. By identifying phishing characteristics directly in the document, it can accurately assess the threat even when network-based conditions hide the payload:




Full analysis: https://www.joesandbox.com/analysis/1555851/0/html


Just as Joe Sandbox AI can analyze documents, it also excels at identifying phishing attempts directly within emails. In the example below, the email is crafted to look like a purchase confirmation from a known service provider, complete with an invoice to add legitimacy. 

Joe Sandbox AI flagged this as phishing based on several indicators: it was sent from a generic Gmail address, the subject and sender information do not match any legitimate business pattern, and it includes an attachment with a random filename. In addition, the email contains a link labelled with the urgent-sounding text “Transaction Invoice”:





Full analysis: https://www.joesandbox.com/analysis/1556359/0/html
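The indicators listed above can also be written down as explicit rules, which is useful for understanding what the model is picking up on. Here is an added example in Python, not Joe Sandbox AI’s own logic (which infers these from the content with an LLM rather than fixed rules): it parses a constructed message modelled on the one above and reports a business-looking display name on a consumer webmail address, a Reply-To on yet another domain, a random-looking attachment name and urgent anchor text on a link. The webmail domain list, the urgency word list and the filename regex are assumptions.

```python
"""Heuristic phishing indicators for an e-mail, mirroring those named in the post.

Added example; not Joe Sandbox code. The message, domain list, word list and
filename regex below are constructed assumptions.
"""
import re
from email import message_from_string, policy

RAW_EMAIL = """\
From: "Acme Billing Department" <acme.billing.notice@gmail.com>
To: victim@example.com
Reply-To: refunds-desk@outlook.com
Subject: Your order #88213 has been charged - Transaction Invoice attached
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<html><body>Thank you for your purchase. If you did not authorise this charge,
open the <a href="https://inv-check.example/r?i=88213">Transaction Invoice</a>
immediately.</body></html>
--b1
Content-Type: application/pdf; name="X7Qk29dL4pz8.pdf"
Content-Disposition: attachment; filename="X7Qk29dL4pz8.pdf"

JVBERi0xLjQK
--b1--
"""

WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
URGENT_WORDS = ("invoice", "transaction", "immediately", "verify", "suspended")
# Stem of 10+ alphanumerics mixing letters and digits: no words, looks generated.
RANDOM_STEM = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{10,}$")


def _addr_domain(header_value: str) -> str:
    """Domain part of the first address in a header value."""
    m = re.search(r"<([^>]+)>", header_value or "")
    addr = m.group(1) if m else (header_value or "").strip()
    return addr.rsplit("@", 1)[-1].lower()


def analyse_email(raw: str) -> list[str]:
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    frm = str(msg["From"] or "")
    from_domain = _addr_domain(frm)
    display_name = frm.split("<")[0].strip(' "')

    # 1. Business-looking display name sent from a consumer webmail address.
    if from_domain in WEBMAIL_DOMAINS and display_name:
        findings.append(f"display name '{display_name}' but webmail sender {from_domain}")

    # 2. Reply-To diverts replies to a different domain than the sender.
    reply_domain = _addr_domain(str(msg["Reply-To"])) if msg["Reply-To"] else from_domain
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Attachments with random-looking names.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if RANDOM_STEM.match(name.rsplit(".", 1)[0]):
            findings.append(f"random-looking attachment name {name}")

    # 4. Links whose anchor text pushes urgency.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.S | re.I):
        if any(w in text.lower() for w in URGENT_WORDS):
            findings.append(f"urgent link text '{text.strip()}' -> {href}")

    return findings


if __name__ == "__main__":
    for finding in analyse_email(RAW_EMAIL):
        print("-", finding)
```

Each rule on its own is weak (plenty of small businesses do mail from Gmail); the value is in the combination, which is also why a contextual model that weighs all of them together does better than any single filter.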



Reaching the final Phishing Payload


To tackle complex phishing chains, Joe Sandbox AI uses the latest multimodal large language models (MMLLMs) to simulate user interactions.

Joe Sandbox AI does not parse the HTML of the webpage but works from the visual content of the rendered page. It understands which parts of the page are buttons and links and which one a human would most likely click. Hence it can navigate JavaScript-based redirects and follow conditional paths that reveal the true phishing content.

Below, you can watch the AI clicker in action, solving basic captchas and following redirect chains to reach the final phishing page. 






Full analysis: https://www.joesandbox.com/analysis/1530877/0/html



Detecting the final Phishing Payload


Once Joe Sandbox reaches the final phishing page, Joe Sandbox AI analyses the page’s structure and behaviour, pinpointing elements commonly used in phishing, such as login forms, credential fields and brand-impersonation techniques. Again, this is achieved by analysing the visual content with an MMLLM.

Joe Sandbox AI effectively identifies phishing pages across both well-known and niche brands. In one example, our solution flagged a phishing page impersonating Meta, by detecting elements designed to mimic official support and login portals. 

In another case, it successfully identified a phishing page targeting Deriv, a lesser-known financial platform. Despite the brand’s lower visibility, Joe Sandbox AI’s advanced analysis detected the same deceptive patterns aimed at capturing user credentials. This demonstrates Joe Sandbox AI’s ability to accurately assess phishing threats, regardless of brand familiarity or popularity.




Full analysis: https://www.joesandbox.com/analysis/1555173/0/html




Full analysis: https://www.joesandbox.com/analysis/1549918/0/html
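The gap between a brand list and brand-agnostic detection can be made concrete. The following added Python example (not Joe Sandbox code, which classifies the rendered page visually rather than parsing HTML) runs two checks over constructed pages modelled on the Meta and Deriv cases above: a reference-list check that only knows a handful of brands catches the Meta page and misses Deriv, while a check that looks for a password field combined with an identity mismatch (credentials posted cross-origin, or the brand named in the page title absent from the serving hostname) catches both and leaves the same form alone when it is served from the brand’s own domain. URLs, page markup and the brand list are constructed.

```python
"""Credential-form detection on a final phishing page: brand list vs. brand-agnostic.

Added example, not Joe Sandbox code. Pages, hosts and the brand list are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Minimal constructed pages modelled on the two cases in the post.
META_PAGE = (
    "<html><head><title>Meta Support - Confirm your identity</title></head><body>"
    "<h1>Meta Business Support</h1>"
    "<form method='post' action='https://collector.example/post.php'>"
    "<input name='email'><input type='password' name='pass'></form></body></html>"
)
DERIV_PAGE = (
    "<html><head><title>Deriv | Log in</title></head><body>"
    "<h1>Sign in to Deriv</h1>"
    "<form method='post' action='/auth.php'>"
    "<input name='login'><input type='password' name='password'></form></body></html>"
)
META_URL = "https://meta-support-help.example/verify"
DERIV_URL = "https://account-verify-portal.example/d/login"

# Constructed reference list, as a traditional brand-matching scanner might keep it.
KNOWN_BRANDS = {"meta": "meta.com", "microsoft": "microsoft.com", "paypal": "paypal.com"}


class _PageFeatures(HTMLParser):
    """Collects the title, form actions and password-field count of a page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.forms = []
        self.password_fields = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def extract(html: str) -> _PageFeatures:
    p = _PageFeatures()
    p.feed(html)
    return p


def brand_list_verdict(url: str, html: str) -> bool:
    """Traditional approach: phishing only if a *listed* brand appears off-domain."""
    f = extract(html)
    host = urlparse(url).hostname or ""
    for brand, official in KNOWN_BRANDS.items():
        if brand in f.title.lower() and not host.endswith(official):
            return f.password_fields > 0
    return False


def brand_agnostic_verdict(url: str, html: str) -> bool:
    """Brand-independent heuristics: a credential form plus an identity mismatch."""
    f = extract(html)
    if f.password_fields == 0:
        return False
    host = urlparse(url).hostname or ""
    # (a) credentials are posted to a different origin than the page itself
    for action in f.forms:
        action_host = urlparse(action).hostname
        if action_host and action_host != host:
            return True
    # (b) the brand the page names first in its title is absent from its own hostname
    words = f.title.lower().replace("|", " ").replace("-", " ").split()
    return bool(words) and words[0] not in host


if __name__ == "__main__":
    for name, url, page in (("Meta", META_URL, META_PAGE), ("Deriv", DERIV_URL, DERIV_PAGE)):
        print(name, "brand list:", brand_list_verdict(url, page),
              "brand-agnostic:", brand_agnostic_verdict(url, page))
```

The heuristic version will still miss kits that proxy credentials same-origin and register a domain containing the brand name; that residual gap is what reasoning over the rendered page is meant to close.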


Detecting inactive Phishing 


Phishing pages have a short lifetime; often they are taken down by hosting providers within minutes. Joe Sandbox AI can still detect them through document or email analysis or through landing-page detection. Additionally, Joe Sandbox AI uses LLMs to analyse the URL of the submitted sample directly. Even when the immediate threat has passed, detecting inactive phishing links still provides valuable insight for security analysts.







Conclusion


Joe Sandbox AI represents a major advancement in phishing detection, addressing the limitations of traditional methods with a robust combination of generative AI and AI-guided UI automation. By eliminating reliance on static brand lists and instead applying contextual analysis across emails, documents, and webpages, Joe Sandbox AI captures nuanced phishing attempts without brand-specific dependencies, ensuring comprehensive threat detection.

Our solution excels at detecting phishing threats at every stage - whether embedded within an email, hidden in a document, or displayed on a final phishing page. Joe Sandbox AI navigates complex redirects, handles JavaScript-driven flows, and even solves basic captchas, enabling it to reach and analyze the final phishing payload that other systems might miss. This capability is critical in capturing the full scope of a phishing attack, even when sophisticated evasion techniques are employed.

Through its advanced capabilities, Joe Sandbox AI empowers security teams to gain complete visibility into phishing schemes, whether targeting widely recognized brands or lesser-known entities. This comprehensive approach not only improves detection accuracy but also provides valuable insights into attacker tactics, helping organizations stay ahead in the constantly evolving phishing landscape.


Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!