Threat Type

Spear Phishing: Targeted Email Attacks That Rule-Based Filters Miss

Spear phishing emails are crafted for one specific person. They reference real context, impersonate known contacts, and arrive from fresh domains with no prior reputation — designed to defeat signature-based detection.

How spear phishing attacks are constructed

Understanding the attack pattern helps explain why traditional filters fail and why LLM-based analysis catches what they don't.

Generic attack pattern (no real victims or attackers named)

An attacker identifies a target employee — typically someone in finance, HR, or with system access — using publicly available information (LinkedIn, company website, press releases). They register a domain that looks similar to a known vendor or internal domain, aged just enough to avoid immediate blocklist flags. They craft an email that references a real project or relationship, uses the target's name, and creates urgency around a plausible operational request (update banking details, approve an invoice, verify credentials for a system). The email passes SPF/DKIM because the attacker controls the sending domain. It has no known-bad signature. It arrives clean in the inbox.

Why rule-based filters miss it

The sending domain is fresh — not on any blocklist. The authentication records pass. The email body contains no known-bad links (the malicious link may be inserted only after the recipient replies, or the URL resolves cleanly on the first scan). The writing style matches the impersonated person. Nothing in the message matches an indicator that a prior detection rule was built to catch. Without semantic understanding of the email's intent, this attack is invisible to rule-based systems.

How Phishaver detects spear phishing

Header analysis

SPF/DKIM/DMARC alignment combined with sender domain age scoring. A domain registered within the last 30 days impersonating a known vendor gets a high lookalike proximity score even if authentication passes.

LLM body analysis

Semantic scoring for urgency manufacturing, executive impersonation patterns, financial request framing, and context specificity signals. Catches novel phrasing without a prior signature.

Domain lookalike proximity

Edit-distance and visual similarity scoring against your tenant's known-sender list. Catches [email protected] when your known contact is @companysecurity.com — even with a different TLD.

URL chain evaluation

Even "clean" URLs that redirect to a credential harvesting page after one hop are caught by sandbox detonation of the full redirect chain, not just the first-hop domain lookup.
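The following is an added illustration of the point above, not Phishaver's code: a first-hop lookup sees only the sending vendor's link domain, while walking the whole redirect chain reaches the freshly registered final host. The response table, domain names and WHOIS creation dates are constructed so the example runs offline; a real evaluator would fetch each hop in a sandbox and query registration data.

```python
"""Added example (not Phishaver's code): walk a full redirect chain and check
every hop's domain age. Live HTTP fetches are replaced by a constructed
response table so the example runs offline."""
from __future__ import annotations
from datetime import date
from urllib.parse import urljoin, urlparse

# Constructed responses: url -> (status, Location header); None means a final page.
RESPONSES = {
    "https://links.acme-vendor.com/r/8f2a": (302, "https://cdn-share-files.example/go"),
    "https://cdn-share-files.example/go": (302, "/auth?ref=q3"),  # relative Location
    "https://cdn-share-files.example/auth?ref=q3": (302, "https://secure-login-portal.example/auth"),
    "https://secure-login-portal.example/auth": (200, None),
}
# Constructed WHOIS creation dates for the hops (a real tool would look these up).
DOMAIN_CREATED = {
    "links.acme-vendor.com": date(2012, 7, 19),
    "cdn-share-files.example": date(2019, 1, 4),
    "secure-login-portal.example": date(2024, 6, 3),
}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def follow_chain(url: str, fetch=RESPONSES.get) -> list[str]:
    """Return every URL visited, stopping at a final page, a redirect loop,
    the hop limit, or a URL the fetcher knows nothing about."""
    chain = [url]
    while len(chain) <= MAX_HOPS:
        status, location = fetch(url) or (None, None)
        if status not in REDIRECT_STATUSES or not location:
            break
        url = urljoin(url, location)  # resolves relative Location headers
        if url in chain:
            break  # redirect loop
        chain.append(url)
    return chain


def fresh_domains(urls, received_on: date, max_age_days: int = 14) -> list[str]:
    """Hosts among `urls` registered within `max_age_days` of receipt; a host with
    no registration record is treated as equally suspicious."""
    flagged = []
    for u in urls:
        host = urlparse(u).hostname
        created = DOMAIN_CREATED.get(host)
        if created is None or (received_on - created).days <= max_age_days:
            flagged.append(host)
    return flagged


def evaluate_url(url: str, received_on: date) -> dict:
    """Compare what a first-hop check sees with what the full chain reveals."""
    chain = follow_chain(url)
    return {
        "chain": chain,
        "first_hop_flagged": fresh_domains(chain[:1], received_on),
        "full_chain_flagged": fresh_domains(chain, received_on),
    }


if __name__ == "__main__":
    result = evaluate_url("https://links.acme-vendor.com/r/8f2a", date(2024, 6, 10))
    for hop in result["chain"]:
        print("hop:", hop)
    print("first hop only flags:", result["first_hop_flagged"])
    print("full chain flags:", result["full_chain_flagged"])
```

The first hop lives on the vendor's own domain and is twelve years old, so a first-hop check returns nothing; only the third redirect lands on the seven-day-old host. The loop guard matters in practice because attacker-controlled redirectors sometimes bounce scanners indefinitely.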

Observable spear phishing indicators

These are the specific signals Phishaver surfaces in the analyst triage queue when a spear phishing attempt is flagged.

  • Sender domain registered within 30 days of email receipt
  • Sender domain edit-distance of 1–3 characters from a known-sender domain
  • Email body contains urgency phrasing combined with an action request (financial, credential, or access)
  • Reply-to address differs from From: address (reply hijacking setup)
  • Body references recipient's name, role, or known colleagues without prior email relationship from that domain
  • SPF passes but sending IP geolocates to a region inconsistent with the claimed organization's known footprint
  • URL in body resolves to a domain registered within 14 days
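As an added worked example (not Phishaver's code), the script below scores a constructed email against four of the indicators above: sender domain age, edit distance to the known-sender list (comparing the label before the TLD as well as the full domain, so a swapped TLD still matches), a Reply-To that differs from From, and urgency phrasing combined with a financial request. The known-sender list, the domain creation dates standing in for a WHOIS lookup, the homoglyph table and both sample messages are all constructed.

```python
"""Added example (not Phishaver's code): score a constructed email against the
spear-phishing indicators above. The known-sender list and the WHOIS creation
dates are hand-built tables so the example runs offline."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed: the tenant's known-sender domains and their registration dates.
KNOWN_SENDER_DOMAINS = {"companysecurity.com", "acme-vendor.com"}
DOMAIN_CREATED = {
    "companysecurity.com": date(2015, 3, 2),
    "acme-vendor.com": date(2012, 7, 19),
    "companysecurlty.co": date(2024, 5, 28),  # lookalike, freshly registered
}
# Digits commonly swapped for look-alike letters; folded before scoring.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
URGENCY = ("urgent", "today", "immediately", "before end of day", "asap")
ACTION = ("bank", "invoice", "wire", "password", "verify your", "credentials")


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nearest_known(domain: str) -> tuple[int, str]:
    """Smallest edit distance to any known sender, taking the better of the full
    domain and the part before the TLD (rsplit is a simplification for multi-part TLDs)."""
    best = (10**9, "")
    d = domain.translate(HOMOGLYPHS)
    for known in KNOWN_SENDER_DOMAINS:
        k = known.translate(HOMOGLYPHS)
        dist = min(levenshtein(d, k), levenshtein(d.rsplit(".", 1)[0], k.rsplit(".", 1)[0]))
        if dist < best[0]:
            best = (dist, known)
    return best


@dataclass
class Verdict:
    indicators: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.indicators)


def evaluate(raw_email: str, received_on: date) -> Verdict:
    msg = message_from_string(raw_email)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    v = Verdict()
    if from_domain in KNOWN_SENDER_DOMAINS:
        return v  # exact known sender: the lookalike checks do not apply
    created = DOMAIN_CREATED.get(from_domain)
    if created and (received_on - created).days <= 30:
        v.indicators.append("sender domain registered within 30 days of receipt")
    dist, nearest = nearest_known(from_domain)
    if 1 <= dist <= 3:
        v.indicators.append(f"sender domain within edit distance {dist} of {nearest}")
    if reply_addr and reply_addr != from_addr:
        v.indicators.append("Reply-To differs from From (reply hijacking setup)")
    body = msg.get_payload(decode=True).decode("utf-8", "replace").lower()
    if any(p in body for p in URGENCY) and any(p in body for p in ACTION):
        v.indicators.append("urgency phrasing combined with a financial/credential request")
    return v


# Constructed sample: lookalike sender, fresh domain, hijacked Reply-To, urgent bank change.
SUSPECT_EMAIL = """\
From: Dana Lee <dana.lee@companysecurlty.co>
Reply-To: dana.lee@mail-relay-9.example
To: sam@example.org
Subject: Q3 invoice
Content-Type: text/plain; charset=utf-8

Hi Sam, quick one before end of day: accounting needs the updated bank
details approved for the Q3 invoice. Can you confirm today?
"""

# Constructed sample: same contact, genuine domain, routine message.
ROUTINE_EMAIL = """\
From: Dana Lee <dana.lee@companysecurity.com>
To: sam@example.org
Subject: Q3 invoice
Content-Type: text/plain; charset=utf-8

Hi Sam, attaching the Q3 invoice for your records. No action needed.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_EMAIL), ("routine", ROUTINE_EMAIL)):
        verdict = evaluate(raw, date(2024, 6, 10))
        print(label, verdict.score, verdict.indicators)
```

The suspect message trips all four checks while the routine one trips none, which is the point of combining signals: any single indicator (a young domain, a differing Reply-To) has benign explanations, but the combination rarely does. The keyword lists stand in for the semantic scoring described above; a real deployment would replace them with the LLM body analysis.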

Stop spear phishing

See what's targeting your team right now.

Connect Phishaver to M365 or Google Workspace in under 5 minutes. No MX changes required.