
RWTH has a robust email security infrastructure: efficient spam filters and reliable protection mechanisms ensure that large volumes of unwanted messages never even reach our inboxes. Nevertheless, spam and phishing emails have increasingly been finding their way into personal and work RWTH inboxes as “undetected” messages. So, what mechanisms cause even the most reliable spam filters to fail to intercept every suspicious message?
When Suspicious Emails No Longer Look Suspicious
The fact that spam or phishing emails continue to land in inboxes despite modern filtering measures is primarily due to the increasingly sophisticated nature of the attacks. Modern phishing emails are now grammatically correct, mostly error-free, and closely mimic genuine work-related communication. Typical warning signs such as awkward phrasing and incorrect (technical) terminology are increasingly disappearing.
Camouflage Through Variation and Reputation
A major problem for technical filters is personalization: Many campaigns no longer consist of identical mass mailings. Subject lines, layouts, and sender names are varied slightly. What appears to humans as the same scam is often not similar enough for algorithms to immediately block it as a known pattern. Attacks via compromised, legitimate sender accounts are particularly effective. If a message originates from a server that has never previously raised any red flags, the technical warning signs are absent. As a result, the email appears credible both in terms of content and technical aspects.
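The effect of slight variation on pattern matching, as an added example that is not part of the original article and does not describe RWTH's filters: an exact fingerprint of a reported message misses every reworded copy, while a word-sequence similarity score still groups them. The sample texts, the three-word window and the 0.4 threshold are constructed assumptions.

```python
import hashlib
import re

# Constructed sample texts (not real campaign data): one already-reported lure,
# two slightly varied copies of it, and one unrelated message.
KNOWN = ("Your mailbox is almost full. Please confirm your account "
         "today to avoid suspension.")
SAMPLES = {
    "variant_a": "Your mailbox is nearly full. Please confirm your account "
                 "today to avoid suspension!",
    "variant_b": "Dear colleague, your mailbox is almost full. Please confirm "
                 "your account now to avoid suspension.",
    "unrelated": "The seminar on numerical methods moves to room 2010 "
                 "next Tuesday at 10 am.",
}


def exact_fingerprint(text):
    """Hash of the raw text; a single changed character gives a new value."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def shingles(text, n=3):
    """Set of overlapping n-word sequences, lowercased, punctuation dropped."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def similarity(a, b):
    """Jaccard similarity of the two shingle sets (0.0 = disjoint, 1.0 = same)."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb) if (sa or sb) else 0.0


def compare(known, samples, threshold=0.4):
    """Per sample: (exact hash match?, similarity, flagged as near-duplicate?)."""
    known_hash = exact_fingerprint(known)
    result = {}
    for name, text in samples.items():
        score = similarity(known, text)
        result[name] = (exact_fingerprint(text) == known_hash,
                        score, score >= threshold)
    return result


if __name__ == "__main__":
    for name, (exact, score, near) in compare(KNOWN, SAMPLES).items():
        print(f"{name:10} exact={exact!s:5} similarity={score:.2f} near_dup={near}")
```

Text similarity only helps while a variant still shares wording with a message that has already been reported; it says nothing about a message sent from a compromised, legitimate account with entirely new text.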
The Attack Takes Place Outside the Email
Another factor that makes detection by traditional filters more difficult is the evolution of attack methods. Many attacks no longer contain malicious attachments. In the past, macros or executable files were clear indicators of danger. Today, attackers rely on seemingly harmless links, QR codes, or simple requests for feedback. Since the email itself contains no malicious code, the actual attack takes place outside the inbox, for example on a fake login page, via a subsequent download, or through the disclosure of sensitive data. Furthermore, a link may initially lead to an innocuous page and only later redirect to a malicious website. This time lag makes it difficult to assess the threat at the moment the email is received.
Visibility as a Target
Public accessibility is of central importance, particularly in the academic context. Work email addresses are therefore often intentionally made visible—for example, on department websites, in publications, or in project contexts. While this visibility is essential for academic exchange and collaboration, it also makes these addresses attractive targets for spam and phishing campaigns. The higher the number of incoming attack attempts, the greater the likelihood that individual messages will reach the inbox despite technical protective measures.
Why Reporting Remains Important
Since spam campaigns adapt very quickly, detection systems cannot always immediately and completely capture new variants. They must first reliably identify recurring patterns, technical characteristics, and conspicuous structures. That is why reporting suspicious emails is essential: it supports the analysis of new tactics and helps further improve protective measures for all users. Even if the effect isn’t always immediately visible in your own inbox, reports help to continuously refine the detection of current spam and phishing campaigns.
The fact that individual messages end up in the inbox as “undetected” does not automatically mean that the protective mechanisms are failing. Rather, it shows just how much phishing has evolved—and why technical filters and careful handling of emails must continue to go hand in hand.
In conclusion, the continuous improvement of our protection mechanisms will remain a priority in the future.
Responsible for the content of this article is Maike Lennartz.


