Phishing Campaigns Now Adapt to Victims’ Devices, Raising the Stakes for Enterprise Security

Related

WhatsApp Phishing Attack Uses Fake Business Documents to Hack PCs

What happened An ongoing malware campaign is targeting WhatsApp users...

Amazon SES Increasingly Abused in Phishing to Evade Detection

What happened Threat actors are exploiting Amazon Simple Email Service...

Robinhood Account Creation Flaw Abused to Send Phishing Emails

What happened Threat actors exploited a flaw in Robinhood's account...

Share

What happened

Cybercriminals are evolving beyond traditional phishing campaigns by using techniques that automatically adapt attacks based on a victim’s device and operating system. New research from Cofense Intelligence shows that attackers are increasingly fingerprinting victims after they click a malicious link, allowing them to deliver customized malware and phishing pages that are more likely to succeed.

According to Max Gannon, a researcher at Cofense Intelligence, modern phishing campaigns collect information from a victim’s browser, including operating system, browser type, device details, language settings, geolocation, and screen size. This information enables attackers to determine the most effective payload for each target.

The research also found that some campaigns use Cloudflare’s user-agent detection capabilities to redirect victims before they even reach the malicious page. Depending on the detected platform, attackers can serve different malware, such as FleetDeck for macOS users or Tiflux RAT for Windows users.

In addition, attackers are increasingly using legitimate remote access tools that have been repurposed for malicious activity, making detection more difficult. Some campaigns also rely on services such as Telegram to exfiltrate stolen information. Fake download pages that imitate trusted brands including Google, Microsoft Teams, Adobe, Zoom, and DocuSign are also being customized based on the victim’s device.

Who is affected

Organizations with employees using multiple operating systems, including Windows, macOS, and mobile devices, face increased risk from these platform-aware phishing campaigns. Hybrid work environments are especially vulnerable because employees frequently access corporate resources from different devices and locations.

Industries that depend heavily on email communication, cloud collaboration platforms, and remote access tools may be particularly attractive targets. Security teams that focus primarily on blocking phishing emails may also miss malicious activity that occurs after a user clicks a link.

Why CISOs should care

These attacks demonstrate that phishing campaigns are becoming more adaptive and efficient. Instead of delivering the same payload to every victim, attackers now optimize each campaign for the specific device being used, increasing the likelihood of compromise.

Gannon advises organizations to improve visibility across Windows, macOS, and mobile devices while monitoring what happens after users click suspicious links. He also emphasizes that trained employees remain a critical defense, as repurposed remote access tools may evade traditional signature-based detection.

3 practical actions

  • Unify security monitoring across Windows, macOS, and mobile devices to identify coordinated phishing activity.
  • Expand visibility beyond email by monitoring redirect chains, browser behavior, and post-click activity.
  • Continue phishing awareness training and deploy phishing-resistant authentication methods such as FIDO2 security keys where appropriate.
1524023125746
+ posts