TL;DR: Malicious emails now use URLs four times more often than attachments, while attackers increasingly hide payloads behind authentication pages, scanner-detection logic, and trusted collaboration workflows, according to Proofpoint’s Human Factor Report Vol. 2. The control gap is no longer message filtering alone, but continuous inspection across the full user journey.
At a glance
What this is: This analysis shows how attackers are bypassing email security by hiding malicious URLs behind authentication barriers, detecting sandboxes, and abusing trusted collaboration tools like calendars.
Why it matters: It matters because IAM, PAM, and identity verification teams need to understand how trust decisions, user authentication prompts, and delegated application workflows can be turned into delivery paths for phishing and credential theft.
👉 Read Proofpoint's analysis of phishing URL evasion and collaboration abuse
Context
Email security controls are strongest when malicious content is visible before delivery, but that assumption breaks when attackers place the real payload behind a login screen, a CAPTCHA, or a benign first hop. The result is a governance gap across the full message-to-click path, where the system approves what it can see and misses what appears only after a human authenticates.
The identity angle is direct. Authentication pages, shared documents, and calendar invitations all rely on trust in user identity and in the workflow that carries the content. When those trust signals are manipulated, the problem is no longer just phishing hygiene but control alignment across identity verification, collaboration platforms, and post-delivery inspection.
Key questions
Q: What breaks when authentication is not phishing-resistant?
A: The trust boundary between the user and the system becomes easy to impersonate. Attackers can collect credentials through fake login pages or reuse stolen passwords to enter accounts, which then undermines downstream controls such as access reviews, monitoring, and conditional access.
Q: Why do trusted collaboration channels increase phishing risk?
A: Trusted collaboration channels increase risk because users apply relationship context before they apply security skepticism. When a familiar sender posts in an active channel, the message inherits credibility and can bypass the hesitation that usually protects against obvious phishing. That trust gap turns the collaboration layer into an attack surface.
Q: How do security teams know if sandbox-based URL analysis is failing?
A: Look for URLs that appear clean in detonation but behave differently for real users, especially when the site serves benign content to automated scanners and malicious content after redirect or script execution. Differences in user-agent handling, IP reputation, JavaScript execution, and navigation path are strong signals that the attacker is detecting the detector.
Q: Who is accountable when phishing bypasses email security through a trusted app?
A: Accountability usually spans email security, collaboration platform owners, and identity governance teams because the failure is a trust-boundary issue, not a single-product miss. If the application can synchronise risky content without parallel inspection, the organisation owns the gap. That makes governance, monitoring, and user reporting responsibilities shared across the platform stack.
Technical breakdown
Authentication barriers as phishing cover
Attackers increasingly place a harmless first-stage page in front of the malicious destination. A sandbox sees a standard file-sharing login, email verification page, or CAPTCHA and concludes the URL is safe because the harmful content is not yet reachable. The actual phishing form, malware download, or credential harvest appears only after the target provides identity data or passes the gate. This works because many secure email workflows make a verdict before user context exists, so the inspection window ends too early.
Practical implication: move from single-pass URL checks to time-of-click inspection and post-delivery re-evaluation.
Sandbox detection and scanner evasion
More advanced campaigns do not just hide content, they detect the inspection environment. Servers compare user-agent strings, IP ranges, header patterns, JavaScript execution, and navigation behaviour to determine whether the visitor is a sandbox or a real user. If the request looks automated, the site serves benign content; if it looks human, it serves the payload. That makes static detonation less reliable because the analysis itself becomes part of the signal the attacker is filtering on.
Practical implication: pair URL analysis with browser-native behavioural controls that can observe the page after redirection and script execution.
Trusted collaboration channels as delivery infrastructure
The calendar abuse example shows that threats can bypass email entirely by operating inside a trusted application ecosystem. A drafted calendar event can synchronise to targets without traversing email delivery, which means the gateway never gets a chance to inspect the URL or attachment. This is a governance problem across application trust boundaries, not just transport controls. Once collaboration tools become trusted delivery paths, the security model has to inspect what the platform itself propagates, not only what email carries.
Practical implication: extend inspection and anomaly detection into collaboration suites, especially where invitations, shared docs, and external links are synchronised automatically.
Threat narrative
Attacker objective: The attacker aims to steal credentials or deliver malicious content while bypassing email gateway and sandbox-based inspection.
- Entry begins with a malicious URL embedded in email or a trusted collaboration object, but the first visible page is benign and designed to survive gateway inspection.
- Credential access or payload delivery happens only after the user authenticates or reaches the hidden destination, allowing phishing forms, malware, or account theft to proceed outside the sandbox verdict.
- Impact follows when the attacker captures credentials or lands malicious content through a trusted workflow that security controls treated as safe.
NHI Mgmt Group analysis
Authentication gating has become a phishing concealment layer, not just a user check. The article shows that a page can look clean to inspection systems until the human enters credentials or clears the verification step. That changes the governance question from whether a URL is malicious to whether the control can still see the malicious state after identity proof. Practitioners should treat authentication barriers as part of the attack surface, not as a neutral access control.
Trusted collaboration workflows now create an identity and delivery blind spot. The calendar example is not an email problem alone, because the threat moves through application trust relationships that sit outside traditional gateway logic. That means identity governance has to extend to how applications synchronise content, not just how users sign in. The relevant control gap is delegated trust without parallel inspection, and that gap is what makes collaboration abuse so effective.
Continuous analysis is the new baseline for URL risk, because point-in-time verdicts are easy to outrun. Static detonation assumes the malicious state is present during inspection, but the article shows attackers can delay, gate, or selectively serve content until after the verdict. That is a detection-response latency problem, not a signature problem. Security teams should align controls to the full click path, because the dangerous content often appears after the initial policy decision.
Identity verification workflows are being reused as delivery mechanisms, which creates a verification trust gap. When phishing content hides behind prompts that look like normal login or proof-of-human steps, users and machines are both encouraged to trust the first page. This erodes the boundary between legitimate authentication and malicious friction. Practitioners should assume that any externally delivered verification step may be the attack, not the protection.
Browser-level inspection is becoming essential where the platform itself is the transport. The article’s core lesson is that threats increasingly arrive inside trusted ecosystems where email controls never see the traffic. That broadens the governance challenge across IAM, collaboration security, and endpoint/browser controls. Teams should manage trust at the point of interaction, because the delivery path is now distributed across applications.
What this signals
Verification trust gaps will keep widening as attackers move from visible payloads to gated payloads. Security programmes should expect more abuse of login walls, CAPTCHA steps, and other seemingly legitimate verification layers because those pages are hard for static scanners to evaluate. The operational answer is continuous inspection across the full interaction path, plus user-facing controls that treat externally delivered authentication prompts as suspicious by default.
Collaboration platforms are now part of the threat delivery stack, so email-centric controls will miss an increasing share of attacks unless they are paired with browser, application, and identity telemetry. The practical shift is to build policy around where content is rendered and synchronised, not only where it is transported.
The broader programme implication is that trust boundaries are moving from the inbox to the workspace. That means detection, identity, and user-awareness controls need to be coordinated so a benign first page or trusted app does not automatically become a clean bill of health.
For practitioners
- Expand inspection beyond initial delivery Add time-of-click analysis and post-delivery URL re-evaluation so a safe first page does not automatically clear a later malicious destination.
- Instrument collaboration platforms for hidden delivery paths Review Google Workspace, file-sharing, and messaging workflows for links or attachments that synchronise without traversing email gateways, and monitor for external invitations or drafts that propagate content unexpectedly.
- Harden authentication prompts in externally delivered links Treat CAPTCHA, login, and identity-verification pages embedded in inbound messages as risk signals and route them for higher scrutiny before users submit credentials.
- Correlate browser behaviour with gateway verdicts Look for differences between sandbox activity and real-user sessions, including redirects, JavaScript execution, and navigation patterns that only appear after click-through.
Key takeaways
- Attackers are using authentication barriers, sandbox detection, and trusted collaboration workflows to make malicious URLs look safe long enough to bypass inspection.
- The article’s evidence points to a control gap in point-in-time email scanning, where the malicious state appears only after the security verdict has already been issued.
- Practitioners need continuous analysis across the full click path and into collaboration tools, or trusted workflows will keep functioning as delivery infrastructure for phishing.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0001 , Initial Access; TA0006 , Credential Access | The article maps to phishing-led initial access and credential capture through gated URLs. |
| NIST CSF 2.0 | PR.AA-01 | Identity assertion and access workflows are abused through verification pages and collaboration trust. |
| NIST SP 800-53 Rev 5 | SI-4 | Continuous monitoring is needed because threats reveal themselves after initial verdicts. |
| NIST AI RMF | MANAGE | The article’s lesson is about managing operational risk across human and automated trust decisions. |
Track URL-evasion campaigns against Initial Access and Credential Access techniques, then test controls at click time.
Key terms
- Time-of-click protection: Time-of-click protection reevaluates a link when the user actually opens it, rather than only when the message first arrives. It helps catch URLs that are harmless at delivery but become malicious after redirects, authentication steps, or server-side conditions reveal the payload.
- Sandbox evasion: Sandbox evasion is the practice of making malware or phishing infrastructure behave differently when inspected by automated analysis tools. Attackers may check headers, JavaScript execution, IP reputation, or browsing patterns so that the malicious content is hidden from the scanner.
- Trusted Relationship Abuse: Trusted relationship abuse occurs when an attacker uses a legitimate identity or communication path to persuade recipients or systems to accept malicious action. It is especially effective in email because the message appears to come from someone or something the recipient already trusts.
What's in the full article
Proofpoint's full analysis covers the operational detail this post intentionally leaves for the source:
- Step-by-step examples of how the link verification exploit evades sandbox checks in real email workflows
- The browser and header signals attackers use to distinguish sandboxes from real users
- The Google Workspace calendar abuse pattern that bypasses email controls altogether
- Operational recommendations for continuous analysis, browser-based protection, and user awareness
Deepen your knowledge
NHI Mgmt Group covers identity security, NHI governance, and agentic AI through independent research, practitioner guides, and the NHI Foundation Level course, the industry's only accredited NHI security programme. Explore nhimg.org for resources that connect identity governance to the broader security disciplines your programme depends on.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org