
How cloaking disguises phishing attacks

Author: Stefan Feist, Technical Writer (https://www.linkedin.com/in/stefan-feist-23b257b0/)

Traditional email security solutions check URLs when a message is received. If the linked page appears normal, the email is allowed to reach the inbox. But what if security systems see something different than the users who later click on the link? Cloaking techniques make this possible—and thus call into question a fundamental principle of URL filtering.

23.01.2026 | last updated: 26.01.2026

The two faces of a website

Cloaking refers to a technique whereby a web server delivers different content depending on the visitor. In the context of phishing, this means that security scanners see a harmless page, while real users encounter a deceptively genuine login screen, for example.

The server decides which version to deliver based on various characteristics of the incoming request. These include the IP address, the geographical location, the user agent (a string that identifies the browser in use), the referrer (the page the visitor came from), and the time and frequency of access.

The result: automated checks classify the URL as harmless, while the phishing page remains undetected.

How does cloaking work?

A cloaking system works like a filter in front of the actual phishing site. For each incoming request, the server runs a check logic that uses various characteristics to decide which version of the page to deliver.

First, the system analyzes the visitor’s IP address. If it belongs to a known security provider, a cloud data center, or a hosting provider, the request is most likely coming from an automated scanner.

At the same time, the user agent is evaluated—that is, the identifier with which the requesting browser identifies itself. If it reports itself as a known security crawler, a manual or automated analysis is likely.

Another test criterion is the referrer. This indicates which page the visitor is coming from. Cloaking systems check whether the request was actually made via the link in the phishing email. If the referrer is missing or refers to a search engine, it is probably not a real victim.

Some systems also work with time windows and only activate the phishing page hours after the email has been sent – when the initial security check has long been completed.

If the system recognizes a potential scanner based on these criteria, it delivers a diversion page: an error message, a blank page, or even legitimate-looking content. The real victim, on the other hand, sees the phishing page.
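Seen from the defender's side, the decision logic described above shows up as responses that differ by request profile. The following is an added example, not NoSpamProxy or 32Guards code: it compares responses to the same URL collected under different client profiles and reports where they diverge from the scanner's view. The profile names, hosts and page bodies are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from html.parser import HTMLParser

@dataclass(frozen=True)
class Observation:
    profile: str     # label for the request profile used (assumed names)
    status: int      # HTTP status of the final response
    final_host: str  # host reached after following redirects
    body: str        # response body

class _Skeleton(HTMLParser):
    """Keeps tag order and password inputs; text is ignored so per-request
    tokens or timestamps do not count as a difference."""
    def __init__(self):
        super().__init__()
        self.tags, self.has_password = [], False
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.has_password = True

FIELDS = ("status", "final_host", "structure", "password_form")

def fingerprint(obs):
    parser = _Skeleton()
    parser.feed(obs.body)
    structure = hashlib.sha256(" ".join(parser.tags).encode()).hexdigest()[:12]
    return (obs.status, obs.final_host, structure, parser.has_password)

def cloaking_signals(observations, baseline="scanner"):
    """Return (profile, differing fields) for each profile whose response
    differs from the baseline fetch of the same URL."""
    prints = {o.profile: fingerprint(o) for o in observations}
    base = prints[baseline]
    return [(profile, [f for f, a, b in zip(FIELDS, base, fp) if a != b])
            for profile, fp in prints.items()
            if profile != baseline and fp != base]

# Constructed sample: three fetches of one URL under different profiles.
NOT_FOUND = "<html><body><h1>Not Found</h1><p>ref 1</p></body></html>"
LOGIN = ('<html><body><form><input type="text" name="user">'
         '<input type="password" name="pw"></form></body></html>')
SAMPLE = [
    Observation("scanner", 404, "parcel.example", NOT_FOUND),
    Observation("desktop_no_referrer", 404, "parcel.example",
                NOT_FOUND.replace("ref 1", "ref 2")),
    Observation("mobile_browser", 200, "login.parcel.example", LOGIN),
]
```

For the sample, `cloaking_signals(SAMPLE)` flags only the `mobile_browser` profile. The same comparison applies to a fetch at delivery time versus a fetch at click time.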

    Cloaking and email: Combined attack techniques

    Attackers often combine cloaking with other concealment methods to make detection even more difficult.

    Instead of linking directly to the phishing site, the path frequently leads through several redirects, often via trusted platforms such as Google or Microsoft.

    Another technique is known as quishing: Here, the malicious link is embedded in the email as a QR code rather than text. Many URL scanners only analyze text content and completely overlook embedded codes.

    HTML smuggling goes one step further: the phishing page is not linked at all, but is delivered as encrypted or fragmented code in the HTML attachment of the email. The page is only assembled in the recipient’s browser, so it remains invisible to server-side analysis.

    Time-delayed activation is particularly effective: the URL first leads to a harmless page, and only after the security check has been completed is the actual phishing page activated. This technique exploits the fact that many systems only check URLs once when the email is received.

    Example of a Cloaking Attack

    In our example, cloaking is used to redirect users to a mobile device. From a corporate security perspective, the user is then outside the protected and monitored area of the company—possibly on a private device that is not connected to the corporate network but directly to the internet via the provider. In this case, it is not possible to log accesses or prevent connections to known malicious sites. Everything that takes place after this “media disruption” is then neither traceable nor reproducible for the internal IT department.

    Example: Cloaking, "schedule delivery"

    Screenshot of a phishing website from early December 2025 that uses cloaking. Only with the correct user agent will you be redirected to the phishing website.

    Current detection of the domain: VirusTotal

    The machine learning models in 32Guards have successfully recognized this website based on its very specific transmission pattern. Even though the 32Guards crawler infrastructure did not detect the forwarding here, various detection mechanisms in 32Guards ensure that detection can take place.

    Why traditional defense mechanisms reach their limits

    Most email security solutions check incoming URLs against block lists; the linked pages are analyzed automatically. Cloaking undermines both approaches:

      • Phishing URL not yet on block lists

        Block lists only record a phishing URL after it has been identified as malicious. However, as long as cloaking is working, the page remains inconspicuous and therefore does not appear on the list.

      • Automated analyses see harmless page

        Automated analyses fail because they are recognizable as scanners from the perspective of the cloaking system. They only see the harmless version of the page and approve the URL.

      The fundamental problem: security solutions cannot determine with certainty what a real user would see if they themselves are identifiable as a verification system.

        NoSpamProxy and 32Guards protect against cloaking

        Cloaking attacks repeatedly show that individual protective measures are not enough. Effective protection requires a combination of various technical measures. NoSpamProxy and the metadata-based 32Guards offer several technologies that effectively protect you against cloaking.

        • Time-of-Click Protection with URL Safeguard

          URL Safeguard ensures that URLs in emails are checked not only when the email arrives, but also when a user actually clicks them. This makes time-based cloaking considerably more difficult.

        • Recognizing patterns and waves with 32Guards

          32Guards recognizes the patterns behind cloaking attacks and, over time and as the number of 32Guards users grows, can respond to them ever more quickly and precisely. Another special feature is that the crawler infrastructure used simulates a normal user agent. This makes 32Guards much less likely to be detected as a security product.

        • Email authentication with NoSpamProxy

          Automated sender reputation checks, i.e., SPF, DKIM, DMARC, DANE, and ARC, do not prevent cloaking itself, but they do make it more difficult to spoof the sender domain. If a phishing email cannot pretend to come from a trusted source, the likelihood of the entire attack succeeding decreases because the email will be blocked.

        Not yet using NoSpamProxy?

        With NoSpamProxy Protection, you can reliably protect your company from dangerous phishing emails and benefit from many other security features. Request your free trial now!
