Measuring Modern Phishing Tactics: A Quantitative Study of Body Obfuscation Prevalence, Co-occurrence, and Filter Impact

TL;DR

This study quantitatively analyzes the prevalence, co-occurrence, and impact of body obfuscation techniques in phishing emails, revealing strategic layering and their effects on spam filter scores to inform better detection methods.

Contribution

It provides the first comprehensive quantitative analysis of body obfuscation techniques, their combinations, and their influence on spam filter scores in phishing emails.

Findings

Text in Image is most prevalent at 47%.

Base64 Encoding and Text in Image significantly evade filters.

Invalid HTML correlates with higher spam scores.

Abstract

Phishing attacks frequently use email body obfuscation to bypass detection filters, but quantitative insights into how techniques are combined and their impact on filter scores remain limited. This paper addresses this gap by empirically investigating the prevalence, co-occurrence patterns, and spam score associations of body obfuscation techniques. Analysing 386 verified phishing emails, we quantified ten techniques, identified significant pairwise co-occurrences revealing strategic layering like the presence of text in images with multipart abuse, and assessed associations with antispam scores using multilinear regression. Text in Image (47.0%), Base64 Encoding (31.2%), and Invalid HTML (28.8%) were highly prevalent. Regression (R${}^2$=0.486, p<0.001) linked Base64 Encoding and Text in Image with significant antispam evasion (p<0.05) in this configuration, suggesting potential bypass capabilities, while Invalid HTML correlated with higher scores. These findings establish a quantitative baseline for complex evasion strategies, underscoring the need for multi-modal defences against combined obfuscation tactics.