
    The Real Deal: How Cybercriminals Exploit Legitimate Domains

    When it comes to secure email gateways (SEGs), the story is simple. For years, organizations have relied on SEGs as the foundation of their email security.

    However, as Microsoft has rapidly advanced the native protections in Microsoft 365, there is now significant overlap between the two in detection and functionality. Both lean heavily on signature-based and reputation-based detection, so it is in cybercriminals' best interest to find ways past exactly those two mechanisms.

    Over time, attackers have tried and refined a variety of tactics to ensure deliverability, with one inevitable result: phishing emails are more advanced and sophisticated than ever.

    Our latest Phishing Threat Trend Report confirms that phishing attacks are not only increasing—up 17.3% from September 15, 2024, to February 14, 2025 versus the previous six months—but more are also evading detection. In 2024, the Threat Labs team observed a 47.3% rise in attacks successfully bypassing Microsoft and SEGs.

    But how are cybercriminals achieving this? In this blog, we will explore one of the many tactics cybercriminals use to bypass detection: the exploitation of legitimate domains.

    Using Microsoft to Send Phishing Attacks 

    In 2025, our Threat Labs team identified the top five legitimate platforms used for phishing attacks: DocuSign, PayPal, Microsoft, Google Drive, and Salesforce, alongside a 67.4% increase in the use of third-party platforms for phishing. Much like sending from a compromised account, a legitimate platform is an effective vehicle: it lowers recipient suspicion and bypasses reputation-based detection in SEGs.

    Reputation-based detection relies on factors like domain age, authentication checks (SPF, DKIM, DMARC), and previous interactions. Because Microsoft and DocuSign sending domains are typically allowlisted and their mail authenticates cleanly, most SEGs treat email from these platforms as legitimate. The catch is that a passing SPF, DKIM or DMARC check only proves the message really came from the platform; it says nothing about who typed the content or where its links lead. Users' familiarity with these domains increases the odds further, since people are more likely to trust and engage with email from well-known platforms.

    In fact, the Threat Labs team has analyzed two campaigns that successfully bypassed Microsoft and SEGs by using third-party platforms:

    1. From January 1st to March 7th 2025, there was a 36.5% increase in the use of the popular accounting software QuickBooks to send phishing emails. Cybercriminals create free accounts, which come provisioned with email-sending privileges. From there, they simply compose their attacks within the platform and hit 'send', so the resulting message goes out from the platform's own infrastructure and carries the platform's own authentication.
    2. Of particular concern is an example in which an attacker hijacked a legitimate Microsoft invoice, combining social engineering techniques with mail-flow rules to avoid breaking authentication checks.
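    To make the distinction concrete, here is an added example in Python (not part of the original post, and not any vendor's product code) that triages a constructed platform-sent invoice message. The sending domain example-platform.test, the recipient domain, the addresses, the allowlist and the multi-tenant platform set are all assumptions. A reputation-only rule delivers the message because SPF, DKIM and DMARC pass for an allowlisted domain; a platform-aware rule treats that pass as vouching for the platform only and inspects the tenant-controlled parts (Reply-To and body links) instead.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample messages. "example-platform.test" stands in for any
# multi-tenant SaaS sender (accounting or e-signature platforms of the kind the
# report describes); it is a placeholder, not a real vendor domain. Both messages
# pass SPF, DKIM and DMARC for the platform's own domain.
PHISH_VIA_PLATFORM = """\
From: "Acme Billing via ExamplePlatform" <notifications@example-platform.test>
Reply-To: "Acme Billing" <billing@acme-payments-portal.test>
To: victim@corp.test
Subject: Invoice #4471 overdue - action required
Authentication-Results: mx.corp.test;
 spf=pass smtp.mailfrom=example-platform.test;
 dkim=pass header.d=example-platform.test;
 dmarc=pass header.from=example-platform.test
Content-Type: text/plain; charset=utf-8

Your invoice is overdue. Review it here: https://acme-payments-portal.test/inv/4471
"""

LEGIT_VIA_PLATFORM = """\
From: "Acme Billing via ExamplePlatform" <notifications@example-platform.test>
To: victim@corp.test
Subject: Invoice #4471
Authentication-Results: mx.corp.test;
 spf=pass smtp.mailfrom=example-platform.test;
 dkim=pass header.d=example-platform.test;
 dmarc=pass header.from=example-platform.test
Content-Type: text/plain; charset=utf-8

Your invoice is ready: https://app.example-platform.test/invoices/4471
"""

# Reputation data an SEG might hold (assumed for this example).
ALLOWLISTED_SENDERS = {"example-platform.test"}
MULTI_TENANT_PLATFORMS = {"example-platform.test"}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def load_message(raw: str) -> EmailMessage:
    return message_from_string(raw, policy=policy.default)


def parse_auth_results(msg: EmailMessage) -> dict:
    """Pull spf/dkim/dmarc verdicts out of Authentication-Results (RFC 8601 style)."""
    header = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    return {m.group(1): m.group(2) for m in AUTH_RE.finditer(header)}


def _domain_of(msg: EmailMessage, field: str):
    """Domain part of the address in a header, or None if the header is absent."""
    _, addr = parseaddr(str(msg.get(field, "")))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def naive_reputation_verdict(raw: str) -> str:
    """Reputation-only logic: authenticated mail from an allowlisted domain is delivered."""
    msg = load_message(raw)
    if parse_auth_results(msg).get("dmarc") == "pass" and _domain_of(msg, "From") in ALLOWLISTED_SENDERS:
        return "deliver"
    return "inspect"


def platform_aware_verdict(raw: str) -> tuple:
    """A DMARC pass on platform mail vouches for the platform, not for the tenant who
    wrote the content, so platform mail never short-circuits on reputation alone."""
    msg = load_message(raw)
    sender = _domain_of(msg, "From")
    if parse_auth_results(msg).get("dmarc") != "pass":
        return "inspect", ["authentication did not pass"]
    if sender not in MULTI_TENANT_PLATFORMS:
        return ("deliver" if sender in ALLOWLISTED_SENDERS else "inspect"), []
    reasons = []
    reply_to = _domain_of(msg, "Reply-To")          # tenant-controlled field
    if reply_to and reply_to != sender:
        reasons.append(f"Reply-To domain {reply_to} differs from authenticated domain {sender}")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    hosts = {urlsplit(u).hostname for u in URL_RE.findall(body)}
    foreign = sorted(h for h in hosts if h and not (h == sender or h.endswith("." + sender)))
    if foreign:                                      # links that leave the platform
        reasons.append("body links leave the platform: " + ", ".join(foreign))
    return ("suspicious" if reasons else "inspect"), reasons
```

    Note that even the legitimate platform message ends up as "inspect" rather than "deliver": the point of the platform-aware rule is that authentication results for a multi-tenant sender are never a reason to skip content analysis.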

    Obfuscating the Payload with Legitimate Domains

    From September 15, 2024, to February 14, 2025, versus the previous six months, there was a 22.7% increase in the use of technical measures to obfuscate attacks and payloads.

    One key obfuscation technique involves hijacking a legitimate hyperlink: attackers either host the malicious payload on a trusted site or route the link through a legitimate domain (a redirect, for example) so that the visible URL disguises the final destination.

    In 2025, our Threat Labs team identified the top domains used to smuggle malicious payloads:

    • google.com 
    • sharepoint.com
    • dropbox.com
    • youtube.com
    • docusign.com 
    • tiktok.com 
    • kahoot.com 

    Notably, Google Slides links saw a 201.5% increase, and Kahoot links rose by 154.5% between September 15, 2024, and February 15, 2025, compared to the previous six months.

    This technique is particularly good at bypassing signature-based detection because that form of detection relies on identifying "known bad" indicators, such as previously flagged domains, payloads, and hyperlinks. Since legitimate domains are trusted and absent from blocklists, cybercriminals can use them to disguise malicious payloads, making it difficult for SEGs to identify them as threats. Detection therefore has to look past the visible host: unwrap redirect parameters, follow the link to its final destination (ideally at time of click, since the destination can be changed after delivery), and treat a trusted host as saying nothing about the file or page it serves.
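    The following added example in Python (not from the original post) shows why a scanner has to look at where a link ends up rather than at the host it shows. It unwraps URLs whose query parameters carry another URL, following nesting without touching the network, and compares a host-only blocklist check against one run on the unwrapped destination. The wrapper URL shapes, the tenant name, the blocklisted host and the paths are constructed for the example; the parameter names are illustrative, and the code treats any query value that is itself a URL the same way rather than relying on vendor-specific knowledge. The trusted-domain set is the list above.

```python
from urllib.parse import parse_qsl, quote, urlsplit

# Domains from the report's list, standing in for an SEG's "known good" set.
TRUSTED_DOMAINS = {"google.com", "sharepoint.com", "dropbox.com", "youtube.com",
                   "docusign.com", "tiktok.com", "kahoot.com"}
# Constructed blocklist entry standing in for a previously flagged phishing host.
BLOCKLIST = {"acme-payments-portal.test"}


def wrap(redirector: str, param: str, target: str) -> str:
    """Build a wrapper URL whose query parameter carries the real destination."""
    return f"{redirector}?{param}={quote(target, safe='')}"


# Constructed samples (hosts, paths and parameter names are placeholders,
# not observed campaigns).
GOOGLE_WRAPPED = wrap("https://www.google.com/url", "q", "https://acme-payments-portal.test/verify")
NESTED_WRAPPED = wrap("https://www.youtube.com/redirect", "q", GOOGLE_WRAPPED)   # two layers deep
UNKNOWN_WRAPPED = wrap("https://www.google.com/url", "q", "https://login-review.test/session")
TRUSTED_HOSTED = "https://contoso.sharepoint.com/sites/finance/invoice-4471.pdf"


def in_domains(host: str, domains: set) -> bool:
    """Registrable-suffix match: 'www.google.com' belongs to 'google.com'."""
    return any(host == d or host.endswith("." + d) for d in domains)


def embedded_urls(url: str) -> list:
    """URLs carried in url's query string, decoded one level (no network access)."""
    query = urlsplit(url).query
    return [v for _, v in parse_qsl(query) if v.lower().startswith(("http://", "https://"))]


def unwrap(url: str, max_depth: int = 5) -> list:
    """Follow embedded destinations; return the chain from visible URL to final one."""
    chain, seen = [url], {url}
    while len(chain) <= max_depth:
        nested = embedded_urls(chain[-1])
        if not nested or nested[0] in seen:   # nothing further, or a loop
            break
        chain.append(nested[0])
        seen.add(nested[0])
    return chain


def classify(url: str) -> dict:
    """Compare a host-only signature check with one run on the unwrapped destination."""
    chain = unwrap(url)
    visible = (urlsplit(chain[0]).hostname or "").lower()
    final = (urlsplit(chain[-1]).hostname or "").lower()
    # What a host-only check sees: the trusted wrapper, never the payload.
    visible_verdict = "block" if in_domains(visible, BLOCKLIST) else "allow"
    if in_domains(final, BLOCKLIST):
        verdict = "block"                      # known-bad destination behind a trusted wrapper
    elif len(chain) > 1 and not in_domains(final, TRUSTED_DOMAINS):
        verdict = "suspicious-redirect"        # trusted wrapper, unvetted destination
    elif in_domains(final, TRUSTED_DOMAINS):
        verdict = "inspect-content"            # trusted host says nothing about the file it serves
    else:
        verdict = "unknown"
    return {"chain": chain, "visible_host": visible, "final_host": final,
            "visible_verdict": visible_verdict, "verdict": verdict}
```

    Two of the four samples show the gap directly: the wrapped and the doubly wrapped link both pass the host-only check and both resolve to the blocklisted host once unwrapped. The SharePoint-hosted file is the case unwrapping cannot help with; there the only honest verdict is to inspect the content itself.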

    How Should Organizations Respond? 

    If traditional technology is struggling to identify attacks sent from legitimate domains, imagine how challenging it is for employees to spot them. 

    As our research shows, phishing attacks sent from trusted platforms like Microsoft, DocuSign, and Google are increasingly difficult to detect, posing a serious challenge for organizations. Cybercriminals are capitalizing on the trust associated with these domains to bypass signature-based and reputation-based detection, making it more likely that malicious emails will slip through the cracks.

    It has never been more crucial for organizations to assess which phishing emails are bypassing their existing defenses and integrate an advanced anti-phishing product into their tech stack to protect their people, customers, and data.

    Stop Advanced Phishing Attacks with KnowBe4 Defend

    KnowBe4 Defend takes a new approach to email security by addressing the gaps in M365 and Secure Email Gateways (SEGs). Defend helps you respond to threats faster, dynamically improve security and stop advanced phishing threats. It reduces admin overhead, enhances detection and engages users to build a stronger security culture.

    With KnowBe4 Defend you can:

    • Reduce risk of data breaches by detecting threats missed by M365 and SEGs
    • Free up admin resources by automating email security tasks
    • Educate users with color-coded banners to turn risks into teachable moments
    • Continuously assess and dynamically adapt security detection, reducing admin overhead
    • Leverage live threat intelligence to automate training and simulations

    Request a Demo: https://info.knowbe4.com/one-on-one-demo-partners?partnerid=001a000001lWEoJAAW
