Inbox Intelligence: Five Email Threats Bypassing Company Email Security
← Research Hub

Inbox Intelligence: Five Email Threats Bypassing Company Email Security

Discover the five email threats defining 2026 and learn how a multi-signal detection model stops what authentication alone cannot.
27%
Phishing detections pass SPF, DKIM, and DMARC authentication
80%
Phishing detections that carry no malicious attachment
2.8B
Combined weekly downloads of the 20 npm packages compromised in a single supply chain campaign

Why this matters

Email remains the most reliable way into an organization. Despite decades of investment in authentication, gateways, sandboxes, and user training, attackers still reach their targets through the inbox. What has changed by 2026 is the scale and the sophistication. Phishing now operates as an industry, MFA can be bypassed at scale, and AI tooling has lowered the cost of a convincing attack while raising the ceiling on how convincing it can be. The attacks no longer break security controls — they pass through them.

Every attack in this report exploits the trust that email security places in a correctly authenticated message. The assumption that an authenticated email is a safe email no longer holds. Defenders need signals from outside the mailbox, starting in the underground markets where credentials are traded before they are ever used.
Anton Shumakov
Anton Shumakov
Machine Learning Engineer, Group-IB

What’s inside

Adversary-in-the-Middle phishing kitsAdversary-in-the-Middle phishing kits

How reverse-proxy kits like Tycoon 2FA, Evilginx, EvilProxy, and Sneaky 2FA capture the session cookie after the victim completes MFA, making authentication irrelevant.

Callback scamsCallback scams

How telephone-oriented attacks deliver no link, no attachment, and no executable, using a single phone number to move the victim onto a personal device beyond enterprise control.

Software supply chain phishingSoftware supply chain phishing

How the npmjs.help campaign passed SPF, DKIM, and DMARC from an attacker-owned domain and pushed a cryptocurrency clipper into 20 npm packages with 2.8 billion combined weekly downloads.

Adaptive phishing kitsAdaptive phishing kits

How LogoKit assembles a credential-capture page in the victim's browser at click time, defeating URL scanning at delivery, shown through a sustained DocuSign impersonation wave.

Infostealer email campaignsInfostealer email campaigns

How the Phantom Stealer five-wave campaign used mundane procurement lures to deliver credential theft that fuels the ransomware and business email compromise economy.