
PhishLumos: Exposing Phishing Campaigns that Evade Detection by Hiding Content
Why It Matters
By revealing phishing operations at the campaign level, PhishLumos gives security teams earlier, higher‑confidence indicators for blocking and takedown, reducing exposure to sophisticated cloaking tactics.
Key Takeaways
- PhishLumos maps URL infrastructure instead of content.
- Achieved 100% median campaign coverage on 103 real campaigns.
- Median detection lead time 192.8 hours (8 days) before verification.
- False positive rate 0.1% on 1,000 benign URLs.
- Generates reusable detection rules; struggles with throwaway infrastructure.
Pulse Analysis
Phishing attacks have evolved beyond simple deceptive links, employing cloaking techniques that serve benign pages to automated scanners while delivering malicious payloads to real users. This arms race has eroded the effectiveness of traditional content‑based URL filters, prompting researchers to look deeper into the network fabric that ties malicious domains together. Infrastructure‑centric analysis leverages shared IPs, DNS records, and SSL certificates, offering a more resilient signal that is harder for attackers to mask without sacrificing operational efficiency.
PhishLumos operationalizes this concept by constructing a graph of interconnected URLs based on their underlying assets. The system ingests passive DNS data, certificate transparency logs, and historical web‑scan records, then employs specialized large‑language‑model agents to profile the campaign and automatically generate detection rules. In a real‑world evaluation of 103 campaigns encompassing over 6,000 URLs, PhishLumos delivered 100% median coverage and flagged threats a median of 192.8 hours (roughly eight days) before they were verified, all while maintaining a 0.1% false‑positive rate on 1,000 benign URLs. These metrics demonstrate that infrastructure‑level insights can dramatically shorten detection lead times and improve confidence in automated alerts.
For security operations, PhishLumos represents a complementary layer rather than a replacement for existing tools. Its campaign‑wide artifacts streamline hunting, blocklist creation, and takedown requests, aligning with how threat intelligence is consumed in practice. However, the approach depends on the richness of external data sources and struggles when adversaries adopt throwaway infrastructure that shares no IPs, certificates, or DNS with anything else, underscoring the continued relevance of traditional scanners and analyst expertise. As phishing tactics keep adapting, blending content‑based detection with infrastructure graphing will likely become best practice for organizations seeking robust, early‑stage protection.
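To make the infrastructure‑graph idea from the two paragraphs above concrete, here is an added example (not PhishLumos code, and not a reproduction of its pipeline): URLs are linked whenever they share a resolved IP, a TLS certificate fingerprint, or an authoritative nameserver, connected components become candidate campaigns, and every asset shared by two or more members is emitted as a reusable block rule. The asset records are constructed sample data standing in for passive DNS and certificate‑transparency lookups; the hub threshold (`max_fanout`), the three asset kinds, and the `block kind=value` rule format are assumptions of this example. Rule generation here is deterministic rather than LLM‑driven, and the last two URLs show the failure mode the analysis mentions: a site with unique infrastructure, whether a throwaway phishing host or a legitimate bank, yields no cluster and no rule.

```python
from collections import defaultdict

# Constructed sample asset records (not real data):
# URL -> (resolved IP, TLS certificate fingerprint, authoritative nameserver).
# In a real deployment these come from passive DNS, CT logs and scan history.
SAMPLE_ASSETS = {
    "https://login-secure-bank.example/verify": ("203.0.113.10", "sha256:aaaa", "ns1.cheap-dns.example"),
    "https://bank-secure-login.example/update": ("203.0.113.10", "sha256:bbbb", "ns1.cheap-dns.example"),
    "https://account-check.example/": ("198.51.100.7", "sha256:bbbb", "ns2.other.example"),
    "https://throwaway-1.example/": ("192.0.2.55", "sha256:cccc", "ns9.unique.example"),
    "https://www.legit-bank.example/": ("203.0.113.200", "sha256:dddd", "ns1.legit.example"),
}

# Asset kinds, in the same order as the tuples above (assumption of this example).
ASSET_KINDS = ("ip", "cert", "ns")


class UnionFind:
    """Minimal disjoint-set structure for connected components."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_campaigns(assets, max_fanout=50):
    """Cluster URLs that share infrastructure into campaigns.

    Two URLs are linked when they share an IP, certificate or nameserver.
    An asset observed on more than `max_fanout` URLs (shared hosting, CDNs,
    public DNS providers) is treated as a hub and not used as a link, so
    unrelated sites are not glued into one cluster. The threshold value is
    an assumption of this example, not a PhishLumos parameter.
    Returns (campaigns, singletons): campaigns is a list of sorted URL lists
    with 2+ members; singletons are URLs with no usable infrastructure overlap.
    """
    by_asset = defaultdict(set)
    for url, values in assets.items():
        for kind, value in zip(ASSET_KINDS, values):
            by_asset[(kind, value)].add(url)

    uf = UnionFind()
    for url in assets:
        uf.find(url)  # register every URL, even ones with no shared asset
    for urls in by_asset.values():
        if len(urls) > max_fanout:
            continue  # hub asset: not evidence of a single operation
        first, *rest = sorted(urls)
        for other in rest:
            uf.union(first, other)

    groups = defaultdict(list)
    for url in assets:
        groups[uf.find(url)].append(url)
    campaigns = sorted((sorted(g) for g in groups.values() if len(g) > 1), key=lambda g: g[0])
    singletons = sorted(g[0] for g in groups.values() if len(g) == 1)
    return campaigns, singletons


def campaign_rules(campaign, assets):
    """Emit one reusable block rule per asset shared by 2+ campaign members."""
    counts = defaultdict(int)
    for url in campaign:
        for kind, value in zip(ASSET_KINDS, assets[url]):
            counts[(kind, value)] += 1
    return sorted(f"block {kind}={value}" for (kind, value), n in counts.items() if n >= 2)


if __name__ == "__main__":
    camps, alone = build_campaigns(SAMPLE_ASSETS)
    for c in camps:
        print("campaign:", c)
        print("  rules:", campaign_rules(c, SAMPLE_ASSETS))
    print("no infrastructure overlap (throwaway or benign):", alone)
```

On the sample data the three lookalike bank hosts collapse into one campaign even though no single asset ties all three together (two share an IP and nameserver, a different pair shares a certificate), which is the transitive reach an infrastructure graph gives that per‑URL content scanning does not. The hub cutoff is what keeps the false‑positive side in check: without it, one shared‑hosting IP would merge every tenant on that box into a "campaign".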