Phish and Chips: Tactics, Tales and Takeaways

Security BSides London · 7 views · 23:10 · about 1 month ago

This talk analyzes real-world phishing attacks from the perspective of a Security Operations Center (SOC) analyst, highlighting the persistent effectiveness of social engineering. It examines specific attack vectors, including email, SMS, and QR code-based phishing, and demonstrates how attackers bypass traditional security filters. The presentation emphasizes the critical role of user awareness training and real-time monitoring of anomalous sign-in patterns to mitigate account takeovers. It also discusses the tactics of threat actors like Scattered Spider and Lapsus$ in leveraging harvested credentials for further compromise.

Why Your SOC Is Still Losing to Basic Phishing in 2025

TLDR: Despite massive investments in email security gateways and automated detection, phishing remains the primary entry point for high-impact breaches. This analysis of recent SOC operations reveals that attackers are successfully bypassing traditional filters by using low-effort, high-volume social engineering that exploits human psychology rather than technical vulnerabilities. Pentesters and researchers should focus on testing the efficacy of internal communication channels and the speed of incident response rather than just perimeter defenses.

Phishing is not a solved problem. If you spend your days hunting for complex zero-days or chaining together intricate exploit primitives, it is easy to dismiss phishing as a legacy threat that modern security stacks have neutralized. That assumption is a mistake. The reality inside a 24/7 Security Operations Center is that phishing remains the most reliable, cost-effective, and dangerous vector for initial access. Attackers are not reinventing the wheel because they do not need to. They are simply refining the social engineering components that bypass the automated filters we rely on to keep our inboxes clean.

The Mechanics of Modern Credential Harvesting

The most effective phishing campaigns today do not rely on sophisticated malware payloads or complex browser exploits. They rely on context. Attackers are increasingly using Adversary-in-the-Middle (AiTM) techniques to intercept live sessions, effectively rendering standard multi-factor authentication (MFA) useless. By proxying the authentication flow, the attacker captures the session token, allowing them to bypass the need for a password or a second-factor prompt entirely.

During recent engagements, we have seen a shift toward "whaling" attacks that target senior executives with highly specific, context-aware lures. These are not generic "your account is locked" emails. They are tailored messages that mimic internal HR processes, such as updated benefits packages or internal policy changes. When an executive clicks a link in one of these emails, they are directed to a proxy site that looks identical to the legitimate Microsoft 365 login page. Because the site is a real-time proxy, the user completes their MFA challenge, and the attacker captures the session cookie.

For a pentester, the takeaway is clear: stop testing the perimeter and start testing the human-process interface. If you are running a red team engagement, your goal should be to identify the internal communication channels that are most trusted by employees. Can you spoof an internal HR email? Can you use a Microsoft 365 tenant that looks like a partner organization? The goal is to move beyond the technical bypass and into the realm of social engineering where the security controls are weakest.

Why Automated Detection Fails

Security tools like Zscaler and Mimecast are excellent at catching known malicious domains and file signatures. However, they struggle with the "first-seen" problem. An attacker can register a domain, host a landing page, and execute a campaign before the threat intelligence feeds have even categorized the domain as malicious.

We frequently see phishing links that redirect through legitimate services like Google Docs or other trusted SaaS platforms. Because the initial URL is a legitimate, high-reputation domain, the email security gateway lets it through. By the time the SOC receives an alert, the attacker has already harvested the credentials and moved laterally.

To validate these threats, you need a robust stack of investigation tools. I rely on VirusTotal for initial file and URL reputation, but it is rarely enough on its own. For a more granular look, URLScan is essential because it provides a screenshot of the landing page, which is often the only way to confirm whether a site is actively harvesting credentials. If you are tracking indicators of compromise (IOCs) across a campaign, Drakon.ai is a powerful resource that aggregates data from multiple sources, including Spamhaus and LevelBlue Labs, to give you a clearer picture of the infrastructure being used.

The Role of Internal Response

The most critical failure point is not the initial click, but the lack of internal reporting and response. In one recent incident, a single employee received a phishing email, did not interact with it, but forwarded it to four other colleagues. One of those colleagues clicked the link and entered their credentials. The security tool blocked the link for the subsequent users, but the damage was already done.

This highlights the need for a culture where employees feel comfortable reporting suspicious emails rather than just deleting or forwarding them. From a defensive perspective, the most effective control is not a better filter, but a faster response. If your SOC can identify a compromised account within minutes of the initial login, you can force a credential reset and revoke all active sessions before the attacker can establish persistence.
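The AiTM token capture described under "The Mechanics of Modern Credential Harvesting" and the fast session revocation this section calls for meet in the SOC's sign-in telemetry. The following Python is an added example, not code from the talk or from any vendor tool: it runs over constructed sign-in events with assumed field names (ts, user, session, ip, country, mfa) and flags a session cookie that reappears from a new IP shortly after the MFA sign-in that minted it, attaching the containment steps the text recommends.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). The first user's
# session cookie, minted after a successful MFA sign-in, reappears minutes
# later from a different IP and country: the footprint of an AiTM proxy
# replaying the captured token.
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T09:00:12Z", "user": "cfo@example.com", "session": "sess-1a2b",
     "ip": "203.0.113.10", "country": "GB", "mfa": True},
    {"ts": "2025-06-02T09:04:40Z", "user": "cfo@example.com", "session": "sess-1a2b",
     "ip": "198.51.100.77", "country": "NL", "mfa": False},
    {"ts": "2025-06-02T09:05:01Z", "user": "dev@example.com", "session": "sess-9f8e",
     "ip": "203.0.113.22", "country": "GB", "mfa": True},
    {"ts": "2025-06-02T11:30:00Z", "user": "dev@example.com", "session": "sess-9f8e",
     "ip": "203.0.113.22", "country": "GB", "mfa": False},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_token_replay(events, window=timedelta(minutes=30)):
    """One alert per session whose cookie is used from a different IP than the
    interactive (MFA) sign-in that minted it, within `window`. A replayed token
    never repeats the MFA challenge, so a non-MFA event from a new source soon
    after the MFA event is the signal the SOC should act on."""
    first_seen = {}  # (user, session) -> the interactive sign-in that minted it
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["session"])
        origin = first_seen.setdefault(key, ev)
        if origin is ev or ev["mfa"]:
            continue  # the minting sign-in itself, or a fresh MFA sign-in
        age = parse_ts(ev["ts"]) - parse_ts(origin["ts"])
        if ev["ip"] != origin["ip"] and age <= window:
            alerts.append({
                "user": ev["user"],
                "session": ev["session"],
                "origin_ip": origin["ip"],
                "replay_ip": ev["ip"],
                "minutes_after_mfa": round(age.total_seconds() / 60, 1),
                # A country change on top of the IP change raises severity.
                "severity": "high" if ev["country"] != origin["country"] else "medium",
                # Containment the text recommends: kill every session, then reset.
                "actions": ["revoke_all_sessions", "force_credential_reset"],
            })
    return alerts
```

In production the same check runs against the identity provider's sign-in log rather than a list literal, and the actions list maps to the provider's session-revocation and password-reset calls.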

What to Do Next

If you are a researcher or a pentester, your focus should be on the gaps between the tools. How long does it take for your client’s SOC to identify a credential theft attempt? How do they handle session revocation? These are the questions that matter in 2025. Stop assuming that your client’s email security gateway is doing the heavy lifting. Start testing the assumption that their employees are the last line of defense, and then prove that the last line is usually the first to break.

The next time you are on an engagement, don't just look for the technical bypass. Look for the process failure. Look for the email that looks "just right" and see how long it takes for someone to report it. That is where the real work is.

Talk type: talk · Difficulty: beginner

BSides London 2025 Track 3 (8 talks · 2025)