Cofense Research Shows Phishing Campaigns Adapting in Real-Time to Victim's OS

Phishing Gets Smarter: Attacks Now Auto-Adapt Payloads to Victim's OS and Device

Severity: HIGH
Published: July 2, 2026 (updated July 3, 2026)
Categories: Phishing, Threat Intelligence, Malware

Related Entities (initial)

Organizations: Cofense, Microsoft, Adobe
Other: DocuSign, Zoom

Full Report (when first published)

Executive Summary

Phishing attacks are evolving from generic, mass-mailed campaigns into intelligent, adaptive threats. New research from anti-phishing vendor Cofense reveals that threat actors are now using real-time device fingerprinting to deliver customized payloads. Upon a victim clicking a malicious link, the attack infrastructure analyzes the browser's user-agent string to determine the operating system and device type. This allows the attacker to serve the most effective malware for that specific environment—for example, a Windows user might receive an .exe file, while a macOS user gets a .dmg. This dynamic adaptation significantly increases the success rate of phishing campaigns and demonstrates a clear shift towards more targeted and efficient attack methods.


Threat Overview

The era of one-size-fits-all phishing is fading. Modern campaigns, as detailed by Cofense, employ a multi-stage, adaptive approach:

  1. Targeted Lure: The attack often begins with a well-crafted email using a relevant pretext, such as a fake invoice or a file-sharing notification from a trusted brand like Microsoft Teams or DocuSign.
  2. Victim Fingerprinting: When the user clicks the link, they are directed to a landing page that silently collects their browser's user-agent string. This small piece of data reveals a wealth of information: operating system (Windows, macOS, Android, iOS), browser type and version, language, and more.
  3. Dynamic Payload Delivery: The attacker's server uses this information to make an instant decision. Based on the victim's OS, it serves a tailored payload:
    • Windows User: Redirected to a page that downloads a malicious executable (.exe), script (.bat, .ps1), or archive (.zip, .iso).
    • macOS User: Served a malicious disk image (.dmg) or an application bundle.
    • Mobile User (Android/iOS): Directed to a convincing, mobile-optimized credential harvesting page designed to steal logins for corporate or personal accounts.

This process ensures that the victim always receives a payload that can run on their system, maximizing the chance of infection.

Technical Analysis

The core technique is the use of the user-agent string for device fingerprinting, which falls under T1592 - Gather Victim Host Information. This is not a new technique, but its application in mainstream phishing for dynamic payload delivery is a significant evolution. The backend logic on the attacker's server is the 'brain' of the operation, acting as a traffic director for malware.

This is often combined with other sophisticated tactics:

  • Brand Impersonation: Landing pages dynamically change their appearance to mimic trusted brands like Zoom or Adobe, making the lure more believable.
  • LLM-Generated Content: Attackers use Large Language Models (LLMs) to create grammatically perfect and contextually relevant email copy, removing poor spelling and grammar, a traditional red flag of phishing.
  • Phishing-as-a-Service (PhaaS): The proliferation of advanced phishing kits on the dark web makes these adaptive capabilities available to less-skilled actors, democratizing sophisticated attacks.

The attack moves beyond simple credential theft and becomes a versatile malware delivery platform, capable of dropping infostealers, remote access trojans (RATs), or ransomware.

Impact Assessment

The shift to adaptive phishing has several key impacts:

  • Increased Success Rate: By delivering compatible payloads, attackers overcome a major hurdle of generic campaigns where a Windows EXE sent to a Mac user would fail.
  • Harder to Detect: Security teams and automated systems that look for a single, specific payload may miss these campaigns, as the malicious content varies for each target.
  • Broader Reach: Attackers can target a diverse range of users and devices with a single campaign, knowing the appropriate payload will be delivered to each.
  • Erosion of User Trust: The use of highly convincing, branded landing pages makes it increasingly difficult for even trained users to distinguish legitimate requests from malicious ones.

IOCs — Directly from Articles

No specific IOCs were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns to detect related activity:

  • Type: Log Source. Value: Web Proxy Logs. Description: Analyze logs for redirects where the initial URL is generic, but the subsequent URL points to an OS-specific file type (e.g., .exe, .dmg).
  • Type: User-Agent Pattern. Value: Suspicious or unusual User-Agent strings. Description: While attackers often use legitimate strings, sometimes malformed or rare user-agents are used in testing, which can be an indicator.
  • Type: Network Traffic Pattern. Value: Short-lived redirect chains. Description: Look for users being passed through a quick series of redirects before landing on a file download or a credential harvesting page.

Detection & Response

  1. URL Analysis at Time-of-Click: Use email security solutions that analyze the destination of a link not just when the email is received, but also at the time the user clicks it. This can help detect malicious redirects.
  2. Browser Isolation: Route user web browsing, especially from links in emails, through a remote browser isolation (RBI) platform. This executes the web content in a disposable container, preventing any malicious payload from reaching the user's endpoint.
  3. Analyze Web Proxy Logs: Ingest web proxy logs into a SIEM and create rules to detect users downloading executable files from untrusted or newly registered domains. This aligns with D3FEND's URL Analysis (D3-UA).
  4. Endpoint Behavioral Analysis: Since the payload is variable, detection should focus on post-execution behavior. An EDR can detect suspicious actions (e.g., a downloaded .dmg mounting and running a script) regardless of the initial file type, a form of Dynamic Analysis (D3-DA).
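As an added illustration of the Web Proxy Logs hunting hint and step 3 above (example code written for this summary, not from Cofense or the source article): it parses constructed proxy log lines (the log format, client addresses and domains are all assumed), rebuilds each client's redirect chain, and flags an entry URL whose chains hand a Windows visitor a Windows file type and a macOS visitor a .dmg, which is the signature of OS-adaptive payload delivery rather than of any single payload.

```python
import re

# Constructed sample proxy log lines (not from the article): time client "user-agent" status url
SAMPLE_LOGS = """\
10:00:01 10.0.0.5 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 302 https://share-docs.example/invoice
10:00:01 10.0.0.5 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 302 https://cdn-relay.example/go?id=7
10:00:02 10.0.0.5 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200 https://files-drop.example/Invoice_4471.exe
10:00:09 10.0.0.9 "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_2)" 302 https://share-docs.example/invoice
10:00:09 10.0.0.9 "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_2)" 302 https://cdn-relay.example/go?id=7
10:00:10 10.0.0.9 "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_2)" 200 https://files-drop.example/Invoice_4471.dmg
10:05:00 10.0.0.7 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200 https://intranet.example/report.pdf
"""
LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\d{3}) (\S+)$', re.M)
WINDOWS_EXT = (".exe", ".bat", ".ps1", ".iso")   # file types the article lists for Windows victims
MACOS_EXT = (".dmg",)                             # and for macOS victims
# iOS markers come first because iOS user-agents also contain "Mac OS X"
UA_OS = (("iPhone", "ios"), ("iPad", "ios"), ("Android", "android"), ("Windows", "windows"), ("Macintosh", "macos"))

def os_from_user_agent(ua):
    # Coarse OS classification of a User-Agent string, the same signal the attacker's server keys on
    return next((name for marker, name in UA_OS if marker in ua), "other")

def os_from_payload(url):
    # OS a downloaded file type runs on, taken from the URL path's extension; None if not OS-specific
    path = url.split("?", 1)[0].lower()
    if path.endswith(WINDOWS_EXT):
        return "windows"
    return "macos" if path.endswith(MACOS_EXT) else None

def redirect_chains(log_text):
    # Yield (client, ua, entry_url, final_url) for each run of 3xx hops that ends in a non-3xx response
    pending = {}  # client -> (ua, first redirecting URL seen)
    for m in LOG_RE.finditer(log_text):
        _, client, ua, status, url = m.groups()
        if status.startswith("3"):
            pending.setdefault(client, (ua, url))
        elif client in pending:
            ua, entry = pending.pop(client)
            yield client, ua, entry, url

def find_adaptive_entry_urls(log_text):
    # Entry URLs whose chains hand each OS a download built for that OS: the adaptive-delivery signature
    served = {}  # entry_url -> set of OSes that received a matching payload
    for _, ua, entry, final in redirect_chains(log_text):
        target = os_from_payload(final)
        if target is not None and target == os_from_user_agent(ua):
            served.setdefault(entry, set()).add(target)
    return sorted(url for url, oses in served.items() if len(oses) >= 2)
```

On the sample, only https://share-docs.example/invoice is returned; the benign PDF download and a single-OS chain are not flagged, so the rule complements rather than replaces the per-download alerting in step 3.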

Mitigation

  1. User Training: Continue to train users on the dangers of clicking links in unsolicited emails. Emphasize that even official-looking brand pages can be spoofs.
  2. Web Filtering: Implement and maintain a strict web filtering policy that blocks access to uncategorized or known malicious websites.
  3. File Type Blocking: Block the download of high-risk file types (e.g., .exe, .ps1, .js, .iso) from the web for most users. Create exceptions for specific roles that require this functionality.
  4. Endpoint Hardening: Use application control or allowlisting to prevent unauthorized applications from running, which would stop any downloaded payload from executing.

Timeline of Events

  1. July 1, 2026: Cofense publishes research on adaptive phishing campaigns.
  2. July 2, 2026: This article was published.

Article Updates

July 3, 2026

New article provides explicit sources, details T1592.002, and emphasizes phishing-resistant MFA as a key mitigation for adaptive phishing.

MITRE ATT&CK Mitigations

  • Ongoing user training is crucial to help employees recognize and report sophisticated phishing lures.
  • Use advanced web filtering and URL analysis to inspect links at time-of-click and block malicious redirects.
  • Browser isolation technologies can execute the malicious content in a sandbox, preventing the payload from reaching the endpoint.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: Phishing, Adaptive Attack, User-Agent, Cofense, Social Engineering, Malware Delivery
