Phishing attacks are evolving from generic, mass-mailed campaigns into intelligent, adaptive threats. New research from anti-phishing vendor Cofense reveals that threat actors are now using real-time device fingerprinting to deliver customized payloads. Upon a victim clicking a malicious link, the attack infrastructure analyzes the browser's user-agent string to determine the operating system and device type. This allows the attacker to serve the most effective malware for that specific environment—for example, a Windows user might receive an .exe file, while a macOS user gets a .dmg. This dynamic adaptation significantly increases the success rate of phishing campaigns and demonstrates a clear shift towards more targeted and efficient attack methods.
The era of one-size-fits-all phishing is fading. Modern campaigns, as detailed by Cofense, employ a multi-stage, adaptive approach:
1. The victim clicks the phishing link, and the attacker's server inspects the request's user-agent string. This small piece of data reveals a wealth of information: operating system (Windows, macOS, Android, iOS), browser type and version, language, and more.
2. The server selects a payload that matches the detected platform. A Windows victim receives an executable (.exe), a script (.bat, .ps1), or an archive (.zip, .iso); a macOS victim receives a disk image (.dmg) or an application bundle.
This process ensures that the victim always receives a payload that can run on their system, maximizing the chance of infection.
The core technique is the use of the user-agent string for device fingerprinting, which falls under T1592 - Gather Victim Host Information. This is not a new technique, but its application in mainstream phishing for dynamic payload delivery is a significant evolution. The backend logic on the attacker's server is the 'brain' of the operation, acting as a traffic director for malware.
This is often combined with other sophisticated tactics:
The attack moves beyond simple credential theft and becomes a versatile malware delivery platform, capable of dropping infostealers, remote access trojans (RATs), or ransomware.
The shift to adaptive phishing has several key impacts:
No specific IOCs were provided in the source articles.
Security teams may want to hunt for the following patterns to detect related activity:
A single URL that returns different payload file types (.exe, .dmg) depending on the requesting user-agent.
Detonate downloaded files in a sandbox that observes behaviour (for example, a .dmg mounting and running a script) regardless of the initial file type, a form of Dynamic Analysis (D3-DA).
Block downloads of executable and script file types (.exe, .ps1, .js, .iso) from the web for most users. Create exceptions for specific roles that require this functionality.
This revision of the article provides explicit sources, details T1592.002, and emphasizes phishing-resistant MFA as a key mitigation for adaptive phishing.
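As an added example (not from the article or from Cofense), the following Python hunts constructed proxy log lines for the first pattern above: one URL whose delivered file type changes with the requesting operating system. The log format, URL and filenames are assumptions.

```python
"""Hunt proxy logs for a URL that hands out different payload types to
different client operating systems (user-agent-keyed delivery)."""
import re
from collections import defaultdict

# Constructed sample proxy records (not from the article): client IP, URL,
# quoted user-agent, and the filename taken from Content-Disposition.
SAMPLE_LOGS = [
    '10.0.0.5 http://lure.example/invoice "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" invoice.exe',
    '10.0.0.9 http://lure.example/invoice "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)" invoice.dmg',
    '10.0.0.7 http://lure.example/invoice "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" invoice.exe',
    '10.0.0.3 http://cdn.example/report "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" report.pdf',
    '10.0.0.4 http://cdn.example/report "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)" report.pdf',
]

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')
# Order matters: iPhone/Android user-agents also carry "Mac OS X"/"Linux" tokens.
OS_MARKERS = [("iPhone", "iOS"), ("iPad", "iOS"), ("Android", "Android"),
              ("Windows", "Windows"), ("Mac OS X", "macOS"), ("Linux", "Linux")]
# File types the article lists as platform-specific droppers.
DROPPER_EXTS = {"exe", "dmg", "bat", "ps1", "js", "iso", "zip"}

def os_family(user_agent):
    """Coarse OS classification from the user-agent string."""
    for marker, family in OS_MARKERS:
        if marker in user_agent:
            return family
    return "unknown"

def parse(line):
    """Split one log line into ip, url, os family and file extension."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, url, ua, fname = m.groups()
    ext = fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
    return {"ip": ip, "url": url, "os": os_family(ua), "ext": ext}

def find_adaptive_delivery(lines):
    """Return {url: {os_family: [ext, ...]}} for URLs whose delivered file
    type varies across requests and includes at least one dropper type."""
    by_url = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse(line)
        if rec:
            by_url[rec["url"]][rec["os"]].add(rec["ext"])
    hits = {}
    for url, per_os in by_url.items():
        exts = set().union(*per_os.values())
        if len(exts) > 1 and exts & DROPPER_EXTS:
            hits[url] = {os_: sorted(e) for os_, e in per_os.items()}
    return hits
```

The report URL serves the same PDF to every client and is not flagged; the invoice URL is, because its file type tracks the client OS.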
Ongoing user training is crucial to help employees recognize and report sophisticated phishing lures.
Use advanced web filtering and URL analysis to inspect links at time-of-click and block malicious redirects.
Mapped D3FEND Techniques:
Browser isolation technologies can execute the malicious content in a sandbox, preventing the payload from reaching the endpoint.
Mapped D3FEND Techniques:
Cofense publishes research on adaptive phishing campaigns.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.