Conditional Phishing and Beyond: The Hidden Triggers in Modern Cyber Attacks


Introduction

Phishing has always been about deception, but in recent years, it has become far more selective and evasive. One increasingly common technique is conditional phishing, where a malicious page looks harmless unless certain conditions are met.

This tactic complicates detection, extends attacker uptime, and sharpens targeting precision. At first glance, these sites may appear blank or benign. But when accessed with a specific identifier, such as an email address in the URL, they transform into fully functional credential-harvesting pages.

Understanding how this technique works is important for everyone: from frontline security analysts investigating suspicious URLs to business leaders responsible for managing enterprise risk.

How Conditional Phishing Works

During threat monitoring, we observed phishing URLs structured as follows:

hxxps://[random-subdomain].example[.]com[.]iq/[path]/

When accessed directly, these URLs displayed a blank page. However, when the link carried an identifier, such as an email address appended to the path:

hxxps://[random-subdomain].example[.]com[.]iq/[path]/user@example[.]com

the same site revealed a fully functional phishing page impersonating a legitimate service and ready to capture login credentials.

Conditional triggers may be based on:

  • URL path or query string parameters
  • Referrer from a specific email or portal
  • Device type or browser user-agent
  • Time-of-day checks

This ensures that only the intended victims see the phishing content, while automated scanners, analysts, and casual visitors see nothing suspicious.
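For an analyst working from proxy or gateway logs, the first practical step is to find the identifier that the URL carries, because it both marks the link as conditional and tells you who was targeted. The script below is an added example for this article, not code from any vendor or kit. It handles the case shown above (an email address appended to the path) and, going beyond the article's own example, two variants that turn up in the same role: the address as a query-string value and a base64-encoded address after a `#` fragment. The log lines are constructed for the example, and the host name `login-portal.example` is a placeholder.

```python
"""Pull the embedded victim identifier out of suspicious URLs.

Added example for this article (not code from any vendor or kit). Handles an
email address appended to the path, an address in a query-string value, and a
base64-encoded address in a '#' fragment or final path segment.
"""
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{12,}={0,2}$")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def _decode_b64(token: str):
    """Decode standard or URL-safe base64 (padding optional); None on failure."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except ValueError:          # binascii.Error and UnicodeDecodeError both subclass ValueError
        pass
    try:
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except ValueError:
        return None


def _email_in(text: str):
    """Return (email, was_base64) if text holds an address, plain or base64; else None."""
    m = EMAIL_RE.search(text)
    if m:
        return m.group(0), False
    if B64_RE.match(text):
        decoded = _decode_b64(text)
        if decoded and EMAIL_RE.fullmatch(decoded):
            return decoded, True
    return None


def find_identifier(url: str):
    """Locate a victim identifier in a URL.

    Returns (where, email, was_base64) with `where` one of "path",
    "query:<param>" or "fragment", or None when the URL carries no identifier.
    """
    parts = urlsplit(url)
    path = unquote(parts.path)
    segment = path.rstrip("/").rsplit("/", 1)[-1]   # the identifier is usually the last segment
    hit = _email_in(path) or _email_in(segment)
    if hit:
        return ("path", hit[0], hit[1])
    for key, values in parse_qs(parts.query).items():
        for value in values:
            hit = _email_in(value)
            if hit:
                return ("query:" + key, hit[0], hit[1])
    hit = _email_in(unquote(parts.fragment))
    if hit:
        return ("fragment", hit[0], hit[1])
    return None


def hunt(log_lines):
    """Scan proxy log lines; return [(url, where, email)] for URLs carrying an identifier."""
    hits = []
    for line in log_lines:
        for url in URL_RE.findall(line):
            found = find_identifier(url)
            if found:
                hits.append((url, found[0], found[1]))
    return hits


# Constructed sample proxy log (not real telemetry): one campaign, four requests.
SAMPLE_LOG = [
    "1700000000.123 10.0.0.5 GET https://x9k2.login-portal.example/secure/user@example.com 200",
    "1700000001.456 10.0.0.7 GET https://x9k2.login-portal.example/secure/ 200",
    "1700000002.789 10.0.0.9 GET https://x9k2.login-portal.example/secure/?e=user@example.com 200",
    "1700000003.012 10.0.0.11 GET https://x9k2.login-portal.example/secure/#dXNlckBleGFtcGxlLmNvbQ== 200",
]

if __name__ == "__main__":
    for url, where, email in hunt(SAMPLE_LOG):
        print(f"{where:12} {email:24} {url}")
```

Three of the four constructed requests are flagged and all resolve to the same address, which is the view you want: the bare fetch from 10.0.0.7 is the one a scanner would have made, and the other three show who the campaign was actually aimed at. Fragments never reach the server in an HTTP request, so a gateway that logs only what it forwarded will miss the `#` variant; this is why the full URL as delivered in the email, not the request line, is the right thing to hunt on.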

Why Attackers Use Conditional Phishing

Conditional phishing offers attackers several advantages:

  • Avoid Detection – Security scanners and email gateways that analyze only the base URL often miss hidden content.
  • Prolong Uptime – Hosting providers or abuse teams perceive harmless content and delay takedowns.
  • Target Precision – Including emails or tokens enables selective personalization, tracking, and higher success rates.
  • Delay Analysis – Without the correct trigger, researchers encounter a blank page, complicating investigations.

Conditional Phishing Kits in the Wild

Modern phishing kits are sophisticated, often including conditional delivery by design. Examples include:

  • 16Shop – Delivers tailored phishing content with email suffix or token requirements, supporting IP and browser-based filtering.
  • Caffeine Phishing-as-a-Service – Offers tokenized URLs, campaign tracking, and anti-crawler mechanisms.
  • AiTM Frameworks (Evilginx2, Modlishka, Muraena) – Reverse-proxy the real login flow, typically only for requests that carry a valid lure token, and capture both the credentials and the session cookie issued after MFA completes.

These kits make conditional phishing accessible even to low-skilled operators, increasing the scale of attacks.

Beyond Phishing: Other Conditional Attack Scenarios

Conditional delivery is also applied in other contexts:

  • Geo-Targeting – Malicious payloads appear only in certain regions.
  • Device-Specific Content – Pages render only on mobile devices or specific browsers.
  • Time-Based Delivery – Pages activate only during business hours in the victim’s timezone.
  • Tokenized / One-Time Links – Links only function with unique IDs or embedded emails.
  • User Interaction Triggers – Content loads only after scrolling, clicking, or typing.
  • Referrer Filtering – Page activates only if accessed via the phishing email.
  • Targeted Domain Checks – Phishing page triggers only for employees of a specific company or sector.
  • Cloud/SaaS Phishing – Conditional pages targeting Google, Office 365, or other SaaS logins.
  • MFA Capture via AiTM – Proxies the genuine login and MFA exchange for the victim and captures the session cookie issued afterwards, so MFA is satisfied by the victim but the authenticated session belongs to the attacker.
  • Supply Chain Targeting – Triggers only if the email domain matches a supplier or partner.

These methods ensure maximum stealth and success while minimizing exposure.

Real-World Examples

  • A recent campaign targeted financial employees in the Middle East, appending employee emails to URLs to bypass email security filters.
  • SaaS admin accounts were targeted using AiTM kits, capturing session cookies and MFA tokens without alerting users.
  • Time-based campaigns were observed where phishing pages only rendered during regional business hours, evading global monitoring teams.

Business Impact

Conditional phishing and related tactics pose serious risks to organizations:

  • Missed Detections – Security tools may report clean results, creating a false sense of safety.
  • Extended Attack Window – Delayed takedowns allow campaigns to compromise more accounts.
  • Higher Success Rates – Personalized targeting increases the likelihood of credential theft.
  • Incident Response Gaps – Analysts struggle to reproduce phishing pages, delaying containment.
  • Financial and Reputational Losses – Fraud, wire transfers, or SaaS compromise can directly hit revenue and trust.
  • Regulatory Exposure – Breaches can trigger penalties under GDPR, SOX, HIPAA, and other compliance frameworks.

In short, these attacks impact risk, trust, and the bottom line.

Defensive Measures

Organizations can respond with a mix of technology, process, and awareness:

  • Deep URL Inspection – Analyze the full URL as delivered (path, query string, fragment, and any embedded identifier or token), not just the scheme and host.
  • Dynamic / Behavioral Sandboxing – Fetch the link with realistic browser profiles, referrers, and timing, and compare the responses; a page that changes depending on how it is requested is itself a signal.
  • Threat Hunting for Patterns – Monitor for suspicious subdomains, fast-flux networks, and recently issued certificates.
  • Awareness Training – Teach employees that personalized links are not a guarantee of legitimacy.
  • Automated Threat Intelligence – Use AI/ML to detect patterns in URL behavior and parameters.
  • Collaboration & Intelligence Sharing – Share insights via ISACs, CERTs, or industry groups to accelerate detection.
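The probe below is an added example for this article, not code from any phishing kit, vendor, or sandbox product. `conditional_gate` is a hypothetical, simplified model of the trigger types listed under How Conditional Phishing Works (identifier in the path, referrer, user-agent, time of day); the profile names, the webmail referrer allowlist, the scanner user-agent markers, and the `example.com` target domain are all assumptions made for the example. `probe` is the analyst-side half that the Deep URL Inspection and Behavioral Sandboxing bullets call for: it requests the same path under several profiles and treats any difference between responses as a finding, so a page that is blank for the bare URL but serves a form once an identifier for the targeted domain is appended is flagged even though no single fetch looks malicious on its own.

```python
"""Model a conditional phishing gate and probe it under several request profiles.

Added example for this article; the gate is a hypothetical model of the
trigger types described in the text, not code from any phishing kit, and the
probe is the analyst-side check. No network access is made.
"""
import hashlib
import json
import re
from dataclasses import dataclass
from typing import Callable

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
SCANNER_UA_MARKERS = ("curl", "python-requests", "bot", "spider", "headless")      # assumed
ALLOWED_REFERRERS = ("https://outlook.office.com/", "https://mail.google.com/")   # assumed
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"

BLANK = "<html><body></body></html>"
HARVEST = "<html><body><form method='post' action='/submit'>fake login form</form></body></html>"


@dataclass
class Request:
    path: str
    user_agent: str = BROWSER_UA
    referrer: str = ""   # empty is common: webmail clients often strip the Referer header
    hour_utc: int = 10


def conditional_gate(req: Request, target_domain: str = "example.com") -> str:
    """Hypothetical gate: the harvest page is served only when every trigger is met."""
    m = EMAIL_RE.search(req.path)
    if not m or m.group(1).lower() != target_domain:
        return BLANK          # no identifier, or not an address at the targeted organisation
    if any(marker in req.user_agent.lower() for marker in SCANNER_UA_MARKERS):
        return BLANK          # user-agent looks like a crawler or sandbox
    if req.referrer and not req.referrer.startswith(ALLOWED_REFERRERS):
        return BLANK          # arrived from somewhere other than the victim's webmail
    if not 8 <= req.hour_utc < 18:
        return BLANK          # outside the targeted region's business hours
    return HARVEST


def strip_identifier(path: str) -> str:
    """The bare URL a gateway or analyst would typically fetch."""
    return EMAIL_RE.sub("", path)


def with_identifier(path: str, target_domain: str) -> str:
    """Keep the delivered identifier, or append a plausible one for the targeted domain."""
    if EMAIL_RE.search(path):
        return path
    return path.rstrip("/") + "/probe@" + target_domain


def probe(path: str, fetch: Callable[[Request], str], target_domain: str = "example.com") -> dict:
    """Fetch the same path under several profiles and compare what comes back."""
    base, tagged = strip_identifier(path), with_identifier(path, target_domain)
    profiles = {
        "base_scanner_ua": Request(base, user_agent="python-requests/2.31"),
        "base_browser": Request(base),
        "tagged_browser": Request(tagged),
        "tagged_browser_scanner_referrer": Request(tagged, referrer="https://urlscan.example/"),
        "tagged_browser_03h_utc": Request(tagged, hour_utc=3),
    }
    results = {}
    for name, req in profiles.items():
        body = fetch(req)
        results[name] = {
            "sha256": hashlib.sha256(body.encode()).hexdigest()[:12],
            "has_form": "<form" in body.lower(),
        }
    distinct = {r["sha256"] for r in results.values()}
    return {
        "conditional": len(distinct) > 1,            # any profile-dependent response is a signal
        "serves_form_to": [n for n, r in results.items() if r["has_form"]],
        "profiles": results,
    }


if __name__ == "__main__":
    # Simulated run against the hypothetical gate.
    print(json.dumps(probe("/secure/", conditional_gate), indent=2))
```

Against the modelled gate only the `tagged_browser` profile receives the form; every other profile gets the blank page, which is exactly what a single-fetch scanner would have reported as clean. To run this against a live suspect URL, replace the `fetch` argument with a function that issues the request through a sandboxed browser and returns the body, and keep the identifier you append limited to a throwaway address at the targeted domain so the probe does not hand the kit a real victim.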

Final Thoughts

Conditional phishing represents a quiet but potent evolution in attack strategy. It hides malicious intent until the moment of engagement, showing itself only to the right users and sidestepping defenses that judge a link by what the bare URL returns.

For defenders, the challenge is twofold: detection techniques must keep evolving to surface content that appears only under the right conditions, and organizational decision-makers must understand these "invisible" risks well enough to prioritize them, so that they are addressed proactively and their operational, financial, and reputational impact is kept to a minimum.