Glossary Hub for Cybersecurity
Master Key Concepts in Security and Artificial Intelligence: Browse Expert-Curated Terms, Each Linked to Clear, Insightful Articles for Deeper Learning
A
Address Harvesting
Address harvesting is the practice of collecting email addresses, often through automated bots, for unauthorized use in spam, phishing, and malicious marketing campaigns. This activity not only violates data privacy regulations but also exposes individuals and organizations to elevated risks of fraud, security breaches, and reputational damage.
What I need to know about Address Harvesting:
• Used in spam and phishing campaigns: Harvested addresses are commonly sold or used to send bulk malicious emails.
• Sources include websites, forums, public records, and social media.
• Automated bots (“harvesters”) scan the internet for email patterns like john@example.com.
• A threat to organizations and individuals: Even one exposed address can become the entry point for phishing or credential stuffing attacks.
• Legal ramifications: In many jurisdictions, harvesting emails without consent violates data protection and anti-spam laws (e.g., CAN-SPAM Act, GDPR).
Five FAQs about Address Harvesting:
Yes, in many jurisdictions, address harvesting is considered illegal, especially when it involves collecting email addresses without consent. In the United States, the CAN-SPAM Act prohibits the unauthorized gathering and use of email addresses for unsolicited messages. Similarly, the EU’s GDPR and other international privacy laws classify such activity as a violation of data protection principles, particularly if the information is used for spam or phishing campaigns.
Email harvesting bots are programmed to scan websites, public forums, social media profiles, and documents like PDFs or Word files for text patterns that resemble email addresses (e.g., “user@example.com”). These bots can also automate dictionary attacks—guessing common usernames like “info,” “admin,” or “contact” at known domains to build large lists. More advanced bots bypass basic obfuscation by interpreting HTML and JavaScript content.
Once your email address is harvested, you become a target for a wide range of cyber threats including spam, phishing emails, malicious attachments, and malware-laden links. In more severe cases, harvested addresses are used for spear phishing, where attackers craft targeted messages to trick users into divulging sensitive information or initiating fraudulent actions. Your email address may also be associated with identity theft attempts or sold to third parties without your knowledge.
Yes, harvested email addresses are often compiled into massive lists and sold on underground forums, the dark web, or through unscrupulous marketing firms. These lists are used to fuel future spam campaigns, phishing schemes, or credential stuffing attacks. In many cases, a single harvested address can be sold and resold multiple times, significantly increasing the attack surface for the victim.
To protect your business from email harvesting, avoid publishing full email addresses in plain text on websites. Use obfuscation techniques (e.g., replacing “@” with “ [at] ”) or JavaScript-based contact forms to make scraping more difficult. Additionally, employ bot detection tools, web application firewalls (WAFs), and rate-limiting mechanisms to identify and block automated crawlers that attempt to scrape contact information.
B
Business Email Compromise (BEC)
Business Email Compromise (BEC) is a cyberattack strategy in which a threat actor uses email impersonation or account takeover to deceive employees into transferring funds, paying fake invoices, or sharing confidential information. It is one of the most financially damaging cybercrimes due to its precision and psychological manipulation tactics.
What I need to know about Business Email Compromise (BEC):
- Highly targeted: BEC attacks are personalized, often involving research on executives or vendors.
- Does not rely on malware: Many BEC attacks don’t contain malicious links or attachments, making them harder to detect.
- Financially devastating: BEC accounted for over $2.9 billion in losses in 2024 alone according to the FBI.
- Multiple variants: Includes CEO fraud, payroll diversion, vendor invoice scams, and attorney impersonation.
- AI is fueling more realistic BEC attempts, with deepfake audio and generative text increasing success rates.
Five FAQs about Business Email Compromise (BEC)
A BEC attack often begins when a threat actor either gains access to a legitimate business email account or spoofs the identity of a trusted sender, such as a CEO or vendor. The attacker then sends highly convincing emails—often without attachments or obvious red flags—designed to trick the recipient into initiating wire transfers, sharing sensitive data, or changing payment details.
Phishing campaigns are typically broad, automated, and impersonal—aimed at tricking as many people as possible. In contrast, BEC attacks are highly targeted and rely on deep research and social engineering to impersonate key personnel or trusted partners, making them far more convincing and dangerous.
Absolutely. SMBs are often prime targets because they may lack robust security infrastructure and formal approval processes. Attackers know that employees at smaller organizations may wear multiple hats, including handling payments, making it easier to exploit trust and urgency.
While SPF, DKIM, and DMARC are essential for defending against domain spoofing, they can’t stop attackers from using lookalike domains, display name impersonation, or sending emails from compromised accounts. BEC attacks frequently bypass these checks, so additional layers of AI-driven detection, behavior monitoring, and user training are crucial.
Watch for subtle red flags like sudden changes in payment instructions, urgent requests from executives, or vendors asking to reroute funds. Even well-written emails can be suspicious if they involve unusual timing, high-stakes financial transactions, or pressure to act quickly without standard verification.
C
Credential Phishing
Credential phishing is a targeted attack in which threat actors deceive individuals into entering their sensitive credentials on fake or compromised websites, often impersonating trusted platforms like Microsoft 365 or Google Workspace. In the era of AI-powered attacks, credential phishing has evolved beyond static emails to include dynamically generated messages, real-time proxy phishing kits that capture multi-factor authentication (MFA) codes, and spoofed login pages indistinguishable from legitimate ones.
What I need to know about Credential Phishing:
• Credential phishing is the #1 phishing type, accounting for over 60% of phishing attacks globally.
• Targets login credentials to email, SaaS platforms, banking portals, and corporate systems.
• Often uses legitimate-looking login pages to trick users into entering sensitive info.
• Bypasses security tools by avoiding attachments and using reputation-clean domains.
• Can lead to account takeovers, business email compromise (BEC), data theft, and financial fraud.
Five FAQs about Credential Phishing
Attackers often clone legitimate login pages down to the logo, form fields, and brand colors to create nearly identical replicas. These pages are then hosted on typo-squatted or recently registered domains that appear trustworthy at a glance—such as replacing “.com” with “.co” or using subdomains like “login.company-security.com.”
Once stolen, credentials are either used immediately by attackers to access corporate systems, email accounts, or financial platforms, or sold on dark web marketplaces. This can lead to serious consequences such as account takeover, data theft, internal reconnaissance, or unauthorized financial transactions.
Yes. Sophisticated phishing kits now include reverse proxies that relay login sessions in real time, capturing usernames, passwords, and one-time MFA codes as users enter them. This allows attackers to bypass MFA by logging in before the session expires—effectively neutralizing the protection.
Credential phishing targets individuals with access to high-value data or permissions, such as executives, IT administrators, HR personnel, and finance staff. These roles often have elevated privileges or access to sensitive systems, making them prime targets for attackers seeking to move laterally or escalate privileges.
Yes, AI-powered security tools can analyze a wide range of indicators—including suspicious link behavior, unnatural language patterns, sender reputation, and timing anomalies. Unlike traditional filters, AI can identify zero-day phishing attacks that lack known signatures or obvious malicious payloads.
D
Directory Harvest Attack (DHA)
Directory Harvest Attack (DHA) is a technique used by attackers to discover valid email addresses within an organization by sending messages to large volumes of possible address combinations. These attempts exploit predictable email formats and misconfigured mail servers that don’t properly reject invalid recipients. Once valid addresses are identified, they’re often used in targeted phishing, spam, or social engineering campaigns.
What I need to know about Directory Harvest Attack:
• Used to identify valid email addresses for future spam, phishing, or BEC attacks.
• Targets organizations with predictable email naming conventions, such as first.last@company.com.
• Often goes undetected because initial probes don’t contain malicious content.
• Successful guesses enable follow-up targeted campaigns or credential phishing attempts.
• Can overload mail servers, leading to service degradation or denial-of-service conditions.
Five FAQs about Directory Harvest Attack
The goal of a DHA is to discover valid email addresses within an organization by testing large numbers of potential addresses. Once identified, these addresses are used in follow-up campaigns like phishing, spam, or malware delivery.
Attackers send mass emails to combinations of likely usernames (e.g., j.smith@company.com) at a specific domain. By tracking which messages bounce and which are accepted, they can identify which addresses are valid.
No, DHAs can be subtle and easily missed. The emails often contain no content or appear harmless, and without monitoring SMTP logs or traffic anomalies, they may go undetected.
A DHA does not directly breach systems but enables future attacks. Once valid addresses are confirmed, attackers can launch credential phishing, impersonation, or malware campaigns targeting those users.
Organizations can implement defenses like recipient verification at the SMTP gateway, rate limiting, and bounce suppression to prevent enumeration. In addition, anomaly detection and alerting systems can help identify and respond to suspicious spikes in invalid email traffic.
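The anomaly detection the answer above mentions can be as simple as counting recipient rejections per client inside a sliding window. The following is an added example, not code from this page: it parses constructed gateway log lines in a simplified format (not real Postfix output) and flags clients whose rejection volume and ratio exceed assumed thresholds.

```python
"""Flag directory-harvest behaviour in SMTP gateway logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified format; IPs are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T09:00:01 client=203.0.113.7 rcpt=<j.smith@example.com> status=250
2024-05-01T09:00:02 client=203.0.113.7 rcpt=<a.jones@example.com> status=550
2024-05-01T09:00:02 client=203.0.113.7 rcpt=<b.jones@example.com> status=550
2024-05-01T09:00:03 client=203.0.113.7 rcpt=<c.jones@example.com> status=550
2024-05-01T09:00:03 client=203.0.113.7 rcpt=<d.jones@example.com> status=550
2024-05-01T09:00:04 client=203.0.113.7 rcpt=<e.jones@example.com> status=550
2024-05-01T09:00:04 client=203.0.113.7 rcpt=<f.jones@example.com> status=550
2024-05-01T09:00:05 client=203.0.113.7 rcpt=<g.jones@example.com> status=550
2024-05-01T09:00:05 client=203.0.113.7 rcpt=<h.jones@example.com> status=550
2024-05-01T09:00:06 client=203.0.113.7 rcpt=<i.jones@example.com> status=550
2024-05-01T09:00:06 client=203.0.113.7 rcpt=<k.jones@example.com> status=550
2024-05-01T09:01:00 client=198.51.100.9 rcpt=<sales@example.com> status=250
2024-05-01T09:02:00 client=198.51.100.9 rcpt=<salse@example.com> status=550
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) rcpt=<(?P<rcpt>[^>]+)> status=(?P<code>\d{3})$"
)


def parse_log(text):
    """Yield (timestamp, client_ip, recipient, status_code) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not match the expected shape are skipped
            yield (datetime.fromisoformat(m["ts"]), m["ip"], m["rcpt"], int(m["code"]))


def find_harvesters(text, window=timedelta(minutes=5), min_rejects=8, min_ratio=0.8):
    """Return {client_ip: (rejects, attempts)} for clients whose 550 rejections
    inside any `window` look like enumeration. Thresholds are assumptions."""
    events = defaultdict(list)
    for ts, ip, _rcpt, code in parse_log(text):
        events[ip].append((ts, code == 550))
    flagged = {}
    for ip, rows in events.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # advance `start` so that rows[start:end+1] all fall inside `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            attempts = end - start + 1
            rejects = sum(1 for _, rejected in rows[start:end + 1] if rejected)
            if rejects >= min_rejects and rejects / attempts >= min_ratio:
                flagged[ip] = (rejects, attempts)  # keep the latest qualifying window
    return flagged
```

A single typo-driven bounce (the second client) stays below both thresholds, while the sequential guesses from the first client are flagged.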
E
Email Spoofing
Email spoofing is a deceptive tactic where attackers forge the “From” address in an email to make it appear as though it comes from a trusted source. This is made possible by weaknesses in the underlying email protocol (SMTP), which lacks built-in sender verification. Spoofed emails are commonly used in phishing, Business Email Compromise (BEC), and spam campaigns, often bypassing traditional filters and fooling recipients into taking harmful actions.
What I need to know about Email Spoofing:
• Spoofed emails can appear to come from trusted sources, like executives, vendors, or well-known brands.
• No authentication is required to set a “From” address, making it easy to fake sender identities unless protection mechanisms are in place.
• Spoofing is not the same as account compromise—attackers don’t need access to the spoofed mailbox.
• Often used in BEC, phishing, and malware campaigns to build credibility and urgency.
• Can be mitigated by implementing SPF, DKIM, and DMARC—email authentication protocols that validate sender identity.
Five FAQs about Email Spoofing
Email spoofing exploits the lack of built-in sender authentication in the Simple Mail Transfer Protocol (SMTP), which allows attackers to forge the “From” address in an email header. This makes the email appear as if it was sent from a trusted source, even though it wasn’t.
SPF, DKIM, and DMARC are effective at detecting and blocking spoofed messages, but only if they are properly configured and enforcement policies (like DMARC’s “reject”) are in place. However, even with these protections, spoofing can still occur from domains that aren’t protected or monitored.
No. Spoofing is a technique used to falsify an email’s sender, while phishing is a broader attack that often uses spoofing to trick recipients. Spoofing can also be used for spam, brand impersonation, or CEO fraud even without a phishing link.
It’s difficult for most users to spot spoofed emails because display names and sender addresses can look legitimate at a glance. However, users can be trained to inspect full headers, recognize inconsistencies, and use caution with unexpected messages.
Spoofing is easy to execute and doesn’t require compromising an actual account—attackers simply forge the sender address. It remains prevalent because many domains still lack SPF, DKIM, and DMARC enforcement, making them vulnerable to impersonation.
F
Filter Bypass
Filter bypass is a tactic used by attackers to evade email security filters by disguising malicious content using techniques like obfuscation, trusted links, image-based messages, or AI-generated text, allowing threats to reach users undetected.
Attackers bypass email security filters by altering keywords, embedding payloads in images or attachments, leveraging legitimate services, or using dynamic URLs that redirect after delivery.
What I need to know about Filter Bypass:
• Bypass techniques manipulate message structure, language, or formatting to evade detection.
• Common methods include obfuscation, encoding, whitespace padding, image-based text, or URL cloaking.
• AI-generated phishing content can dynamically shift tactics to avoid static detection models.
• Traditional spam filters and rule-based detection often fail to catch sophisticated or novel variants.
• Filter bypass is a critical enabler of credential phishing, malware delivery, and business email compromise (BEC).
Five FAQs about Filter Bypass
Attackers use a wide range of evasion tactics, such as replacing characters in keywords (e.g., “pa$$word” instead of “password”), embedding text in images, or sending emails from legitimate platforms like Dropbox or Google Docs to avoid scrutiny. These techniques help malicious content appear benign to traditional filtering systems.
Traditional filters often rely on static rule sets, keyword blacklists, or signature-based detection methods that attackers can easily manipulate. Without dynamic analysis or contextual understanding, these filters miss subtle or obfuscated threats crafted to evade them.
Common tactics include hiding malware in compressed files (e.g., password-protected ZIPs), embedding links inside QR codes, or sending users to clean-looking URLs that redirect to malicious sites after the click. These strategies are designed to outsmart both automated scanners and end-user defenses.
Yes—AI-generated phishing emails can mimic natural human writing, avoiding suspicious language patterns that traditional filters look for. They can also dynamically adapt to known detection methods, making them harder to classify as threats.
The most effective defenses use AI-powered email security platforms that analyze behavioral context, scan links in real time, and detect evasion techniques like redirection or unusual sender behavior. Layering these technologies with user education and anomaly detection significantly reduces the risk of successful filter bypass.
G
Greylisting
Greylisting is an anti-spam technique where a mail server temporarily rejects email from an unknown sender, assuming that legitimate servers will retry delivery while spam bots typically won’t. It is a delay-based tactic that leverages behavioral differences between real mail servers and mass-mailing bots to block unwanted messages before they reach user inboxes.
What I need to know about Greylisting:
• Greylisting rejects the first message attempt from unfamiliar senders using specific triplets (IP, sender, recipient).
• Legitimate mail servers usually retry delivery per SMTP standards, while many spam bots do not.
• This method reduces spam volume without deep content analysis.
• Greylisting introduces a small delivery delay for new contacts but improves inbox hygiene.
• It is less effective against sophisticated attackers or AI-assisted phishing tools that mimic legitimate retry behavior.
Five FAQs about Greylisting:
Greylisting works by temporarily rejecting an email from an unfamiliar sender with a “try again later” response. Most spam bots are not configured to retry, so their emails never make it through, effectively filtering out mass-mailed spam attempts.
Yes, legitimate emails from new or unknown senders may experience a brief delay—usually between 5 and 15 minutes—on their first attempt. However, once a sender is recognized and added to the safe list, future messages are delivered without delay.
Yes. More sophisticated spammers and AI-driven bots are now able to mimic the retry behavior of legitimate mail servers, which reduces the overall effectiveness of greylisting as a standalone solution.
Absolutely. While its standalone use has diminished, greylisting is still widely implemented as part of a layered defense strategy, often in combination with SPF, DKIM, IP reputation filtering, and behavioral analysis tools.
Greylisting is more effective at stopping high-volume spam rather than sophisticated phishing attacks. That said, it can reduce the volume of opportunistic phishing, though targeted or AI-generated phishing campaigns are more likely to bypass it.
H
Header Analysis
Email header analysis is the process of examining the metadata embedded in email headers to trace the origin, delivery path, and authentication status of an email message. It allows security operations center (SOC) teams to identify anomalies such as spoofed sender addresses, failed SPF/DKIM/DMARC checks, unexpected mail server IPs, and mismatched reply paths. This analysis is crucial for detecting phishing, Business Email Compromise (BEC), and spoofing attacks that may appear legitimate on the surface.
What I need to know about Header Analysis:
• Email headers contain routing and authentication details, including IP addresses, timestamps, and domain records.
• Headers can reveal spoofed sender addresses, mail server hops, or malicious redirections.
• Tools like SPF, DKIM, and DMARC results are found in headers and help determine email legitimacy.
• Header analysis is critical for forensics, threat hunting, and compliance investigations.
• While helpful, header analysis alone is not enough to stop modern phishing—especially those generated by AI.
Five FAQs about Header Analysis
An email header is a block of metadata that travels with every email and contains key information about the message’s origin, routing, delivery path, and security authentication results. It is distinct from the email body and includes fields like sender IP, subject, timestamps, and technical fields used by mail servers.
Header analysis can reveal the true sending IP address, detect forged or spoofed sender information, and show whether authentication checks like SPF, DKIM, and DMARC passed or failed. It also allows you to trace the complete path an email took across mail servers, helping identify anomalies or delays in delivery.
You start by extracting the full header from the raw email source in your email client or server logs. Then, you can manually examine fields such as “Received,” “Return-Path,” and “Authentication-Results,” or use parsing tools to visualize and interpret complex routing data.
Header analysis is a valuable tool for detecting red flags like spoofed domains or unexpected sending IPs, which are common in phishing. However, it’s not foolproof as sophisticated phishing attacks may come from compromised accounts or legitimate infrastructure that passes all technical checks.
Yes, there are many tools that streamline header analysis, including free services like MXToolbox and Cisco Talos Email Reputation. Advanced security platforms like Mesa Security integrate automated header parsing with risk scoring and threat intelligence to flag suspicious messages in real time.
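The header checks described in this Header Analysis entry and in the Email Spoofing FAQs (authentication results, envelope sender versus visible From, Reply-To mismatches, Received hops) can be scripted. The following is an added example, not code from this page or from any of the tools it names; the raw message is constructed with documentation domains and addresses, and the alignment rules are a simplified reading of DMARC.

```python
"""Parse email headers and report spoofing indicators (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw message: SPF and DKIM pass for the attacker's own sending
# domain, but neither aligns with the visible From, so DMARC fails.
RAW = """\
Return-Path: <bounce@mail-sender.example.net>
Received: from mx2.example.com (mx2.example.com [198.51.100.5])
    by inbox.example.com with ESMTPS; Wed, 01 May 2024 09:00:05 +0000
Received: from unknown (HELO relay.example.net) (203.0.113.7)
    by mx2.example.com with SMTP; Wed, 01 May 2024 09:00:01 +0000
Authentication-Results: mx2.example.com;
    spf=pass smtp.mailfrom=mail-sender.example.net;
    dkim=pass header.d=mail-sender.example.net;
    dmarc=fail header.from=example.com
From: "CEO" <ceo@example.com>
Reply-To: ceo.office@gmail-lookalike.example
To: finance@example.com
Subject: Urgent wire today

body
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
TAG_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)")


def domain_of(addr):
    """Lower-cased domain part of an RFC 5322 address field, or '' if absent."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def analyse(raw):
    """Return authentication results, the visible From domain, the Received
    chain (most recent hop first) and a list of human-readable findings."""
    msg = message_from_string(raw)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = {k: v.lower() for k, v in AUTH_RE.findall(auth)}
    tags = {k: v.lower() for k, v in TAG_RE.findall(auth)}
    from_dom = domain_of(msg.get("From"))
    findings = []
    for check in ("spf", "dkim", "dmarc"):
        if results.get(check, "none") != "pass":
            findings.append(f"{check} result is {results.get(check, 'none')}")
    # A pass for the sender's own domain means little; alignment with From is what counts.
    if tags.get("smtp.mailfrom") and tags["smtp.mailfrom"] != from_dom:
        findings.append(f"envelope sender {tags['smtp.mailfrom']} not aligned with From {from_dom}")
    if tags.get("header.d") and tags["header.d"] != from_dom:
        findings.append(f"DKIM signer {tags['header.d']} not aligned with From {from_dom}")
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From {from_dom}")
    hops = [h.split("\n")[0].strip() for h in msg.get_all("Received", [])]
    return {"results": results, "from_domain": from_dom, "hops": hops, "findings": findings}
```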
I
Insider Threat
An insider threat occurs when a person with legitimate access to internal systems abuses or unintentionally misuses those privileges to harm the organization. Whether through theft, sabotage, negligence, or coercion, the risk comes from authorized users who know the environment and how to evade its traditional protections.
What I need to know about Inline Encryption:
• Inline encryption automates the protection of email content in transit, reducing user error.
• It is commonly used in email security gateways (SEGs) or integrated email platforms.
• TLS (Transport Layer Security) is often employed for the transmission layer, while PGP/S/MIME may be used for content-level encryption.
• Inline encryption is essential for compliance (HIPAA, GDPR, CCPA) and data loss prevention (DLP).
• It does not encrypt content at rest or protect against phishing, and should be part of a broader email security strategy.
Five FAQs about Insider Threat:
An insider threat is any risk that originates from individuals within an organization—such as employees, contractors, or partners—who have legitimate access to systems or data but misuse it intentionally or unintentionally. This can include data theft, sabotage, accidental exposure of sensitive information, or aiding external attackers.
Insider threats typically fall into three categories: malicious insiders (who intentionally cause harm), negligent insiders (who unintentionally create risk through carelessness), and compromised insiders (whose accounts or credentials are hijacked by external attackers). Each type requires a different detection and response strategy.
Detection often relies on User and Entity Behavior Analytics (UEBA), email and file activity monitoring, and access control audits. Indicators include unusual login times, large data transfers, email forwarding of sensitive files, or changes in normal communication patterns.
Insiders already have authorized access, so their actions don’t always trigger traditional perimeter defenses. Their familiarity with internal systems and workflows allows them to blend in, making it harder to distinguish legitimate use from malicious or negligent behavior without behavioral context.
Prevention strategies include enforcing least privilege access, using DLP and UEBA tools, monitoring email and file activity, conducting regular risk assessments, and educating employees on data handling best practices. Quick onboarding and off-boarding processes and real-time alerting also help reduce exposure to insider risk.