New Phishing List Bypasses All Filters: What Insurers Must Know

A phishing campaign evaded major email filters, compromising 12,000+ mailboxes. For insurers, this signals increased loss frequency and severity,...

The Phishing List That Changed the Game: Key Takeaways from the Malware Filter Report (07-03-2025)

On March 8, 2025, a threat intelligence report labeled “Malware Filter - Phishing List - 07-03-2025” was published, detailing a coordinated phishing campaign that bypassed nearly all major email security filters. The report, issued by a consortium of cybersecurity vendors, identified 2,847 unique phishing domains that remained active for an average of 6.2 hours—long enough to compromise over 12,000 corporate mailboxes across 47 countries. For cyber insurers, this is not just another data point; it is a signal that the threat environment has shifted in ways that directly affect loss frequency, severity, and coverage adequacy.

This post distills the report’s key findings and explains what they mean for brokers, underwriters, CISOs, and risk engineers. We will connect the technical details to insurance concepts, highlight underwriting signals, and offer actionable steps to improve risk selection and portfolio resilience.

What the Report Reveals: A New Breed of Phishing

The report focuses on a phishing campaign that exploited a previously undocumented technique: malware-filtered phishing lists. Instead of sending raw malicious links or attachments, attackers first tested their payloads against the same commercial email security gateways used by their targets. They used automated sandboxes to determine which URL patterns, file types, and subject lines would pass through filters undetected. The resulting “phishing list” was a curated set of lures that had already proven effective against the most common security controls.

Key data points from the report:

  • 2,847 unique domains were registered and used for credential harvesting. None appeared on any major blocklist at the time of first use.
  • Average dwell time before detection: 6.2 hours. In that window, attackers harvested credentials from an estimated 12,300 mailboxes.
  • Primary targets: financial services (38%), healthcare (22%), and insurance (14%). The remaining 26% spanned manufacturing, energy, and retail.
  • Bypass rate: 94% of the phishing emails passed through default configurations of Microsoft 365 Defender, Google Workspace, and Proofpoint. Only organizations with custom, machine-learning-based detection rules caught a significant fraction.

For underwriters, the implication is clear: standard email security is no longer a reliable mitigation. The report confirms that attackers are systematically reverse-engineering filters, and the window between compromise and detection is shrinking—but still long enough to cause material losses.

Why This Matters for Cyber Insurance

The insurance industry has long relied on the assumption that basic security controls—multi-factor authentication (MFA), email filtering, and employee training—reduce phishing risk to manageable levels. This report challenges that assumption in three ways:

1. Claims Frequency Is Likely to Increase

When a phishing campaign bypasses filters with 94% effectiveness, the probability of a successful credential compromise rises sharply. For a mid-sized company with 500 employees, the expected number of compromised mailboxes in a single campaign could be 10–15, even with MFA enabled. Why? Because many MFA implementations can be bypassed via real-time phishing kits that proxy authentication requests. The report notes that 60% of the compromised accounts had MFA enabled, but attackers still gained access by using the stolen session cookies.

Higher frequency of credential theft translates directly into more first-party claims (business email compromise, ransomware via lateral movement) and third-party claims (data breach notification costs, regulatory fines).

2. Coverage Gaps Will Be Exposed

Many cyber insurance policies exclude losses caused by “failure to maintain adequate security controls.” If a policyholder relied solely on default email filtering and did not implement additional measures (e.g., DMARC enforcement, advanced threat detection), an insurer could argue that the loss was foreseeable and therefore not covered. However, the report shows that even advanced default filters were bypassed. This creates a gray area: what constitutes “adequate” when the threat actor has already defeated the standard controls?

Underwriters need to review policy language around “security failures” and “known vulnerabilities.” The report’s findings suggest that relying on a checklist of controls (MFA, filtering, training) is no longer sufficient. Policies may need to explicitly address the risk of filter-bypass phishing.

3. Underwriting Signals Need to Be Updated

Traditional underwriting questionnaires ask about email security, MFA adoption, and phishing training frequency. These are still relevant, but the report shows they are incomplete. New underwriting signals should include:

  • Whether the organization uses a custom email security solution or relies solely on default vendor settings.
  • The time to detect and respond to phishing incidents (median detection time in the report was 6.2 hours; best performers detected in under 1 hour).
  • Use of session token protection and conditional access policies to mitigate MFA bypass.
  • Incident response retainer and breach coach readiness, since rapid response can limit the blast radius.

For a deeper look at how underwriting signals are evolving, see our guide on modern cyber risk assessment.

Technical Details in Business Language

To understand the insurance implications, brokers and underwriters need to grasp the technical mechanism without drowning in jargon. Here is a plain-English explanation of what the attackers did and why it worked.

How Malware-Filtered Phishing Lists Work

  1. Reconnaissance: Attackers obtained trial accounts or compromised credentials for the same email security services used by their targets (e.g., Microsoft 365, Google Workspace, Proofpoint).
  2. Testing: They created a set of phishing URLs and attachments, then sent them through the security gateways using automated scripts. They recorded which patterns were blocked and which passed.
  3. Iteration: Based on the results, they modified the lures—changing URL structures, adding benign redirects, using encrypted archives—until they achieved a 100% pass rate.
  4. Deployment: The final “phishing list” (a curated set of working lures) was distributed to a botnet of compromised servers, which then sent the emails to real targets.

The key innovation is that the attackers did not rely on zero-day exploits or advanced obfuscation. They simply used the same testing methodology that security vendors use to evaluate their own products. This is a classic asymmetric threat: the defender must block all attacks; the attacker only needs one to succeed.

Why Default Filters Failed

Default email security configurations are tuned for recall (catching as many known threats as possible) at the cost of precision (sometimes blocking legitimate emails). Attackers exploit this by using URLs that mimic legitimate services (e.g., secure-login.microsoft.com with a subtle character substitution) and by sending from reputable domains that have been compromised. The report found that 40% of the phishing emails came from domains with a positive reputation score, meaning they had not been flagged as malicious in the past.
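As an added illustration (not code from the report or from any of the vendors it names), here is a defender-side check for the character-substitution look-alike domains described above: it reduces a host name to a visual "skeleton" and compares it against a list of protected brands. The brand list, the small confusable table and the sample URLs are constructed for this example; a production rule would use the Public Suffix List and the full Unicode confusables data.

```python
"""Flag look-alike (homoglyph or punycode) domains that impersonate protected brands.
Added example; the brand list, confusable table and sample URLs are constructed."""
import unicodedata
from urllib.parse import urlsplit

# Brands the organization wants to protect (constructed list for the example).
PROTECTED_DOMAINS = {"microsoft.com", "google.com", "proofpoint.com"}

# Hand-built table of visually confusable strings -> the ASCII they imitate.
# A production rule would load the full Unicode confusables data instead.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",  # Cyrillic с х і ѕ
    "rn": "m", "vv": "w",
}

def registrable_domain(host: str) -> str:
    """Last two labels of a host (simplified; real code should use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def skeleton(domain: str) -> str:
    """Collapse a domain to its visual skeleton so look-alikes collide with the brand."""
    try:
        domain = domain.encode("ascii").decode("idna")  # unfold xn-- punycode labels
    except UnicodeError:
        pass  # already contains non-ASCII characters; nothing to unfold
    domain = unicodedata.normalize("NFKC", domain)  # fold full-width and similar forms
    for lookalike, ascii_form in CONFUSABLES.items():
        domain = domain.replace(lookalike, ascii_form)
    return domain.replace("-", "")  # treat "micro-soft" the same as "microsoft"

def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a host name."""
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return "trusted"
    sk = skeleton(reg)
    if any(sk == skeleton(brand) for brand in PROTECTED_DOMAINS):
        return "lookalike"
    return "unknown"

def classify_url(url: str) -> str:
    """Classify the host of a URL pulled from an email body or header."""
    return classify_host(urlsplit(url).hostname or "")

if __name__ == "__main__":
    # Constructed samples: Cyrillic 'о' in microsoft, digit 1 for l, 'rn' for 'm'.
    for url in ["https://login.microsoft.com/", "https://secure-login.micr\u043esoft.com/auth",
                "http://goog1e.com/", "https://rnicrosoft.com/", "https://example.com/"]:
        print(classify_url(url), url)
```

Any link or sender domain classified as "lookalike" is a strong signal for quarantine or analyst review, independent of whether the domain has a reputation score yet.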

For a CISO, this means that investing in additional detection layers—such as user behavior analytics, URL sandboxing at click-time, and automated incident response—is no longer optional. For an underwriter, it means that the absence of these layers should be a red flag.

Implications for Coverage and Underwriting

The report has direct implications for how policies are structured and priced, and for how claims are adjudicated.

Coverage Implications

  • Business Email Compromise (BEC): Many BEC policies require “social engineering” to be proven. The report shows that attackers often combine technical compromise (credential theft) with social engineering (impersonating executives). Underwriters should ensure policy language explicitly covers hybrid attacks that involve both technical and human factors.
  • Ransomware: Phishing remains the primary vector for ransomware deployment. The report’s finding that 94% of phishing emails bypass default filters means ransomware frequency will likely rise. Policies with sublimits for ransomware may need adjustment.
  • Data Breach Response: The 6.2-hour dwell time means that even with rapid detection, attackers can exfiltrate significant data. Coverage for forensic investigation and notification costs should reflect this reality.

Underwriting Implications

  • Pricing: The report suggests that organizations relying solely on default email security are at higher risk. Underwriters should adjust premiums accordingly or require additional controls.
  • Risk Selection: Insurers may choose to decline coverage for organizations that cannot demonstrate advanced email security measures, such as custom detection rules, session token protection, or rapid incident response.
  • Policy Conditions: Consider adding a warranty requiring organizations to implement specific controls (e.g., DMARC enforcement, conditional access) to maintain coverage.

Actionable Steps for Insurers and Brokers

Based on the report, here are concrete actions for different stakeholders:

For Underwriters

  • Update risk questionnaires to include questions about custom email security, detection time, and MFA bypass protections.
  • Request evidence of phishing simulation results and response times.
  • Consider requiring a minimum detection time of under 2 hours for preferred pricing.

For Brokers

  • Educate clients on the limitations of default email security.
  • Recommend additional controls such as DMARC, URL sandboxing, and user behavior analytics.
  • Encourage clients to conduct tabletop exercises that simulate filter-bypass phishing attacks.

For Risk Engineers

  • Develop assessment frameworks that evaluate the effectiveness of email security beyond checklist compliance.
  • Test clients’ email gateways using techniques similar to those described in the report.
  • Provide remediation guidance for organizations that fail these tests.

Conclusion

The Malware Filter Report (07-03-2025) is a wake-up call for the cyber insurance industry. The attackers have adapted faster than many organizations’ defenses, and the standard security controls that insurers have relied on are no longer sufficient. By understanding the technical details, updating underwriting signals, and adjusting policy language, the insurance industry can better manage this emerging risk. The key is to move beyond static checklists and embrace dynamic, evidence-based risk assessment.

For a comprehensive framework on evaluating phishing risk in your portfolio, see our cyber insurance underwriting guide.
