
PhishLumos Exposes Hidden Phishing Campaigns Evading Detection

Originally published on: June 16, 2026
Summary

– PhishLumos, a system from Tokyo Metropolitan University, analyzes URL infrastructure like IP addresses and SSL certificates instead of page content to detect phishing campaigns.
– In tests on 103 real-world campaigns (6,020 URLs), PhishLumos achieved 100% median campaign coverage and a median detection lead time of 192.8 hours with a 0.1% false positive rate.
– Over six months, rules generated from 600 seed URLs uncovered 192,407 additional malicious URLs, with 92.0% later flagged by at least one scanning engine.
– The system struggles with throwaway infrastructure that avoids reuse, generating detection rules for just over half of starting URLs due to insufficient shared infrastructure.
– PhishLumos is an analyst-facing offline tool designed to complement existing defenses, producing campaign-level artifacts for hunting, blocking, and takedown workflows.

Phishing remains one of cybersecurity’s most stubborn challenges. Humans are tired, distracted, and naturally trusting, making them vulnerable to urgency and authority in ways that even the best awareness training cannot fully address. The security industry has largely accepted this reality and shifted focus to automated detection systems designed to intercept threats before users ever see them.

Attackers have adapted. Modern phishing campaigns now routinely use cloaking techniques that serve harmless content to scanners while delivering malicious pages to real victims, or they block automated retrieval entirely. The very defenses built to compensate for human fallibility are being systematically blinded.

Researchers from Tokyo Metropolitan University have developed PhishLumos, a system that flips the usual approach. Instead of analyzing page content, it treats redirections, inaccessible pages, deceptive layouts, and blank screens as suspicious signals. From there, it pivots to the underlying infrastructure of the URL: the IP addresses it resolves to, the network connections it shares with other domains, the SSL certificates it uses, and traces left in historical scan records.

This allows PhishLumos to reconstruct entire phishing campaigns. It identifies other URLs involved, maps how the campaign is organized, and builds a graph showing which assets are connected and how they relate. That graph is then analyzed by a coordinated team of specialized LLM-powered agents that profile campaigns and generate validated detection rules.

Real-world tests delivered strong results. “On 103 real-world campaigns (6,020 URLs), PhishLumos achieved a median campaign coverage of 100% and a median detection lead time of 192.8 hours (8.0 days) before expert verification, with a 0.1% false positive rate on 1,000 benign URLs,” the researchers reported. In a six-month field study starting from 600 challenging seed URLs, the system’s rules uncovered 192,407 additional URLs. Of those, 92.0% were later flagged as malicious by at least one engine in a multi-engine scanning service.

The approach has limits. Because PhishLumos works by finding connections between URLs that share infrastructure, it struggles when attackers avoid reuse, for example when they rely on throwaway infrastructure. In the real-world study, the system generated detection rules for just over half of the starting URLs. The remaining cases lacked enough shared infrastructure to work with.
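The following Python script is an added illustration of the infrastructure pivot described above and of the limit just noted; it is not PhishLumos code and does not come from the researchers. It models passive-DNS and certificate-log lookups as two small dictionaries, links domains that share an IP address or a leaf certificate into a graph, walks that graph from a seed URL to reconstruct the campaign, and emits a campaign-level rule made of the shared indicators. A seed whose infrastructure is shared with nothing else yields no rule, matching the throwaway-infrastructure case. Every domain, address, fingerprint, timestamp and the `max_ip_fanout` threshold are constructed for this example, and the function names are the author's own, not the system's.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median
from urllib.parse import urlsplit

# Constructed passive-DNS style records: domain -> IPs it resolved to.
PDNS = {
    "login-secure-bank.example":   ["203.0.113.11"],
    "verify-account-bank.example": ["203.0.113.11", "203.0.113.10"],
    "update-bank-profile.example": ["198.51.100.5"],
    "bank-alert-sms.example":      ["192.0.2.99"],    # same campaign, throwaway host
    "blog-a.example":              ["203.0.113.10"],  # unrelated tenants of a shared host
    "shop-b.example":              ["203.0.113.10"],
    "portal-c.example":            ["203.0.113.10"],
    "one-off-lure.example":        ["192.0.2.77"],
    "news-site.example":           ["198.51.100.200"],
}

# Constructed certificate-log style records: domain -> leaf cert fingerprint.
CERTS = {
    "login-secure-bank.example":   "sha256:aaaa",
    "verify-account-bank.example": "sha256:aaaa",
    "update-bank-profile.example": "sha256:aaaa",   # one cert reused on three hosts
    "bank-alert-sms.example":      "sha256:eeee",
    "blog-a.example":              "sha256:b001",
    "shop-b.example":              "sha256:b002",
    "portal-c.example":            "sha256:b003",
    "one-off-lure.example":        "sha256:cccc",
    "news-site.example":           "sha256:dddd",
}

# Constructed analyst ground truth used for the coverage and lead-time metrics.
VERIFIED_CAMPAIGN = ["login-secure-bank.example", "verify-account-bank.example",
                     "update-bank-profile.example", "bank-alert-sms.example"]
BENIGN = ["blog-a.example", "shop-b.example", "portal-c.example", "news-site.example"]
RULE_TIME = datetime(2026, 1, 1)
VERIFIED_AT = {"verify-account-bank.example": RULE_TIME + timedelta(hours=48),
               "update-bank-profile.example": RULE_TIME + timedelta(hours=120)}


def build_graph(pdns, certs, max_ip_fanout=3):
    """Undirected graph over ("domain", d), ("ip", a) and ("cert", fp) nodes.
    An IP hosting more than max_ip_fanout domains looks like shared hosting
    and is not used as a pivot, or one CDN address would link everything."""
    ip_fanout = defaultdict(int)
    for ips in pdns.values():
        for ip in ips:
            ip_fanout[ip] += 1
    adj = defaultdict(set)

    def link(a, b):
        adj[a].add(b)
        adj[b].add(a)

    for d, ips in pdns.items():
        for ip in ips:
            if ip_fanout[ip] <= max_ip_fanout:
                link(("domain", d), ("ip", ip))
    for d, fp in certs.items():
        link(("domain", d), ("cert", fp))
    return adj


def reconstruct_campaign(seed_url, adj):
    """Breadth-first walk from the seed host over shared infrastructure.
    Returns (sorted campaign domains, indicators shared by >= 2 of them)."""
    seed = ("domain", urlsplit(seed_url).hostname)
    seen, queue = {seed}, deque([seed])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    domains = sorted(n[1] for n in seen if n[0] == "domain")
    # Every neighbour of an infrastructure node is a campaign domain, so its
    # degree is the number of campaign hosts that reuse it.
    indicators = sorted(n for n in seen if n[0] != "domain" and len(adj[n]) >= 2)
    return domains, indicators


def generate_rule(seed_url, pdns, certs, max_ip_fanout=3):
    """Campaign-level rule, or None when the seed shares no infrastructure."""
    adj = build_graph(pdns, certs, max_ip_fanout)
    domains, indicators = reconstruct_campaign(seed_url, adj)
    if len(domains) < 2:
        return None
    return {"seed": seed_url, "domains": domains, "indicators": indicators}


def rule_matches(rule, domain, pdns, certs):
    """True if a domain (seen or unseen) hits any shared indicator of the rule."""
    have = {("ip", ip) for ip in pdns.get(domain, [])}
    if domain in certs:
        have.add(("cert", certs[domain]))
    return bool(have & set(rule["indicators"]))


def campaign_coverage(rule, verified_domains):
    """Fraction of analyst-verified campaign domains the rule recovered."""
    return len(set(rule["domains"]) & set(verified_domains)) / len(verified_domains)


def median_lead_time_hours(rule, rule_time, verified_at):
    """Median hours from rule generation to expert verification, per
    recovered domain other than the seed; None if nothing was verified."""
    seed_host = urlsplit(rule["seed"]).hostname
    leads = [(verified_at[d] - rule_time).total_seconds() / 3600
             for d in rule["domains"] if d != seed_host and d in verified_at]
    return median(leads) if leads else None


if __name__ == "__main__":
    rule = generate_rule("https://login-secure-bank.example/signin", PDNS, CERTS)
    print("rule:", rule)
    print("throwaway seed:", generate_rule("https://one-off-lure.example/x", PDNS, CERTS))
    print("coverage:", campaign_coverage(rule, VERIFIED_CAMPAIGN))
    print("median lead hours:", median_lead_time_hours(rule, RULE_TIME, VERIFIED_AT))
    print("benign hits:", [d for d in BENIGN if rule_matches(rule, d, PDNS, CERTS)])
```

Running the script with the constructed data recovers three of the four verified campaign domains (coverage 0.75); the fourth sits on a throwaway host and is unreachable, which is the gap the article describes. The `max_ip_fanout` guard is the practitioner's caveat: raising it to a large value lets the shared-hosting address 203.0.113.10 act as a pivot, which pulls three unrelated tenants into the campaign and turns them into false positives for the rule.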

The system also depends heavily on external data sources such as web scans, passive DNS records, and certificate logs. Gaps or blind spots in those records can limit how completely it maps a campaign.

PhishLumos is designed to complement existing defenses, not replace them. For cases where it comes up empty, traditional URL scanners and human analysts remain necessary. “PhishLumos is an analyst-facing offline tool for triaging a small number of high-priority seed URLs. It is not designed for line-rate inspection,” the researchers explained. “The campaign-level objective aligns with how phishing operations are organized and how threat intelligence is consumed in practice. Rather than returning a per-URL label, PhishLumos produces reusable mitigation artifacts that directly support workflows such as hunting, blocking, takedown requests, and information sharing.”

(Source: Help Net Security)
