How to Reduce Content Evasion Phishing Emails Reaching User Inboxes

Why This Matters

You're here because a user clicked what looked like a legitimate link that redirected through a URL shortener, a QR code, or a brand-impersonation landing page. Or maybe they received an email whose body was an image of text rather than text, a visual trick that content scanners cannot read. Content evasion techniques deliberately hide malicious intent from automated filters while leaving it plainly visible to the human reader.

The business impact is credential compromise and data theft. Attackers use link-wrapping services (bit.ly, tinyurl.com, legitimate marketing platforms), inject invisible text that confuses AI scanners, generate QR codes that redirect to phishing sites, or embed entire phishing pages as images. When filters scan for "password reset" keywords or malicious URLs, these techniques hide the attack in plain sight.

Google Workspace's native controls struggle with content evasion. Basic spam filtering does not analyze redirected URLs before delivery. Enhanced Safe Browsing helps but has gaps: QR codes are not automatically scanned, image-based phishing needs OCR that is not consistently applied, and legitimate link-wrapping services abused for attacks are rarely blocked. This guide shows what works, what doesn't, and where you will need compensating controls.

Quick Assessment

Answer these questions to assess your current risk:

  1. Has Enhanced Safe Browsing been enabled?

    • Where to check: Admin Console → Apps → Google Workspace → Gmail → Safety (scroll to "Enhanced malware and phishing protection")
    • What to look for: "Turn on Enhanced Safe Browsing for Gmail" should show "On" status
    • Why it matters: This feature performs deeper link analysis, following redirects and scanning final destinations before delivery. Without it, a shortened or wrapped link is judged only on its visible first hop, which is exactly what content evasion relies on
  2. Are you using advanced link protections (if available)?

    • Where to check: Admin Console → Apps → Google Workspace → Gmail → Safety (scroll to "Links and external images")
    • What to look for: "Identify links behind short URLs" should be checked
    • Why it matters: This expands shortened links before delivery and displays warnings for suspicious destinations
  3. Are users reporting phishing attempts with suspicious links or QR codes?

    • Where to check: Admin Console → Security → Dashboard → Email (scroll to "User-reported spam")
    • What to look for: Review the last 7 days. Look for reports mentioning "link," "QR code," "scan," or "parking ticket" in user descriptions (if visible)
    • Why it matters: User reports indicate content evasion techniques are bypassing filters and reaching inboxes
  4. What percentage of quarantined messages are flagged for phishing?

    • Where to check: Admin Console → Reports → Email log search → Filter by "Message disposition: Spam/Quarantine" and "Reason: Phishing"
    • What to look for: Run a search for the last 7 days. Note the volume
    • Why it matters: Low quarantine volume despite user reports suggests filters aren't catching evasion techniques
  5. Are external images blocked by default?

    • Where to check: Admin Console → Apps → Google Workspace → Gmail → Safety (scroll to "Links and external images")
    • What to look for: "External images" should be set to "Ask before displaying external images"
    • Why it matters: Images that don't load automatically can't fire tracking pixels on open, and image-based phishing (malicious text rendered inside an image) stays hidden until the user chooses to display it

Available Controls

Google Workspace provides these native controls for content evasion protection:

Control | Business Starter | Business Standard/Plus | Enterprise Standard/Plus | Notes
Basic spam filtering | ✓ | ✓ | ✓ | Does not analyze redirect chains or image content
Enhanced Safe Browsing | – | ✓ | ✓ | Follows redirects, scans final destinations; limited to known threats
Identify links behind short URLs | – | ✓ | ✓ | Expands shortened links, shows warnings for suspicious destinations
Security Sandbox | – | – | ✓ (Plus only) | Virtual environment analysis for attachments, not email body images
Custom spam rules | Partial | ✓ | ✓ | Can block specific URL shorteners or image-heavy emails
Attachment scanning | ✓ | ✓ | ✓ | Scans attachments for malicious content, but not inline images

Key Limitations:

  • QR code scanning is not natively supported. Emails with QR codes linking to phishing sites will bypass link analysis.
  • Image-based phishing (text embedded in images) is not reliably detected. OCR is not consistently applied to inline images as of Feb 2026.
  • AI-generated text variations (subtle character substitutions, invisible Unicode, prompt injection attempts) can evade keyword-based filters.
  • Link-wrapping services used by legitimate vendors (bit.ly, SendGrid redirects, marketing platforms) are difficult to block without disrupting business-critical email.
  • Brand impersonation landing pages (fake Microsoft/Google login pages) are only caught if they're in Google's known threat database. Newly created sites may pass through.

If you're on Business Starter, you're limited to basic spam filtering with no redirect analysis. Upgrading to Business Standard/Plus unlocks Enhanced Safe Browsing and link expansion. Enterprise Plus adds Security Sandbox (for attachments only, not inline images).

Implementation Guide

Phase 1: Quick Wins (< 1 hour)

These changes are safe, reversible, and provide immediate improvements against common evasion techniques.

1. Enable Enhanced Safe Browsing

  • Path: Admin Console → Apps → Google Workspace → Gmail → Safety (scroll to "Enhanced malware and phishing protection")
  • Setting: "Turn on Enhanced Safe Browsing for Gmail"
  • Recommended value: Enabled for all users or a pilot group first
  • Impact: Gmail will follow redirect chains, scan final destination URLs, and apply additional heuristics for suspicious patterns before delivery
  • Rollback: Disable for specific organizational units (OUs) if delivery delays occur
  • Testing: Send a test email with a bit.ly link pointing to a known phishing simulation site. It should be flagged or quarantined
  • Constraints: Cannot be used if client-side encryption (CSE) is enabled

2. Enable link expansion for short URLs

  • Path: Admin Console → Apps → Google Workspace → Gmail → Safety (scroll to "Links and external images")
  • Setting: "Identify links behind short URLs"
  • Recommended value: Enabled (checkbox on)
  • Impact: Gmail will expand shortened URLs and display the final destination domain to users. If the destination is suspicious, a warning banner appears.
  • Rollback: Uncheck to disable
  • Testing: Send a test email with a bit.ly or tinyurl.com link. Hover over it in the Gmail UI to see the expanded destination
  • What might break: Nothing; this is user-facing only and doesn't block email delivery

3. Enable external image warnings

  • Path: Admin Console → Apps → Google Workspace → Gmail → Safety (scroll to "Links and external images")
  • Setting: "External images" → Select "Ask before displaying external images"
  • Recommended value: "Ask before displaying external images" (images won't load automatically). If your admin console does not expose this option, the same control exists as a per-user Gmail setting (Settings → General → Images), which you can recommend to users but not enforce centrally
  • Impact: Users must click "Display images" to see external content. This prevents tracking pixels and reduces risk from image-based phishing.
  • Rollback: Change to "Allow external images to load automatically" if users complain
  • Testing: Send a test email with an externally hosted image. Recipient should see "Images are hidden" message
  • What might break: Email signatures with hosted logos won't display automatically; newsletters will look broken until users approve

Phase 2: Configuration Hardening (1-4 hours)

These changes require testing and may disrupt legitimate workflows. Pilot with a small group first.

4. Create custom spam rules to block known URL shorteners (if available)

  • Path: Admin Console → Apps → Google Workspace → Gmail → Compliance (or "Advanced settings" in older interfaces)
  • Setting: "Content compliance" → Add rule
  • Rule configuration:
    • Name: "Block high-risk URL shorteners"
    • Condition: "If ANY of the following match the message"
      • "Advanced content match" → Location: Body; Match type: Contains text (or "Matches regex", which lets you anchor on the URL scheme and host so that unrelated strings such as "rabbit.ly" are not matched) → Expressions:
        • bit.ly
        • tinyurl.com
        • goo.gl
        • ow.ly
        • t.co (if your org doesn't use Twitter/X for business comms)
    • Action: "Modify message" → "Add custom subject" (prepend [SHORTENED LINK] to subject line) OR "Quarantine message"
  • Impact: Emails with these URL shorteners will be flagged or blocked. Start with subject line modification to assess false positive rate.
  • Rollback: Edit rule to disable or delete it
  • Testing: Send test emails with each shortener to verify rule triggers
  • What might break: Marketing emails, vendor communications, or social media notifications using shorteners will be affected
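The compliance rule above is a substring match, and the difference between "Contains text" and an anchored regex is easier to see on real input. The following Python is an added example, not part of the original guide or of any Google tooling: it builds the anchored pattern you would paste into a "Matches regex" condition, extracts every URL from a constructed sample message, and reports which ones a plain substring match would have got wrong. The sample message, the shortener list, and the `compliance_regex` helper are constructed for illustration.

```python
import re
from email import message_from_string, policy
from html import unescape
from urllib.parse import urlsplit

# Shortener hosts to flag. These mirror the expressions in the rule above;
# extend the tuple as quarantine reviews turn up new services. (Constructed list.)
SHORTENER_HOSTS = ("bit.ly", "tinyurl.com", "goo.gl", "ow.ly", "t.co")

# Generic URL extractor for mail bodies: stops at whitespace and HTML delimiters.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def compliance_regex(hosts=SHORTENER_HOSTS) -> str:
    """Pattern for a "Matches regex" condition.

    It requires a scheme and a host boundary, so "rabbit.ly" and
    "bit.ly.example.net" do not match while "https://bit.ly/x" and
    "http://www.bit.ly" do.  Only basic syntax is used (no lookarounds),
    so the same pattern behaves identically here and in an RE2-based rule engine.
    """
    alternatives = "|".join(re.escape(h) for h in hosts)
    return r"https?://(?:www\.)?(?:" + alternatives + r")(?:[^A-Za-z0-9.-]|$)"


SHORTENER_RE = re.compile(compliance_regex(), re.IGNORECASE)


def message_text(raw: str) -> str:
    """Decode every text/plain and text/html part of a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    chunks = [unescape(part.get_content())
              for part in msg.walk()
              if part.get_content_type() in ("text/plain", "text/html")]
    return "\n".join(chunks)


def host_of(url: str) -> str:
    """Registrable host of a URL with a leading 'www.' stripped."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def scan_message(raw: str) -> dict:
    """Report every URL in the message and which ones use a listed shortener."""
    text = message_text(raw)
    urls = sorted(set(URL_RE.findall(text)))
    return {
        "urls": urls,
        "shortened": [u for u in urls if host_of(u) in SHORTENER_HOSTS],
        "regex_hit": SHORTENER_RE.search(text) is not None,
    }


# Constructed sample: a credential lure with one real shortener per MIME part
# plus two decoys that a bare "contains bit.ly" match would flag by mistake.
SAMPLE_EML = """\
From: "IT Support" <helpdesk@example.net>
To: user@example.com
Subject: Password expires today
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires in 24 hours. Renew here: https://bit.ly/3xyzAbc
Docs: https://rabbit.ly/legit and https://bit.ly.example.net/x
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires in 24 hours.</p>
<a href="https://tinyurl.com/abc">Renew now</a></body></html>
--b1--
"""

if __name__ == "__main__":
    print("Rule pattern:", compliance_regex())
    for key, value in scan_message(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

What this script cannot see is the same thing the Gmail rule cannot see: a link that exists only inside an image or a QR code. That is why the image-based controls later in this guide are handled separately.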

5. Create custom spam rules to flag image-heavy emails with minimal text (Enterprise only)

  • Path: Admin Console → Apps → Google Workspace → Gmail → Compliance
  • Setting: "Content compliance" → Add rule
  • Rule configuration:
    • Name: "Flag image-only phishing attempts"
    • Condition: This requires manual tuning; Google Workspace does not natively calculate image-to-text ratios
    • Workaround: Use "Advanced content match" on the subject line or sender domain for common image-phishing lures (e.g., "invoice," "payment," "urgent") combined with an external-sender condition
  • Impact: Limited effectiveness. This is a partial mitigation only
  • Rollback: Disable rule
  • What might break: Legitimate supplier invoices sent as PDF images may be flagged
  • Limitations: This control is not reliable for true image-based phishing. Consider third-party email security solutions if this is a major threat.
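Because Google Workspace does not compute an image-to-text ratio, here is what that computation looks like, as an added example that is not part of the original guide or of any Google product: it parses a raw message, counts readable characters against attached image parts and remotely hosted <img> tags, and labels the message. The two sample messages, the thresholds in `classify`, and the fake 8-byte image payload are constructed assumptions; run it over your own quarantine exports (or feed it messages fetched through the Gmail API) before trusting the cutoffs.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser


class _HtmlStats(HTMLParser):
    """Collect the visible text and the <img> sources of an HTML body."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.img_src = []
        self._skip = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.img_src.append(dict(attrs).get("src") or "")
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def image_text_stats(raw: str) -> dict:
    """Count readable characters versus images in a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    chunks, img_src, image_parts, image_bytes = [], [], 0, 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            chunks.append(part.get_content())
        elif ctype == "text/html":
            stats = _HtmlStats()
            stats.feed(part.get_content())
            chunks.append(" ".join(stats.text))
            img_src.extend(stats.img_src)
        elif part.get_content_maintype() == "image":
            image_parts += 1
            image_bytes += len(part.get_payload(decode=True) or b"")
    text = re.sub(r"\s+", " ", " ".join(chunks))
    # Letters and digits only: whitespace padding, zero-width characters and
    # punctuation cannot inflate the score.
    text_chars = sum(ch.isalnum() for ch in text)
    external = [s for s in img_src if s.lower().startswith(("http://", "https://"))]
    return {
        "text_chars": text_chars,
        # cid: references point at attached image parts, so counting the parts
        # plus remotely hosted <img> tags avoids double counting.
        "images": image_parts + len(external),
        "external_images": len(external),
        "image_bytes": image_bytes,
    }


def classify(stats: dict, min_text: int = 40, chars_per_image: int = 150) -> str:
    """Label a message; the thresholds are assumed starting points, tune them on your mail."""
    if stats["images"] == 0:
        return "ok"
    if stats["text_chars"] < min_text:
        return "image-only"
    if stats["text_chars"] < chars_per_image * stats["images"]:
        return "image-heavy"
    return "ok"


# Constructed sample 1: the classic image-only lure. The PNG payload is just the
# 8-byte PNG signature, not a real image.
PHISH_EML = """\
From: "Accounts" <billing@example.net>
To: user@example.com
Subject: Invoice 4471
MIME-Version: 1.0
Content-Type: multipart/related; boundary="r1"

--r1
Content-Type: text/html; charset="utf-8"

<html><body><img src="cid:inv@example.net"></body></html>
--r1
Content-Type: image/png; name="invoice.png"
Content-Transfer-Encoding: base64
Content-ID: <inv@example.net>

iVBORw0KGgo=
--r1--
"""

# Constructed sample 2: a legitimate newsletter with a hosted logo and real text.
NEWS_EML = """\
From: "Internal Comms" <news@example.com>
To: user@example.com
Subject: Quarterly update
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><img src="https://cdn.example.com/logo.png">
<p>Our quarterly update covers the new office opening in Dublin, the updated
travel policy, and the results of the engagement survey. Read the full story
on the intranet, and join the all-hands call on Thursday at ten. Replies to
this message are not monitored; contact the communications team with
questions.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EML), ("newsletter", NEWS_EML)):
        stats = image_text_stats(raw)
        print(name, classify(stats), stats)
```

Note what the score does not do: it cannot read the text inside the image (that needs OCR) and it cannot decode a QR code, so a message labelled "image-only" is a candidate for manual review or a third-party scanner, not a verdict.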

6. Restrict attachment types commonly used for evasion (if applicable)

  • Path: Admin Console → Apps → Google Workspace → Gmail → Safety (scroll to "Attachments")
  • Setting: "Protect against encrypted attachments from untrusted senders"
  • Recommended value: Enabled
  • Impact: Blocks password-protected ZIP files and encrypted attachments from external senders (common for delivering malware payloads that evade scanners)
  • Rollback: Disable if legitimate vendors send encrypted files
  • Testing: Send a test email with a password-protected ZIP from an external account. It should be quarantined
  • What might break: Vendors sending sensitive documents in encrypted ZIPs will need alternate delivery methods (secure file sharing links)

7. Opt in to future recommended safety settings (if available)

  • Path: Admin Console → Apps → Google Workspace → Gmail → Safety (scroll to "Enhanced malware and phishing protection")
  • Setting: "Apply future recommended settings automatically"
  • Recommended value: Enabled (opt-in to new protections as Google rolls them out)
  • Impact: Gmail will automatically enable new machine learning models and detection techniques without requiring manual admin updates
  • Rollback: Disable to manually control when new protections are applied
  • Testing: No immediate change. This is forward-looking
  • Constraints: You lose control over what protections are enabled and when. If a new feature causes false positives, you'll need to react instead of proactively testing.

Phase 3: Ongoing Monitoring

8. Review quarantined messages for QR code and image-based phishing weekly

  • Path: Admin Console → Reports → Email log search
  • What to check: Search for messages quarantined with "phishing" disposition. Manually review a sample for QR codes or image-only content.
  • Action: If you find QR code phishing reaching inboxes, document the pattern and evaluate third-party email security tools with QR scanning capabilities.
  • Frequency: Weekly for first month, then monthly

9. Monitor user-reported phishing attempts

  • Path: Admin Console → Security → Dashboard → Email (scroll to "User-reported spam")
  • What to check: Look for patterns. Are users reporting emails with shortened links? QR codes? Image-only content?
  • Action: If a specific evasion technique is consistently reported, create custom spam rules or user training to address it.
  • Frequency: Weekly

10. Test phishing simulations with content evasion techniques

  • Where: Use a free phishing simulation tool (e.g., Gophish self-hosted) or a vendor service
  • What to test:
    • Send test emails with shortened URLs (bit.ly, tinyurl)
    • Send test emails with QR codes linking to fake login pages
    • Send test emails with text embedded in images (no body text)
  • Action: Measure what percentage reaches inboxes. If >30% bypass filters, escalate the gap to leadership and evaluate additional security investments.
  • Frequency: Quarterly

Tradeoffs & Constraints

False Positive Risk:

  • Blocking URL shorteners will disrupt legitimate marketing emails, social media notifications, and vendor communications. Start with flagging (subject line modification) instead of blocking to assess impact.
  • External image blocking breaks email signatures, newsletters, and branded vendor communications. Users will need to manually approve images for trusted senders.
  • Encrypted attachment blocking will prevent vendors from sending password-protected documents. You'll need to provide alternate secure file-sharing methods (Google Drive, Dropbox links).

User Experience Impact:

  • Link expansion warnings are user-facing only. They don't prevent email delivery. Users may ignore warnings, especially if they're accustomed to clicking shortened links.
  • External image blocking requires user action to display content. Expect complaints from sales, marketing, and exec teams who rely on visual email content.

License Dependencies:

  • Business Starter users: You're limited to basic spam filtering with no link analysis or redirect following. Upgrade to Business Standard/Plus to unlock Enhanced Safe Browsing and link expansion.
  • Enterprise Plus only: Security Sandbox provides virtual environment analysis for attachments but does NOT analyze inline images or email body content.

Maintenance Overhead:

  • Custom spam rules for URL shorteners require ongoing updates. Attackers rotate between dozens of shortening services. Your blocklist will never be exhaustive.
  • Allowlists for legitimate shorteners (used by trusted vendors) require manual curation. Expect to spend 1-2 hours/month reviewing false positives.

Limitations of Native Controls:

  • QR codes are not decoded as of Feb 2026, so the URL a QR code encodes never reaches link analysis; only sender-level signals (reputation, authentication) still apply to such messages. This is a critical gap.
  • Image-based phishing (text in images, no body text) is not reliably detected. OCR is not consistently applied to inline images.
  • AI-generated evasion (prompt injection, subtle character substitutions like replacing 'o' with '0') can bypass keyword filters. Machine learning models improve over time but aren't foolproof.
  • Brand impersonation landing pages are only caught if they're in Google's threat database. Newly created phishing sites (active for <24 hours) often bypass detection until reported and added.
  • Link-wrapping by legitimate services (SendGrid, Mailchimp redirects) makes it difficult to differentiate malicious from benign without breaking vendor communications.

Validation & Monitoring

Immediate Validation (First 24 Hours)

  1. Enhanced Safe Browsing: Send a test email with a shortened URL pointing to a known phishing simulation site. It should be quarantined or flagged with a warning banner.
  2. Link expansion: Send a test email with a bit.ly link. Hover over the link in Gmail; the expanded destination should appear in a tooltip.
  3. External image blocking: Send a test email with an externally hosted image. Recipient should see "Images are hidden" message with a "Display images" button.
  4. Custom spam rules: Send test emails matching your rule conditions (e.g., bit.ly in body). Verify the action triggers (subject line modification or quarantine).

Ongoing Monitoring

  • Weekly (first month): Check email log search for quarantined messages. Review a sample for QR codes, image-only content, or shortened links. Document patterns.
  • Weekly (first month): Review user-reported phishing attempts in Security Dashboard. Look for evasion techniques bypassing filters.
  • Quarterly (ongoing): Run phishing simulations with content evasion techniques (shortened URLs, QR codes, image-only emails). Measure bypass rate.

Success Metrics

After 30 days of full implementation, you should see:

  • Enhanced Safe Browsing effectiveness: >70% of test phishing emails with shortened URLs caught by filters (check via simulation)
  • User-reported phishing rate: Steady or increasing (indicates users are vigilant and filters aren't 100% effective. This is expected)
  • QR code phishing bypass rate: Document baseline. If >50% of QR code tests reach inboxes, this is a known gap requiring compensating controls.
  • False positive rate: <5% of legitimate emails with shortened links incorrectly flagged (check email log search and user complaints)

If your bypass rate for QR code or image-based phishing is >50% after implementing all controls, native Google Workspace protections are insufficient. Document the gap, assess threat likelihood for your organization (are users receiving QR code phishing?), and evaluate whether additional security investments are warranted.
