Phishing & Social Engineering

What Is Bulk Phishing?

Bulk phishing is a mass-scale social engineering attack in which cybercriminals send deceptive emails to hundreds, thousands, or millions of recipients with the goal of compromising as many victims as possible.

Always Automate, Nothing To Manage

Always automated.

Nothing to manage.

Leave Training & Simulated Phishing to us.

Bulk phishing is a mass-scale social engineering attack in which cybercriminals send deceptive emails to hundreds, thousands, or millions of recipients with the goal of compromising as many victims as possible. Unlike targeted spear phishing that researches individual victims, bulk phishing relies on a "wide net" approach, counting on statistical probability that a small percentage of recipients will fall victim. Bulk phishing messages are typically generalized, lacking personalization or company-specific details, and are often distributed using automation tools and phishing kits sold on dark web marketplaces. The success of bulk phishing depends on volume—even with low click-through rates, a campaign targeting one million recipients with a 1% success rate compromises 10,000 users.

How does bulk phishing work?

Bulk phishing attacks follow a standardized operational framework from kit acquisition through campaign execution.

Stage 1: Phishing Kit Acquisition

Attackers obtain phishing kits from dark web forums or private Telegram channels. These are pre-built software packages containing:

  • Email templates mimicking legitimate brands (banks, e-commerce, services)

  • HTML phishing page builders

  • Credential harvesting infrastructure

  • Email distribution scripts

  • Domain spoofing tools

  • CAPTCHA bypass and geolocation filtering modules

Phishing kits range in price from USD 50 (basic templates) to USD 900 (advanced, AI-powered kits with MFA bypass capabilities). Phishing-as-a-Service (PhaaS) platforms operate on subscription models offering recurring access and updates, typically ranging from USD 100-500 per month. Advanced offerings include InboxPrime AI, EvilProxy, Typhoon, and Tycoon 2FA (Flare, 2026).

Stage 2: Email List Acquisition

Attackers obtain email addresses through multiple sources:

  • Purchased data breaches from dark web marketplaces

  • Scraped email lists from public sources (LinkedIn, business directories)

  • Leaked corporate email databases

  • Generic bulk email lists generated through pattern matching (e.g., firstname.lastname@company.com)

Attackers purchase these email lists from cybercriminal markets at costs ranging from USD 0.001 to USD 0.01 per address, making large-scale campaigns economically viable even with low success rates.

Stage 3: Campaign Automation

Using phishing kits, attackers:

  1. Generate thousands of emails with minimal customization

  2. Rotate sender addresses and domains to evade detection

  3. Embed phishing links or attachments (PDFs, SVGs, HTML smuggling)

  4. Specify geolocation filters (e.g., "target North America only")

  5. Set delivery schedules and tracking

  6. Monitor open rates, click-through rates, and credential submissions

Mass Distribution Characteristics

Bulk phishing campaigns employ several characteristic techniques:

Generic Messaging: Emails lack personal details, company names, or job titles. Messages often contain typos, poor grammar, and amateur design—indicators users should recognize.

Broad Targeting: Sent to purchased email lists with minimal segmentation.

High Volume: Hundreds of thousands to millions of emails per campaign.

Low Success Rates Compensated by Scale: Even with a 1% click-through rate, a campaign targeting 1 million recipients compromises 10,000 users.

Hybrid Phishing: The Evolution of Bulk Attacks

A new trend combines bulk and spear phishing techniques, documented by Kaspersky researchers (2024). This "hybrid phishing" approach represents significant tactical evolution:

AI-Powered Personalization: Threat actors use AI tools to add targeted elements (recipient name, company name, HR department references) to bulk email campaigns. Despite personalized message text, the underlying phishing pages lack company-specific branding—revealing the bulk nature of the operation.

Ghost Spoofing: Attackers add corporate email addresses to sender names while maintaining unauthorized sender domains.

Scale and Automation: This approach enables attackers to achieve personalization at scale without individual research per target. From March to May 2024, Kaspersky observed a surge in hybrid campaigns impersonating HR departments with company-specific recipient names but generic phishing forms.

This evolution demonstrates attackers' adaptation to increased user awareness—hybrid phishing tricks both humans (who see personalized email) and email filters (which now see legitimate-looking content).

How does bulk phishing differ from other phishing techniques?

Aspect               | Bulk Phishing                          | Spear Phishing                       | Targeted Attacks             | Whaling
---------------------|----------------------------------------|--------------------------------------|------------------------------|-------------------------------
Target Selection     | Indiscriminate, mass lists             | Researched individuals               | Specific user/role           | C-suite/executives
Personalization      | Minimal/generic                        | High (names, details)                | Very high (custom research)  | Very high (executive-specific)
Email Volume         | 100,000s–1,000,000s                    | 10s–100s                             | Dozens                       | 1–10
Message Design       | Generic templates                      | Tailored to individual               | Custom crafted               | Executive-level lures
Success Rate         | 0.1–1%                                 | 1–10%                                | 5–15%                        | 10–20%
Cost per Victim      | $0.001–0.01                            | $0.10–1.00                           | $1–10                        | $10–100
Primary Objective    | Credential theft, malware              | Data theft, APT access               | Espionage, ransomware        | Financial fraud, access
Attacker Profile     | Low-skill cybercriminals, PhaaS users  | Intermediate skill, organized groups | Advanced threat actors       | Nation-state, organized crime
Detection Difficulty | Low–Medium (signature-based)           | High (targeted content)              | Very High (custom tactics)   | Very High (inside knowledge)

Why does bulk phishing matter?

Bulk phishing remains the most widespread phishing attack type, affecting organizations across all sectors: in 2023 it was the most widespread type of phishing scam, affecting around 86% of companies worldwide (Keepnet Labs, 2023). An estimated 3.4 billion spam emails are sent daily; Google alone blocks approximately 100 million phishing emails per day.

Volume metrics indicate persistent high-scale threat activity. The Anti-Phishing Working Group recorded 1,003,924 phishing attacks in Q1 2025—the largest quarterly volume since late 2023 (APWG, 2025). While global phishing volume dropped 20% in 2024, targeted attacks increased during the same period, indicating attackers shifted toward higher-value targets while maintaining baseline bulk phishing operations.

Commodity attacks (mass-produced, brand-impersonating campaigns) represent a significant portion of phishing threats. Peak activity showed commodity attacks comprised 13.6% of all phishing emails in December 2023 (Egress Defend, 2023). During a commodity phishing campaign, organizations experience a 2,700% increase in phishing attacks compared to their normal baseline (Egress, 2025)—this surge overwhelms traditional email filters designed for baseline attack rates.

User susceptibility metrics indicate ongoing vulnerability despite awareness efforts. Globally, 10.4% of employees clicked on malicious links in phishing emails, and over 60% of those who clicked subsequently submitted passwords on phishing pages. Mobile-focused campaigns show higher success rates as mobile users rely more heavily on trust indicators and scrutinize sender addresses less carefully.

The phishing kit economy demonstrates accessibility of attack tools. Flare analyzed 8,627 distinct underground posts tied to phishing kits; 3,130 posts (36.3%) reflected high-confidence real threat activity, with another 20.5% showing suspected-real operational intent. This commoditization enables even low-skill attackers to launch large-scale campaigns, increasing overall phishing volume.

What are the limitations of bulk phishing?

Despite prevalence, bulk phishing faces several constraints creating defensive opportunities.

Signature Evasion Costs

Bulk campaigns require constant obfuscation (URL shorteners, domain rotation, encoding) to evade email filters. Each wave of security updates forces attackers to adapt infrastructure and encoding schemes. This creates an ongoing maintenance burden, increasing cost per campaign.

Email Deliverability Issues

Many bulk emails are caught by spam filters before reaching users. Authentic-looking senders and domains require investment in infrastructure and reputation building. ISPs and email providers implement rate limits and block large volumes of emails from new/suspicious sources, reducing campaign reach.

Shared Infrastructure Detection

Phishing kits often reuse hosting infrastructure, domain registrars, and email distribution networks. Security researchers use infrastructure-level detection to identify and block campaigns, disrupting ongoing operations.

Low Skill Entry Barrier Creates Poor Quality

The availability of cheap phishing kits enables low-skill attackers, flooding the market with poor-quality campaigns easily detected through typos, grammatical errors, and design inconsistencies. This increases baseline detection rates across the industry.

Diminishing Returns from Ubiquity

As bulk phishing becomes ubiquitous, users become more aware of phishing indicators. Click-through rates may decline as awareness increases and email filters improve.

Attribution and Law Enforcement Risk

Bulk campaigns leave forensic trails (email headers, phishing page logs, payment records). Law enforcement can correlate multiple campaigns to identify and arrest threat actors, increasing operational risk for attackers.

How can organizations defend against bulk phishing?

Organizations can implement email gateway, endpoint, and user-level controls to defend against bulk phishing.

Email Gateway and Network Controls

Deploy advanced email gateways with machine learning-based spam/phishing detection. Configure aggressive filtering for bulk sender IPs and suspicious domains. Implement DMARC (Domain-based Message Authentication, Reporting & Conformance) with "reject" policy, SPF (Sender Policy Framework), and DKIM (DomainKeys Identified Mail) to prevent sender spoofing.

Deploy email gateways that scan embedded URLs for known phishing pages and detonate suspicious links in sandboxes before delivery. Block or sandbox suspicious attachment types (HTML, SVG, PDF with links); analyze in isolated environments. Use threat intelligence integration with feeds of known phishing domains, phishing infrastructure, and malicious IP addresses to block campaigns at scale.
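A gateway-side check for the "ghost spoofing" described in the hybrid phishing section, and the reason training tells users to verify the sender address rather than the display name. This is an added example, not code from the original page: it compares the real sending domain of a From: header with any address-like token embedded in the display name. The sample headers are constructed.

```python
"""Flag "ghost spoofing" in a From: header (added example, not from the
original page).  Ghost spoofing puts a trusted address in the display name
while the real address sits on a domain the attacker controls, e.g.
From: "hr@example.com" <noreply@bulk-sender.example>.  A mail client that
shows only the display name, and a user who reads only that, sees
hr@example.com.  All headers below are constructed samples."""
import re
from email.utils import parseaddr

# addr-spec-like token anywhere in a string; group 1 is its domain
ADDR_RE = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[\w-]+)")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_from_header(from_value: str) -> dict:
    """Compare the real sending domain with every domain embedded in the
    display name.  A mismatch is ghost spoofing; a header with no parseable
    sender domain is reported as suspicious as well."""
    display, address = parseaddr(from_value)
    actual = domain_of(address)
    if not actual:
        return {"address": address or None, "actual_domain": "",
                "display_domains": [], "ghost_spoofing": True,
                "reason": "no parseable sender domain"}
    embedded = sorted({m.group(1).lower() for m in ADDR_RE.finditer(display)})
    mismatched = [d for d in embedded if d != actual]
    return {
        "address": address,
        "actual_domain": actual,
        "display_domains": embedded,
        "ghost_spoofing": bool(mismatched),
        "reason": ("display name claims %s, message is from %s"
                   % (", ".join(mismatched), actual)) if mismatched else "",
    }


def scan_headers(headers: list) -> list:
    """Run the check over a batch of From: values; return the flagged ones."""
    results = [(h, check_from_header(h)) for h in headers]
    return [(h, r) for h, r in results if r["ghost_spoofing"]]


SAMPLE_FROM_HEADERS = [  # constructed samples
    '"hr@example.com" <noreply@bulk-sender.example>',     # ghost spoofing
    'HR Team <hr@example.com>',                            # legitimate
    '"it-support@example.com" <it-support@example.com>',  # same domain
    'Payroll <>',                                          # no sender domain
]
```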

Endpoint and User-Level Controls

Deploy browser isolation technology that renders potentially malicious web pages in isolated containers, preventing credential theft or malware download. Encourage use of password managers with phishing-detection features that warn when credentials are entered on suspicious domains.

Mandate multi-factor authentication (MFA) for all accounts, especially email and critical systems. This severely limits damage from credential compromise via phishing. Implement single sign-on (SSO) with strong authentication (FIDO2, push notifications) to centralize and monitor login attempts; detect suspicious login patterns.

User and Organizational Defenses

Conduct regular, role-based phishing training; mature programs reduce click-through rates by 50% or more. Training should include:

  • Recognizing generic messaging and lack of personalization

  • Verifying sender addresses (not just display names)

  • Identifying typos, poor grammar, and design inconsistencies

  • Reporting suspicious emails to the security team

Conduct internal phishing simulations to measure user awareness and identify high-risk users for additional training. Implement easy "Report Phishing" buttons in email clients; automate analysis and blocking of reported emails. Establish rapid containment procedures if bulk phishing credential compromise is detected; force password resets and flag affected accounts for monitoring.

Network and Monitoring

Monitor for unusual login patterns (new geographies, devices, times) indicating credential compromise; flag and require re-authentication. Alert on unusual outbound email volumes from user accounts that might indicate account compromise. Monitor for DNS queries to known phishing domains or suspicious infrastructure; block at DNS level.
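A minimal form of the "unusual login pattern" monitoring recommended above, as an added example that is not part of the original page: a per-user baseline of countries and devices is learned from successful logins before a cutoff date, and later successful logins outside that baseline are flagged for re-authentication. The event records, field layout and cutoff are constructed samples; a real deployment would read them from the identity provider's sign-in log.

```python
"""Flag successful logins from a country or device a user has never used
(added example, not from the original page).  Events, field layout and the
baseline cutoff are constructed; a real deployment reads the identity
provider's sign-in log.  Timestamps are ISO-8601 UTC strings of identical
shape, so plain string comparison orders them correctly."""
from collections import defaultdict

# constructed sample events: (timestamp, user, country, device_id, outcome)
EVENTS = [
    ("2026-01-05T09:01:00Z", "alice", "US", "laptop-a1", "success"),
    ("2026-01-06T09:03:00Z", "alice", "US", "laptop-a1", "success"),
    ("2026-01-07T18:30:00Z", "alice", "US", "phone-a2", "success"),
    ("2026-01-05T08:55:00Z", "bob", "DE", "laptop-b1", "success"),
    # after alice's credentials were submitted to a phishing page:
    ("2026-01-20T03:12:00Z", "alice", "NG", "unknown-x9", "success"),
    ("2026-01-20T03:15:00Z", "bob", "DE", "laptop-b1", "success"),
    ("2026-01-21T11:40:00Z", "bob", "BR", "laptop-b1", "failure"),
]
BASELINE_CUTOFF = "2026-01-15T00:00:00Z"


def learn_baseline(events, cutoff):
    """Per-user sets of countries and devices seen in successful logins
    before the cutoff.  Failed attempts never enter the baseline."""
    base = defaultdict(lambda: {"countries": set(), "devices": set()})
    for ts, user, country, device, outcome in events:
        if ts < cutoff and outcome == "success":
            base[user]["countries"].add(country)
            base[user]["devices"].add(device)
    return base


def flag_anomalies(events, cutoff):
    """Successful post-cutoff logins that deviate from the user's baseline.
    Failures are skipped here: they cannot be a compromised session, and
    belong in a separate brute-force or password-spray rule."""
    base = learn_baseline(events, cutoff)
    alerts = []
    for ts, user, country, device, outcome in events:
        if ts < cutoff or outcome != "success":
            continue
        known = base[user]  # a user with no baseline gets empty sets
        reasons = []
        if country not in known["countries"]:
            reasons.append("new country")
        if device not in known["devices"]:
            reasons.append("new device")
        if reasons:
            alerts.append({"user": user, "ts": ts, "country": country,
                           "device": device, "reasons": reasons,
                           "action": "require re-authentication"})
    return alerts
```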

Share phishing indicators (URLs, domains, sender IPs) with industry peers and ISPs to enable rapid, coordinated blocking.

FAQs

How is bulk phishing different from spam, and why do I keep receiving it?

Bulk phishing is a subset of spam—but with a malicious objective. Spam is unsolicited commercial email; phishing is deceptive email designed to steal credentials or install malware. You receive bulk phishing because:

  1. Your email address was leaked in a data breach

  2. Your email was scraped from public sources (LinkedIn, company websites)

  3. Your email matches a common naming pattern (firstname.lastname@company.com)

  4. You are on a purchased email list from dark web marketplaces

Attackers do not target you specifically—they send to millions hoping a small percentage fall victim. This is a numbers game: 1 million emails with 1% click rate equals 10,000 victims (Flare, 2026; Kaspersky Securelist, 2024).

What is the difference between traditional bulk phishing and the new hybrid approach?

Traditional Bulk Phishing:

- Completely generic email ("Dear Customer...")

- No personalization

- Easy to recognize as phishing

Hybrid Phishing (New Trend, 2024):

- Uses AI to add your name, company name, job title

- References specific HR department or business context

- Email appears highly targeted and personalized

- But underlying phishing page is generic (lacks company branding)

- Attackers can automate this at scale using PhaaS platforms

This hybrid approach tricks both humans (who see personalized email) and email filters (which now see legitimate-looking content). It represents phishing's evolution toward increased sophistication and difficulty of detection (Kaspersky Securelist, 2024).

How much does a phishing kit cost, and where do attackers get them?

Phishing kits are sold on:

  1. Dark web forums (e.g., AlphaBay-style marketplaces)

  2. Private Telegram channels (more exclusive, higher-quality kits)

Pricing:

- Basic kits: USD 50-100 (simple email templates, credential harvesting)

- Intermediate kits: USD 200-400 (includes domain rotation, tracking, obfuscation)

- Advanced kits (PhaaS): USD 100-500/month (AI-powered personalization, MFA bypass, guaranteed deliverability)

Advanced Examples (2025):

- InboxPrime AI: AI-powered email generation, near-perfect deliverability

- EvilProxy: Reverse-proxy for credential and MFA token theft

- Tycoon 2FA: Specialized in bypassing 2FA systems

This commoditization of phishing tools enables even low-skill attackers to launch large-scale campaigns, increasing overall phishing volume (Flare, 2026; Kaspersky Securelist, 2024; Dark Reading, 2025).

What is the "2,700% increase" in phishing attacks during commodity campaigns?

During a major commodity phishing campaign (typically brand-impersonating and broadly targeted), organizations see a 2,700% spike in phishing emails compared to their normal baseline. This happens because:

  1. Attackers send the same campaign to millions of recipients across all industries

  2. Many emails reach your organization by statistical chance

  3. The volume overwhelms traditional email filters

  4. Detection systems get flooded and may miss legitimate emails while processing the flood

Example: An organization normally receives 100 phishing emails/day. During a commodity campaign targeting "all banking customers," they might receive 2,800 phishing emails in a single day. This is why commodity campaigns are so dangerous—the sheer volume bypasses defenses designed for lower baseline rates (Egress, 2024-2025).

How do I protect myself and my organization from bulk phishing?

Individual Level:

  1. Never click links in unexpected emails—navigate to sites manually or use bookmarks

  2. Verify sender address in full (not just display name)

  3. Look for generic greetings ("Dear Customer") vs. your real name

  4. Hover over links to see actual URL (not shortened or spoofed)

  5. Report suspicious emails to your security team

  6. Enable MFA on all critical accounts

Organizational Level:

  1. Deploy advanced email filtering with machine learning

  2. Implement DMARC/SPF/DKIM to prevent spoofing

  3. Regular security awareness training (reduces click rate by 50%+)

  4. Mandate MFA for all accounts

  5. Conduct internal phishing simulations to identify high-risk users

  6. Monitor for anomalous login patterns indicating credential compromise

  7. Share threat intelligence with peers and ISPs

The most effective defense combines technology (email filters, MFA) with people (user awareness and training) (CISA, 2023; Egress, 2024; Kaspersky Securelist, 2024; IBM, 2024).

© 2026 Kinds Security Inc. All rights reserved.