Let's get one thing straight: Gmail's spam filter is genuinely impressive. So is Outlook's. Between them, they block billions of malicious emails every day. Google reports that Gmail blocks more than 99.9% of spam, phishing, and malware from reaching your inbox.
So why are people still getting phished?
Because that 0.1% represents millions of emails daily. And more importantly, the attacks that make it through aren't the sloppy ones with broken English and obvious scam links. They're the sophisticated ones — the ones specifically designed to pass the filters your email provider uses.
Here's what Gmail, Outlook, and Yahoo genuinely cannot protect you from, and why.
1. Spear phishing that passes SPF, DKIM, and DMARC
SPF, DKIM, and DMARC are the three pillars of email authentication. They verify that an email genuinely came from the domain it claims to come from. Your email provider checks all three.
But here's the gap: these protocols only verify the sending infrastructure, not the intent.
A spear phishing email sent from a legitimate, properly configured domain will pass all three checks perfectly. And attackers have figured this out. They:
- Register lookalike domains (arnazon.com, paypa1.com) and set up proper SPF, DKIM, and DMARC records for them. The email is technically "authenticated" — it genuinely came from that domain. Your provider's authentication check passes because the email is from the domain it claims to be from. It's just that the domain is designed to deceive you.
- Use compromised email accounts at legitimate organisations. If an attacker gains access to a real employee's email at a real company, every email they send passes authentication flawlessly. There's nothing to flag — it's genuinely coming from that company's mail servers.
- Exploit legitimate email services. Attackers send phishing through services like SendGrid, Mailchimp, or even Google's own infrastructure. The emails authenticate properly because they're sent through legitimate platforms. Google isn't going to flag emails sent via its own Google Workspace as suspicious.
In 2024, Egress reported that 84.2% of phishing attacks passed DMARC authentication — one of the most common authentication checks used in secure email gateways. The vast majority of phishing that reaches inboxes is technically "authenticated." These aren't edge cases.
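The point above, that a passing SPF/DKIM/DMARC result says nothing about who registered the domain, is easy to show in code. This is an added example, not code from the article: it reads the verdicts out of the Authentication-Results header and then checks the visible From domain against a constructed list of protected brand domains after collapsing the confusable swaps the article cites (rn for m, 1 for l), so a fully authenticated arnazon.com is still flagged. The domain list, confusable table and sample message are all constructed assumptions.

```python
import re
from email import message_from_string

# Constructed list of brand domains worth protecting against look-alikes.
PROTECTED_DOMAINS = {"amazon.com", "paypal.com", "microsoft.com"}

# Character swaps attackers use to build look-alike domains (arnazon, paypa1).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

def normalise(domain: str) -> str:
    """Collapse confusable substitutions so arnazon.com reads as amazon.com."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def auth_results(raw: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    header = message_from_string(raw).get("Authentication-Results", "")
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}

def from_domain(raw: str) -> str:
    """Domain of the visible From address, which is what the recipient sees."""
    m = re.search(r"@([\w.-]+)", message_from_string(raw).get("From", ""))
    return m.group(1).lower() if m else ""

def assess(raw: str) -> dict:
    """Passing SPF/DKIM/DMARC is necessary but not sufficient: also judge the domain."""
    auth = auth_results(raw)
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    domain = from_domain(raw)
    norm = normalise(domain)
    lookalike_of = norm if domain not in PROTECTED_DOMAINS and norm in PROTECTED_DOMAINS else None
    # Authenticated mail from a deceptive domain is still suspicious.
    verdict = "suspicious" if lookalike_of else ("clean" if authenticated else "unauthenticated")
    return {"domain": domain, "authenticated": authenticated,
            "lookalike_of": lookalike_of, "verdict": verdict}

# Constructed sample: every authentication check passes, yet the domain is a look-alike.
SAMPLE = """From: "Amazon Security" <security@arnazon.com>
Subject: Unusual sign-in attempt
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=arnazon.com; dkim=pass header.d=arnazon.com; dmarc=pass header.from=arnazon.com

Please confirm your account details.
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```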
2. Business email compromise (BEC) — the billion-dollar blind spot
Business email compromise is the most financially damaging form of cybercrime in the world. The FBI's IC3 reported $2.9 billion in BEC losses in 2023 — more than ransomware, more than any other category.
And email providers are structurally unable to prevent it.
Here's why: BEC attacks typically involve a real, compromised email account sending emails to people who know and trust the sender. There's nothing technically wrong with the email. It comes from the right domain, the right IP, the right person. The content is just... a lie.
The classic scenario: a CEO's email gets compromised. The attacker monitors emails for a few weeks, learns the company's communication style, identifies who handles finances, and then sends a request to the CFO:
"Hi Sarah, can you process a wire transfer for the Henderson acquisition? £340,000 to the account details attached. Time-sensitive — let's get this done today. I'm in meetings all afternoon so email is best."
This email has:
- No malicious links
- No malicious attachments
- Perfect grammar (often written by native speakers or carefully edited)
- Correct sender address
- Valid SPF/DKIM/DMARC
- Appropriate context and tone
What's your spam filter supposed to flag? There's nothing technically wrong with it. The attack is entirely social — it exploits trust, authority, and urgency. No link scanner or malware detector will catch an email that's literally just a polite request from a real account.
3. Social engineering without payloads
Modern phishing has evolved beyond malicious attachments and dodgy links. The smartest attackers send emails with no payload at all — no links, no attachments, just words.
The callback scam: You receive an email about a subscription renewal you didn't make. "Your Norton antivirus subscription has been renewed for £349.99. If you did not authorise this charge, call our support team at 0800-XXX-XXXX." There's no link to scan. No attachment to sandbox. Just a phone number. When you call, you reach a fake call centre that walks you through "cancelling the charge" — which actually involves giving them remote access to your computer or reading out your bank details.
The reconnaissance email: An attacker sends a simple, innocent-looking email to verify your email address is active and get you to respond. "Hi, are you the right person to speak to about your company's IT contracts?" Your reply confirms your address and gives them information to craft a more targeted follow-up.
The gift card scam: "I need you to buy some gift cards for a client meeting. Can you grab 5x £100 Amazon cards and send me the codes? I'll reimburse you." No links. No attachments. Just a text request from what appears to be your boss.
Email security tools are designed to detect malicious technical indicators. When the attack is purely social — just carefully worded text — there's nothing for the scanner to flag.
4. Zero-day phishing sites
Email providers maintain enormous databases of known malicious URLs. Google Safe Browsing alone contains millions of entries. When a link appears in an email, it's checked against these databases.
The problem: new phishing sites go live constantly, and they don't appear in threat databases until someone reports them and they're verified. That window between "site goes live" and "site gets blocked" is the zero-day gap.
Research from Bolster found that the average phishing site is active for less than 24 hours — but most security vendors take 6-12 hours to add new sites to their block lists. That leaves a window of several hours where the phishing site is live, active, and completely unblocked.
Attackers optimise for this window. Modern phishing kits are designed for rapid deployment:
Register a new domain (takes minutes)
Deploy a phishing page from a kit (takes minutes)
Send thousands of emails (takes minutes)
Harvest credentials for 6-12 hours before the domain gets flagged
Abandon the domain, move to the next one
Some attackers go further, using legitimate hosting platforms like Azure, AWS, or Cloudflare Pages. Security vendors are reluctant to blanket-block these platforms because millions of legitimate sites use them too. Phishing pages hosted on *.azurewebsites.net or *.pages.dev benefit from the platform's reputation.
Cloudflare reported processing approximately 13 billion emails and blocking around 250 million malicious messages between May 2022 and May 2023 — and phishing pages hosted on trusted platforms like *.pages.dev temporarily benefit from the platform's reputation before they're taken down.
5. Legitimate services weaponised as delivery mechanisms
This one's subtle and increasingly common. Attackers use legitimate services to deliver phishing content, making the emails essentially impossible for providers to block at the infrastructure level.
Examples:
- Google Forms phishing: An attacker creates a Google Form that looks like a login page. The email comes from [email protected], a legitimate Google address. SPF, DKIM, DMARC all pass. The link goes to docs.google.com. Gmail literally cannot block this without blocking its own services.
- SharePoint/OneDrive phishing: Same concept, Microsoft edition. An attacker uploads a phishing page to SharePoint and shares it via email. The email is from Microsoft. The link is to Microsoft's domain. Outlook can't block it.
- Calendar invite attacks: An attacker sends a Google Calendar invite with a phishing link in the event description. It's delivered through Google's own calendar infrastructure.
- WeTransfer/Dropbox abuse: "Someone shared a file with you." The email is genuinely from WeTransfer or Dropbox. The file is malicious, but the delivery mechanism is completely legitimate.
Microsoft's Threat Intelligence team has documented campaigns where attackers exploit legitimate notification systems and complex email routing to send phishing emails that appear to come from trusted Microsoft infrastructure. Separately, Check Point documented over 5,000 fake Microsoft notification emails sent from legitimate-looking domains in 2024. These emails are hard to distinguish from real notifications because they abuse the same delivery mechanisms.
So does Gmail block phishing?
Yes — most of it. Gmail, Outlook, and Yahoo are remarkably good at catching bulk phishing, known scam domains, obvious spoofing, and malware attachments. If you're getting fewer scam emails than you did five years ago, that's why.
But the attacks described above are specifically designed to pass provider-level filtering. They exploit the fundamental limitations of what an email provider can detect: they use legitimate infrastructure, they pass authentication checks, they contain no technical indicators of malice, and they target you specifically rather than spraying millions of addresses.
Your email provider gives you a strong first line of defence. But it's a first line — and treating it as the only line is where people get caught.
What actually fills the gap?
The attacks above share a common thread: they're technically clean but contextually suspicious. Catching them requires understanding context:
- Is this request normal for this sender?
- Does this email match the communication patterns you usually see?
- Is the urgency appropriate for the situation?
- Does the content make sense given your relationship with the sender?
This is the gap between infrastructure-level security (what your provider does) and content-level security (what requires a deeper layer of analysis).
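One way to turn those four context questions into a concrete check, as an added example that is not part of the article: the code scores a payload-free message on wording (the financial request, urgency and "email is best" phrasing from the CEO-to-CFO example) and on whether such a request is normal for this sender, and it also adds a Reply-To mismatch check the article does not mention. The sender baseline, rule weights, threshold and sample message are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed per-sender baseline; a real deployment derives this from mailbox history.
SENDER_BASELINE = {"ceo@example.com": {"messages_seen": 212, "payment_requests_seen": 0}}

# Content signals drawn from the article's BEC, callback-scam and gift-card examples.
RULES = [
    ("financial_request", r"\b(wire transfer|gift cards?|bank details|account details)\b", 3),
    ("urgency", r"\b(today|time-sensitive|urgent|asap)\b", 2),
    ("channel_lock", r"\b(in meetings|email is best|can't take calls|do not call)\b", 2),
]

def _addr(value) -> str:
    """Bare address out of a From/Reply-To header value."""
    m = re.search(r"[\w.+-]+@[\w.-]+", value or "")
    return m.group(0).lower() if m else ""

def context_score(raw: str) -> dict:
    """Score a payload-free email on context: sender history and wording, not links."""
    msg = message_from_string(raw)
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    hits = {name: weight for name, pattern, weight in RULES if re.search(pattern, text)}
    sender = _addr(msg.get("From"))
    baseline = SENDER_BASELINE.get(sender)
    if baseline is None:
        hits["first_time_sender"] = 2
    elif "financial_request" in hits and baseline["payment_requests_seen"] == 0:
        hits["unusual_for_sender"] = 2   # this sender has never asked for money before
    reply_to = _addr(msg.get("Reply-To"))
    if reply_to and reply_to != sender:
        hits["reply_to_mismatch"] = 3    # replies would bypass the real account's inbox
    score = sum(hits.values())
    return {"sender": sender, "signals": sorted(hits), "score": score,
            "verdict": "review" if score >= 5 else "ok"}

# Constructed sample modelled on the article's CEO-to-CFO request: no link, no attachment.
SAMPLE = """From: CEO <ceo@example.com>
To: Sarah <sarah@example.com>
Subject: Henderson acquisition
Reply-To: ceo@example.com

Hi Sarah, can you process a wire transfer for the Henderson acquisition?
Time-sensitive - let's get this done today. I'm in meetings all afternoon so email is best.
"""

if __name__ == "__main__":
    print(context_score(SAMPLE))
```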