Check Point is thrilled to introduce a continuously trained AI engine that analyzes key information about websites and achieves remarkable results in detecting phishing attempts. Integrated with our ThreatCloud AI, it offers comprehensive protection across Quantum gateways, Harmony Email, Harmony Endpoint, and Harmony Mobile.

The Threat

Phishing remains one of the most widespread and rapidly evolving cyber threats, with millions of new malicious domains appearing each year, and a steady rise in attacks against well-known brands. Attackers design phishing sites that closely replicate legitimate services—borrowing logos, layouts, and even login flows—to trick individuals into handing over their credentials.

Many phishing sites evade detection by deliberately avoiding the most obvious mistakes that make them easy to catch. For example, they often remove brand references from the HTML code that would reveal which company is being impersonated, and they take care to use valid SSL/TLS certificates rather than self-signed or mismatched ones. Attackers also minimize the use of obfuscated JavaScript, which security systems flag as suspicious, and they vary their templates to prevent detection through repeated patterns across multiple sites.

However, by analysing a comprehensive set of features from these sites, it becomes possible to distinguish between malicious and benign websites.

For example, consider the following site, which is a phishing site that is impersonating Netflix.

Screenshot of https://00kareemahmed[.]github[.]io/best_films/, impersonating Netflix.

This site cannot be flagged using traditional methods, such as identifying the spoofed brand in the URL, page title or text elements, because the brand name does not explicitly appear on the site, except for the “N” logo within the background image. Additionally, most of the web features of the site derive from the hosting domain, which is legitimate and well-recognized. However, by analyzing key indicators – such as broken links, a missing favicon, a free web-hosting domain and a sign-up form – a clear pattern emerges, confirming that the site is indeed a phishing attempt.

Verdict: malicious.

Attackers constantly adapt their methods, creating attacks that will yield countless variations in the indicators described above. As a result, relying on a fixed set of rules over these indicators is not enough to detect new attacks. To overcome this challenge, we trained a model designed to learn the patterns of both regular and phishing traffic. This allows the model to label a site as a new phishing attempt, even when each individual indicator looks harmless, and the specific indicator combination in the site has never appeared before.
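The following script is an added example, not Check Point's code, illustrating the two points above: a traditional brand-in-text rule misses a page that has scrubbed the brand name, while a small model trained on the combination of indicators (broken links, missing favicon, free hosting domain, credential form) still flags it, even though each indicator on its own also occurs on benign pages. The three sample pages, the free-hosting suffix list, the labelled training vectors and the helper names are all constructed for this example; only the github.io host comes from the post.

```python
"""Added example (not Check Point's code): page-level phishing indicators,
a fixed brand-name rule, and a logistic regression over indicator combinations.
Sample pages, hosting list and training rows are constructed for illustration."""
import math
from html.parser import HTMLParser
from urllib.parse import urlparse

FREE_HOSTING = ("github.io", "netlify.app", "weebly.com")  # hypothetical list
FEATURE_ORDER = ["broken_link_ratio", "missing_favicon", "free_hosting", "credential_form"]


class _Collector(HTMLParser):
    """Collect hrefs, favicon <link>, password inputs and visible text from a page."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []
        self.favicon = self.password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.hrefs.append((a.get("href") or "").strip())
        elif tag == "link" and "icon" in (a.get("rel") or "").lower():
            self.favicon = True
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password = True

    def handle_data(self, data):
        self.text.append(data)


def extract(url, html):
    """Indicator vector plus the raw host/text the fixed rule needs."""
    c = _Collector()
    c.feed(html)
    host = urlparse(url).hostname or ""
    dead = sum(1 for h in c.hrefs if h in ("", "#") or h.startswith("javascript:"))
    return {
        "broken_link_ratio": dead / len(c.hrefs) if c.hrefs else 0.0,
        "missing_favicon": 0.0 if c.favicon else 1.0,
        "free_hosting": 1.0 if host.endswith(FREE_HOSTING) else 0.0,
        "credential_form": 1.0 if c.password else 0.0,
        "_host": host, "_text": " ".join(c.text).lower(),
    }


def brand_rule(feat, brand, brand_domain):
    """Traditional check: brand visible in host or text while host is not the brand's."""
    visible = brand in feat["_host"] or brand in feat["_text"]
    return "malicious" if visible and not feat["_host"].endswith(brand_domain) else "benign"


# Constructed labelled rows [broken_link_ratio, missing_favicon, free_hosting, credential_form].
# Every indicator also occurs in benign rows: real login pages carry credential forms,
# hobby sites sit on free hosting without a favicon.  Only the combination separates them.
TRAIN = [
    ([0.8, 1, 1, 1], 1), ([0.6, 1, 1, 1], 1), ([0.9, 0, 1, 1], 1),
    ([0.7, 1, 0, 1], 1), ([0.5, 1, 1, 1], 1),
    ([0.0, 0, 0, 1], 0), ([0.1, 0, 0, 1], 0), ([0.1, 1, 1, 0], 0),
    ([0.0, 0, 1, 0], 0), ([0.2, 1, 0, 0], 0), ([0.0, 0, 0, 0], 0),
]


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train(rows, lr=0.5, epochs=3000):
    """Logistic regression by batch gradient descent; returns (weights, bias)."""
    n = len(rows[0][0])
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n, 0.0
        for x, y in rows:
            err = _sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * g / len(rows) for wi, g in zip(w, gw)]
        b -= lr * gb / len(rows)
    return w, b


def score(model, feat):
    """Probability that the page is phishing under the trained model."""
    w, b = model
    return _sigmoid(sum(wi * feat[k] for wi, k in zip(w, FEATURE_ORDER)) + b)


# Constructed pages.  PHISH mimics the post's example: no brand string, dead nav links,
# no favicon, free hosting, password form.  NAIVE leaves the brand name in the title.
PHISH_URL = "https://00kareemahmed.github.io/best_films/"
PHISH_HTML = """<html><head><title>Sign In</title></head><body>
<nav><a href="#">Home</a><a href="#">Movies</a><a href="#">Series</a><a href="javascript:void(0)">Help</a></nav>
<form action="submit.php" method="post"><input type="email" name="email">
<input type="password" name="password"><button>Sign In</button></form>
<a href="terms.html">Terms</a></body></html>"""
NAIVE_URL = "https://netflix-signin.weebly.com/"
NAIVE_HTML = """<html><head><title>Netflix - Sign In</title></head><body>
<a href="#">Help</a><form><input type="password" name="pw"></form></body></html>"""
BLOG_URL = "https://someone.github.io/notes/"
BLOG_HTML = """<html><head><title>My notes</title><link rel="icon" href="favicon.ico"></head>
<body><a href="posts/2024.html">2024</a><a href="about.html">About</a>
<a href="https://github.com/someone">GitHub</a></body></html>"""


def verdicts(url, html, model, brand="netflix", brand_domain="netflix.com"):
    f = extract(url, html)
    return {"rule": brand_rule(f, brand, brand_domain), "model_score": round(score(model, f), 3)}


if __name__ == "__main__":
    m = train(TRAIN)
    for name, u, h in [("phish", PHISH_URL, PHISH_HTML), ("naive", NAIVE_URL, NAIVE_HTML), ("blog", BLOG_URL, BLOG_HTML)]:
        print(name, verdicts(u, h, m))
```

The rule catches the naive page only because the brand name survives in its title; the scrubbed page, which is the case the post describes, passes the rule and is caught only because the model weights the combination of otherwise ordinary indicators. In production the indicator set is far larger (the post lists DNS, certificate, Whois and link-analysis features) and the training data is live traffic rather than a handful of vectors, but the principle is the same.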

Introducing Risk Model NG

Risk Model NG is trained on a vast dataset of both benign and phishing sites, leveraging Check Point’s unparalleled expertise and extensive data on malicious websites as a global leader in blocking cyber threats.

The model utilizes hundreds of features, based on DNS data, SSL Certificates, Whois data, link analysis and much more. These features have been meticulously curated by cyber analysts and derived through advanced, sometimes complex, calculations, to provide a comprehensive understanding of site behaviour and characteristics.

At its core, the model is powered by a highly efficient and robust algorithm well-suited for this type of analysis. This enables lightning-fast calculations, allowing Risk Model NG to block phishing sites in real time with exceptional accuracy. What sets our approach apart is the in-depth data science research that went into the development of the model, the scale of data we can draw on as a global security company, giving the model a far richer view of phishing patterns than smaller or more narrow solutions, and the fact that we continuously retrain the model on the latest traffic, ensuring it stays current and effective against emerging threats—something many industry-standard methods struggle to achieve.

The Training Pipeline

One of the key factors behind the power of this model is our automated training pipeline. It processes massive amounts of data, and outputs several model variations alongside feature distributions, enabling researchers to analyse how various features impact the model and fine-tune it for optimal performance.

The most exciting aspect of this pipeline is its ability to continuously train the model on fresh data. This not only keeps us ahead of emerging phishing techniques; it also allows us to fine-tune our detection capabilities to align with seasonal trends. From Black Friday phishing scams in November to vacation and booking-related scams during the summer, and many others, the pipeline ensures our engine remains sharp, adaptive, and up to date.

Results

The latest version of the model has achieved an impressive detection rate, successfully identifying phishing sites with remarkable accuracy. Additionally, the model has made many unique detections. The following examples of brand spoofing were recently flagged by the model at a time when these sites had zero detections on VirusTotal.

Screenshot of a malicious site impersonating Discover, an American financial service.

Summary

ThreatCloud AI’s exposure to vast amounts of data, combined with our expertise in cyber security, enables us to develop real-time AI engines that prevent never-before-seen attacks.

As phishing attacks grow increasingly sophisticated, Check Point continues to develop real-time AI engines that prevent zero-day attack campaigns by leveraging our data and our security research team. This synergy enables us to achieve exceptional detection capabilities and safeguard the entire web from evolving threats. The engine, as part of ThreatCloud AI, is seamlessly connected to all IT environments via Check Point’s Quantum, Harmony and CloudGuard product lines – covering network, endpoints, email, mobile and cloud – ensuring comprehensive protection across organizational infrastructure.

Check Point customers using Quantum and Harmony products with activated Threat Emulation are protected against the campaigns detailed in this report.

To learn about Check Point threat prevention, schedule a demo or a free security checkup to assess your security posture.