The Fake Rolex Problem — StrongestLayer Research
StrongestLayer · Research · FutureCon St. Louis 2026

The Fake Rolex Problem

How attackers weaponize trusted infrastructure to build threats only experts can spot.

The counterfeit watch

Real Swiss movement
Real sapphire crystal
Real steel bracelet
Fake crown. Fake seller.

Why we built this company. And what we found instead.

The founding assumption

We built StrongestLayer on one belief: AI would break email security. We expected the weapon to be AI-generated personalization — hyper-targeted lures no signature system could catch. That's why we built a reasoning engine instead of another rule set.

We were wrong about the weapon. We were right about the problem.

The unexpected finding

5,000 alerts bypassed one of the top 3 SEGs. We asked why. Every alert was autonomously investigated with full semantic reasoning — read the way a human analyst would.

The answers were about structural evasion by design.

5,000 · Alerts in the dataset
Live enterprise traffic · M365 + Google Workspace · 6-month window
100% · Bypassed at least one enterprise SEG
Real attacks that reached real inboxes — not a lab simulation.
100% · Autonomously investigated with full reasoning
Every alert analyzed end-to-end — not sampled, not triaged.

22 techniques. 5 categories. 1,400+ combinations.

35.9% · Channel-Shifting
Moves the malicious action off the email entirely. The SEG is structurally irrelevant.
Techniques: Phone Callback (TOAD) · QR Code · Voicemail Pivot · Teams/Zoom Pivot · SMS Pivot

~65% · URL Evasion
Controls what the URL resolves to at scan-time vs. click-time. Defeats reputation engines and sandboxes.
Techniques: Legit Redirect · LOTS · Multi-hop Redirect · CAPTCHA Gate · URL Shortener · Encoded URL

~42% · Content Evasion
Makes the email body appear benign to keyword filters and NLP classifiers.
Techniques: Notification Spoofing · PDF Attachment · HTML Smuggling · Image-Based Payload

~58% · Authentication Evasion
Exploits the gap between what authentication protocols verify and what humans trust.
Techniques: Domain Lookalike · Subdomain Abuse · Compromised Account · SPF/DKIM Bypass

~78% · Social Engineering
Targets the human, not the technology. Uses identical vocabulary to legitimate business email.
Techniques: Authority Impersonation · Financial Lure · Brand Impersonation · Urgency / Scarcity

56.8% of attacks use 4+ techniques simultaneously
4.11 average techniques per detection
+130% YoY increase in combination attacks

Six defense layers. Modern attacks defeat all six.

01 · ~58% · Authentication Gateway
SPF, DKIM, DMARC. Verifies the sender is who they claim to be at the protocol level.
Defeated by: Domain Lookalike, Subdomain Abuse, Compromised Account, SPF/DKIM Bypass

02 · ~52% · Reputation Filtering
URL and domain reputation scoring against known-bad threat intelligence feeds.
Defeated by: Legit Redirect, LOTS, URL Shortener — all route through domains with perfect reputation scores

03 · ~40% · Content / URL Sandbox
Automated URL detonation, attachment analysis, and content scanning.
Defeated by: CAPTCHA Gate, Multi-hop Redirect, HTML Smuggling, Encoded URL

04 · ~42% · Content Policy / NLP
Keyword matching and intent analysis. Flags messages based on language patterns.
Defeated by: Notification Spoofing, Brand Impersonation — attack vocabulary is identical to legitimate business email

05 · ~78% · Human Judgment
The user decides: click, call, reply, or ignore. Last line of defense before compromise.
Defeated by: Authority Impersonation, Financial Lure, Urgency / Scarcity

06 · 35.9% · Channel Escape
Attack exits the email plane entirely. No security tooling monitors the destination channel.
Structurally irrelevant: Phone Callback, QR Code, Voicemail Pivot, Teams/Zoom, SMS

Each additional technique compounds bypass probability non-linearly.

56.8% of attacks use 4+ techniques
4.11 avg techniques per attack
~99% bypass probability at 8+ techniques
6.6% single-technique attacks remain

Chart: Bypass Probability (●) against the number of stacked techniques, with % of All Attacks and the Danger Zone marked. Bypass probability by technique count:
1 technique: 15% · 2: 30% · 3: 55% · 4: 68% · 5: 80% · 6: 88% · 7: 95% · 8+: ~99%
Attackers aren't personalizing emails. They're personalizing kill chains. Every technique they stack makes the chain exponentially harder to catch with rules. The compounding is non-linear — each additional technique doesn't add risk, it multiplies it.
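The multiplicative effect described above can be made concrete with a small model. The following is an added illustration, not StrongestLayer's methodology: it takes the technique-to-layer mapping from the six-layer list on this page, assumes each layer catches what it still sees with an independent, constructed catch rate, and computes the probability that nothing catches the attack as techniques are stacked. Channel-shifting techniques are modeled as removing every tooling layer at once, leaving only human judgment; that, and every catch rate, is an assumption made for the example.

```python
"""Illustrative model of why stacked techniques compound bypass probability.
Added example; it is not StrongestLayer's methodology, and the catch rates
below are constructed, not measured."""
from math import prod

# Which email-plane defense layer each technique defeats, per the six-layer list above.
TECHNIQUE_DEFEATS = {
    "Domain Lookalike": "auth", "Subdomain Abuse": "auth",
    "Compromised Account": "auth", "SPF/DKIM Bypass": "auth",
    "Legit Redirect": "reputation", "LOTS": "reputation", "URL Shortener": "reputation",
    "CAPTCHA Gate": "sandbox", "Multi-hop Redirect": "sandbox",
    "HTML Smuggling": "sandbox", "Encoded URL": "sandbox",
    "Notification Spoofing": "content", "Brand Impersonation": "content",
    "Authority Impersonation": "human", "Financial Lure": "human",
    "Urgency / Scarcity": "human",
}
# Channel-shifting techniques move the action off the email plane, so every
# tooling layer has nothing to scan; only human judgment remains (modeling assumption).
CHANNEL_SHIFT = {"Phone Callback (TOAD)", "QR Code", "Voicemail Pivot",
                 "Teams/Zoom Pivot", "SMS Pivot"}
TOOLING_LAYERS = {"auth", "reputation", "sandbox", "content"}

# Assumed, independent probability that a layer catches an attack it still sees (constructed).
CATCH_RATE = {"auth": 0.6, "reputation": 0.5, "sandbox": 0.5, "content": 0.4, "human": 0.3}


def defeated_layers(techniques):
    """Set of layers that no longer get a chance to catch this technique combination."""
    defeated = {TECHNIQUE_DEFEATS[t] for t in techniques if t in TECHNIQUE_DEFEATS}
    if any(t in CHANNEL_SHIFT for t in techniques):
        defeated |= TOOLING_LAYERS
    return defeated


def bypass_probability(techniques):
    """P(no surviving layer catches the attack) = product of (1 - catch) over surviving layers."""
    defeated = defeated_layers(techniques)
    return prod(1 - c for layer, c in CATCH_RATE.items() if layer not in defeated)


def compounding_curve(chain):
    """Bypass probability after 0, 1, 2, ... techniques of the chain are stacked, in order."""
    return [round(bypass_probability(chain[:i]), 4) for i in range(len(chain) + 1)]


if __name__ == "__main__":
    chain = ["Domain Lookalike", "Legit Redirect", "CAPTCHA Gate",
             "Notification Spoofing", "Authority Impersonation"]
    for n, p in enumerate(compounding_curve(chain)):
        print(f"{n} technique(s): bypass probability {p:.1%}")
```

Each technique added to the chain multiplies the bypass probability by 1/(1 - catch) for the layer it removes, so the curve rises by a growing factor rather than a fixed increment; that is the non-linearity the paragraph above refers to, reproduced in a toy setting rather than from the dataset.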

Attacks are engineered combinations — not single techniques.

DocuSign + TOAD Hybrid (M365)
Techniques: Brand Impersonation · Authority Impersonation · Legitimate Redirect · Phone Callback (TOAD)

Each node defeats a different detection layer. The attack crosses from email to phone. Your SEG has nothing left to scan.

4 techniques · crosses email→phone · Defeats Layers 1, 2, 3, 4+5

QR + CAPTCHA + Redirect (GWS)
Techniques: QR Code · CAPTCHA Gate · Multi-hop Redirect · Notification Spoofing

URL never appears in email body — automated scanners see nothing to detonate. CAPTCHA blocks sandboxes. Multi-hop defeats recursion.

4 techniques · defeats scanners + sandboxes · Defeats Layers 3, 4, 3+4, 2

PDF + HTML Smuggling (Both: M365 + GWS)
Techniques: PDF Attachment · HTML Smuggling · Encoded URL · Domain Lookalike

Malicious payload is assembled inside the browser — never exists as a file on the wire. Your security tools never see it.

4 techniques · payload assembled client-side · Defeats Layers URL scan, 4, 3, 1+5

Same attack. Three completely different verdicts.

Attack under analysis: DocuSign impersonation · Legitimate Redirect → CAPTCHA Gate → Credential Harvest · Authority Impersonation + Financial Lure · Targets M365 tenant

REGEX: CLEAN — Delivered. Zero alerts.
Auth: SPF, DKIM, DMARC pass. Domain 7 days old.
URL: Lands on docusign.com. No malicious indicator.
Content: No keywords flagged. Standard notification template.

ML: SUSPICIOUS — Flagged.
Sender: No prior history. First contact from new domain.
Redirect: docusign.com → 3 hops → CAPTCHA → unknown destination.
Peers: No similar DocuSign requests to peers in 30 days.

REASONING: MALICIOUS — Blocked. Investigated.
Intent: "Signature required or access revoked" — urgency + authority pattern.
Impersonation: Claims CFO. No relationship exists. Pixel-perfect brand replica.
Combination: Auth Imp. + Financial Lure + Redirect Chain = high-confidence phishing.
The parts are real. Only reasoning catches the counterfeit intent.
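The three verdicts above can be reproduced in miniature. The following is an added example, not StrongestLayer's engine: it represents one constructed message carrying the signals listed in the comparison (protocol auth passes, the URL lands on docusign.com, no keywords, three redirect hops to a CAPTCHA gate, a seven-day-old domain, a claimed CFO with no existing relationship) plus a benign control, and runs it through a rule set, a feature-count anomaly score, and a combination judgement. The field names, keyword lists, regexes, thresholds and the blocklist are all constructed for the example.

```python
"""Added example, not StrongestLayer's engine: three verdict strategies run over
one constructed DocuSign-style lure and one benign control message."""
import re
from dataclasses import dataclass


@dataclass
class Message:
    spf_pass: bool
    dkim_pass: bool
    dmarc_pass: bool
    sender_domain_age_days: int
    prior_contacts: int          # earlier messages exchanged with this sender
    peer_similar_30d: int        # similar requests seen by the recipient's peers in 30 days
    landing_host: str            # host the scanner sees at scan time
    redirect_hops: int           # hops observed past the landing host at click time
    captcha_gated: bool          # a CAPTCHA stops the sandbox before the final page
    claimed_role: str            # role the sender claims, e.g. "CFO" ("" if none)
    known_relationship: bool     # does the organisation actually deal with this sender?
    body: str


# Constructed detection vocabulary; none of these lists come from the page.
KEYWORDS = re.compile(r"password|verify your account|wire transfer|bitcoin", re.I)
BLOCKLISTED_HOSTS = {"evil.example"}          # stand-in for a reputation feed
URGENCY = re.compile(r"revoked|today|immediately|within \d+ hours", re.I)
FINANCIAL = re.compile(r"payment|invoice|agreement|contract|wire", re.I)
EXECUTIVE_ROLES = {"CEO", "CFO", "COO"}


def regex_verdict(m: Message) -> str:
    """Rules only: protocol auth, known-bad reputation, keyword list."""
    if not (m.spf_pass and m.dkim_pass and m.dmarc_pass):
        return "SUSPICIOUS"
    if m.landing_host in BLOCKLISTED_HOSTS:
        return "MALICIOUS"
    if KEYWORDS.search(m.body):
        return "SUSPICIOUS"
    return "CLEAN"


def ml_verdict(m: Message) -> str:
    """Anomaly features: each is weak on its own, so the ceiling is SUSPICIOUS."""
    score = sum([
        m.sender_domain_age_days < 30,
        m.prior_contacts == 0,
        m.peer_similar_30d == 0,
        m.redirect_hops >= 3,
        m.captcha_gated,
    ])
    return "SUSPICIOUS" if score >= 3 else "CLEAN"


def reasoning_verdict(m: Message):
    """Name the techniques in play and judge the combination, not any single signal."""
    techniques = []
    if m.claimed_role in EXECUTIVE_ROLES and not m.known_relationship:
        techniques.append("Authority Impersonation")
    if FINANCIAL.search(m.body):
        techniques.append("Financial Lure")
    if URGENCY.search(m.body):
        techniques.append("Urgency / Scarcity")
    if m.redirect_hops >= 2 or m.captcha_gated:
        techniques.append("Redirect Chain")
    if len(techniques) >= 3:
        return "MALICIOUS", techniques
    if len(techniques) == 2:
        return "SUSPICIOUS", techniques
    return "CLEAN", techniques


# Constructed samples: the lure described above and a benign control.
PHISH = Message(True, True, True, 7, 0, 0, "docusign.com", 3, True, "CFO", False,
                "Signature required or access revoked: the Q1 vendor payment "
                "agreement must be signed today.")
BENIGN = Message(True, True, True, 3650, 12, 4, "docusign.com", 0, False, "", True,
                 "Please review and sign the attached NDA at your convenience.")

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("benign", BENIGN)):
        print(name, regex_verdict(msg), ml_verdict(msg), reasoning_verdict(msg))
```

The rule set returns CLEAN on the lure because every individual check it knows how to make passes; the anomaly score reaches SUSPICIOUS but has no feature strong enough to block on; only the combination judgement reaches MALICIOUS, and it still returns CLEAN for the benign control, which is the property that makes it usable in a SOC rather than another source of low-confidence alerts.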

Your SEG is not failing. It's succeeding at the wrong problem.

35.9% · Structurally Invisible
Attacks that bypass detection because the threat surface has moved off the email entirely.
No signature, no URL, no attachment to scan. The email itself is clean. The attack happens elsewhere.

~44% · The False Positive Trap
Attacks flagged as suspicious but not blocked — generating low-confidence alerts that teams learn to ignore.
Alert fatigue is a designed outcome. Attackers know "suspicious" is functionally the same as "clean" in most SOCs.

~20% · Actually Blocked
The attacks your SEG was designed for — known-bad URLs, malicious attachments, blacklisted domains.
This is what your vendor's detection rate metric measures. It does not reflect the rest that gets through.

A fake Rolex built from real parts looks identical to the genuine article.
Only deep analysis reveals the counterfeit intent.

Real infrastructure. Authentic components. Counterfeit intent.

01 · Get the research
Full dataset, methodology, and technique taxonomy.
strongestlayer.com/research →

02 · Get our cheat sheet
The top evasion techniques and what to ask your vendor.

03 · See the reasoning engine
Live demo — bring a suspicious email and we'll show you what semantic reasoning sees.

Alan LeFort
CEO, StrongestLayer
Dataset: ~5,000 detections · Dec 2025 – Feb 2026 · Enterprise M365 + Google Workspace tenants · © 2026 StrongestLayer