Well, it finally happened. I posted my email address on my website, and within four days, it was picked up by web crawlers (spiders) and added to an email tracking list. This experience reinforced just how quickly email harvesting bots can collect and distribute publicly available addresses, inevitably leading to an influx of spam, phishing attempts, and other malicious emails.
One particularly interesting phishing attempt I encountered took an unconventional approach: it leveraged GitHub to distribute emails. This method was particularly effective because mail sent through GitHub originates from an already established domain whose messages pass DKIM, SPF, and DMARC authentication. By riding on GitHub’s infrastructure, the attackers bypassed the authentication and reputation checks that traditional email security filters rely on, so the phishing email appeared legitimate and was more likely to reach the inbox.
Fortunately, this was the only phishing email that managed to evade detection. The rest were successfully filtered out by a custom questionable URL policy I had configured in the Microsoft 365 Security panel. This policy effectively flagged and blocked emails containing suspicious links, preventing them from reaching my inbox.
Why This Matters: The Evolution of Phishing Techniques
Cybercriminals are constantly evolving their tactics, and this attack demonstrates an important shift:
- Abusing Trusted Domains – Instead of sending phishing emails from random, suspicious-looking domains, attackers are increasingly leveraging legitimate services (like GitHub) to distribute their messages. Since these services already have strong domain reputation and email security measures in place, phishing emails can slip through standard filters.
- Automated Email Harvesting – Posting an email address publicly can quickly lead to it being scraped, sold, and circulated among spammers and cybercriminals. This is a reminder that exposing your email online—even briefly—can make you a target.
- Importance of Custom Security Policies – Standard email filters catch a lot of threats, but they aren’t foolproof. Custom security policies, such as those available in Microsoft 365, can significantly reduce the risk of phishing emails reaching inboxes by filtering out emails with unknown or suspicious links.
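The shift described above means that a passing SPF, DKIM and DMARC result is no longer a reason to trust a message on its own. The following Node.js snippet is an added example, not code from the original post or from Microsoft 365, of the kind of check a custom URL policy performs: it parses a constructed sample message, confirms the sending domain authenticated cleanly, and then flags any links in the body whose host is not one the trusted sender would normally link to. The `TRUSTED_SENDERS` and `EXPECTED_LINK_HOSTS` tables and the sample message are assumptions made for the demo.

```javascript
// Added example (not from the original post): triage for mail that arrives via a
// trusted, fully authenticated sending domain but carries links pointing elsewhere.
// The message below is constructed for this demo; the domains are placeholders.

const SAMPLE_MESSAGE = [
  "From: notifications@github.com",
  "To: victim@example.org",
  "Subject: Notification from a repository",
  "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=github.com; dkim=pass header.d=github.com; dmarc=pass header.from=github.com",
  "",
  "Please confirm your account at https://login-verify.example-bad.test/confirm",
  "View it on GitHub: https://github.com/example/repo/issues/1",
].join("\r\n");

// Senders whose mail we expect to authenticate cleanly (assumption for the demo).
// The point of the check is that "pass" results alone are not a reason to trust the body.
const TRUSTED_SENDERS = new Set(["github.com", "microsoft.com"]);

// Hosts that are legitimately linked from each trusted sender's mail (assumption for the demo).
const EXPECTED_LINK_HOSTS = {
  "github.com": ["github.com", "www.github.com"],
};

// Split a raw RFC 822 style message into a lowercase-keyed header map and the body.
function splitMessage(raw) {
  const idx = raw.indexOf("\r\n\r\n");
  const headerBlock = idx === -1 ? raw : raw.slice(0, idx);
  const body = idx === -1 ? "" : raw.slice(idx + 4);
  const headers = {};
  for (const line of headerBlock.split("\r\n")) {
    const m = line.match(/^([^:]+):\s*(.*)$/);
    if (m) headers[m[1].toLowerCase()] = m[2];
  }
  return { headers, body };
}

// Pull the spf/dkim/dmarc verdicts and the domain each verdict applies to.
function parseAuthResults(value) {
  const result = {};
  for (const part of value.split(";").slice(1)) {
    const m = part.trim().match(/^(spf|dkim|dmarc)=(\w+)(?:.*?(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+))?/);
    if (m) result[m[1]] = { verdict: m[2], domain: m[3] || null };
  }
  return result;
}

// Collect the distinct hostnames of every http(s) URL found in the body.
function extractLinkHosts(body) {
  const hosts = new Set();
  for (const m of body.matchAll(/https?:\/\/[^\s<>"')]+/g)) {
    try { hosts.add(new URL(m[0]).hostname); } catch { /* skip malformed URLs */ }
  }
  return [...hosts];
}

function triage(raw) {
  const { headers, body } = splitMessage(raw);
  const auth = parseAuthResults(headers["authentication-results"] || "");
  const fromDomain = (headers["from"] || "").split("@").pop().trim();
  const fullyAuthenticated = ["spf", "dkim", "dmarc"].every(k => auth[k] && auth[k].verdict === "pass");
  const trustedSender = TRUSTED_SENDERS.has(fromDomain);
  const expected = new Set(EXPECTED_LINK_HOSTS[fromDomain] || []);
  const unexpectedLinkHosts = extractLinkHosts(body).filter(h => !expected.has(h));
  return {
    fromDomain,
    fullyAuthenticated,
    trustedSender,
    unexpectedLinkHosts,
    // Authentication passing is necessary but not sufficient: links that leave the
    // sender's own domain are the signal a reputation-only filter misses.
    suspicious: trustedSender && fullyAuthenticated && unexpectedLinkHosts.length > 0,
  };
}

console.log(triage(SAMPLE_MESSAGE));
```

Run it with `node triage.js`; the sample message is flagged because it authenticates as github.com yet links to a host outside github.com. In a real policy the expected-host table would come from the sender's own documented link domains rather than a hard-coded list.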
How to Protect Yourself from Email Harvesting and Phishing
If you must share an email address online, consider the following best practices to minimize risk:
- Use Email Obfuscation Techniques – Instead of posting a plain-text email address, use contact forms, JavaScript-based obfuscation, or replace “@” with “[at]” to make it harder for bots to scrape.
- Enable Advanced Email Security Policies – Use tools like Microsoft 365 Defender to set up URL filtering, anti-phishing policies, and AI-based threat detection.
- Monitor Unusual Login Attempts – If attackers have your email, they may attempt credential stuffing or phishing-based attacks. Enable MFA (Multi-Factor Authentication) and regularly check for unauthorized sign-in attempts.
- Use a Separate Email for Public Inquiries – Consider using a burner email or a separate business email for website inquiries rather than exposing your primary email.
- Report and Block Phishing Attempts – If you encounter phishing emails using trusted domains, report them to the service provider (e.g., GitHub, Microsoft) so they can take action against the abuse.
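As an added example of the JavaScript-based obfuscation mentioned in the first point (this is not code from the original post), the snippet below keeps the real address out of the static HTML: the page carries only an encoded `data-contact` attribute plus a human-readable "[at]" / "[dot]" fallback, and the browser assembles the `mailto:` link after load. The address, the `SHIFT` offset and the `data-contact` attribute name are constructed for the demo. This deters crawlers that read the raw page source; a bot that renders the page with a headless browser will still see the address, so it complements rather than replaces a separate public-inquiry address and server-side filtering.

```javascript
// Added example (not from the original post): keep the address out of the static
// HTML and let the browser assemble it at render time. Address and offset are
// constructed for this demo; the scheme is deterrence against scrapers, not cryptography.

const SHIFT = 7; // arbitrary small offset applied to each character code

// Reverse the address and hex-encode each shifted character code, so the
// result contains neither "@" nor a readable local part or domain.
function encodeAddress(address) {
  return [...address].reverse()
    .map(ch => (ch.charCodeAt(0) + SHIFT).toString(16).padStart(4, "0"))
    .join("");
}

// Inverse of encodeAddress: decode the 4-hex-digit groups, unshift, and reverse back.
function decodeAddress(encoded) {
  const chars = [];
  for (let i = 0; i < encoded.length; i += 4) {
    chars.push(String.fromCharCode(parseInt(encoded.slice(i, i + 4), 16) - SHIFT));
  }
  return chars.reverse().join("");
}

// Fallback text for visitors without JavaScript, e.g. "user [at] example [dot] org".
function humanReadable(address) {
  const [local, domain] = address.split("@");
  return `${local} [at] ${domain.split(".").join(" [dot] ")}`;
}

// Markup to publish (generated once, at build time):
// <span data-contact="ENCODED">user [at] example [dot] org</span>
function contactMarkup(address) {
  return `<span data-contact="${encodeAddress(address)}">${humanReadable(address)}</span>`;
}

// Browser side: replace every data-contact placeholder with a working mailto: link.
// Returns the number of placeholders replaced so the caller can verify it ran.
function revealContacts(doc) {
  let count = 0;
  for (const el of doc.querySelectorAll("[data-contact]")) {
    const address = decodeAddress(el.getAttribute("data-contact"));
    const link = doc.createElement("a");
    link.href = "mailto:" + address;
    link.textContent = address;
    el.replaceWith(link);
    count += 1;
  }
  return count;
}

if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => revealContacts(document));
} else {
  // Running under Node: show the markup you would paste into the page.
  console.log(contactMarkup("user@example.org"));
}
```

Generate the markup once with `node obfuscate.js`, paste the `<span>` into the page, and ship the decoding half of the script with the site; the fallback text keeps the contact usable when scripts are blocked.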
Conclusion
This experience was a reminder of how quickly email addresses can be exploited once they become public. More importantly, it highlighted how attackers are adapting their methods by leveraging trusted domains to bypass security protections. While advanced filtering and email security policies are effective in mitigating threats, the best approach is to limit exposure and stay proactive in monitoring for attacks.
Cyber threats are always evolving, and email security should never be an afterthought. If you rely on email for business or personal communications, take the extra steps to protect it—before it becomes a target.