Attackers fingerprint victims through user-agent data to deliver OS-specific payloads, increasing compromise rates and campaign profitability.
July 1, 2026
Threat actors are moving away from spray-n-pray phishing attacks in favor of campaigns that can automatically adapt to a target's device and operating system.
Today, anti-phishing security vendor Cofense published research covering the cutting-edge ways threat actors are upping their phishing game. As research post author Max Gannon of Cofense Intelligence explained, classic phishing attacks often have clumsy, simple emails and an attachment with a simple infection chain that could bypass secure email gateways. Many modern campaigns now use emails targeted and tailored to the victim, with complex narratives relevant to the target (such as delivering an invoice for a business manager) and more complex infection chains.
More recently, Cofense has seen examples of phishing campaigns that are even more targeted once the victim clicks a link or an attachment. It is at that stage that the attachment or landing page collects information for the user-agent provided by the browser; user-agent data is a string of text data that Web browsers and applications send when a Web page is loaded. Through this data, the attacker can fingerprint and collect data including victim email addresses, browser information, device information, language, victim local time, screen and window size, and geolocation.








