Unlike malware and exploits, Phishing represent a much broader category of the threat landscape. They are not bound by a fixed set of rules and thus cannot be identified by a simple signature or static set of if-then-else sandbox rules. The end goal of a Phishing attack is to trick the target into clicking on something malicious or giving up his/her valuable information, often using plain HTML. There’s no exploit, no malicious Java Script, no executable – just natural language and graphical objects. An HTML-based attack.