Phishers are using remote images instead of embeedding them directly into emails to bypass email filters. Remote images are hosted on the web and need to be fetched before being analyzed. To delay the fetching, phishers are employing multiple redirections, cloaking techniques, and are hosting the images on high-reputation domains. The use of JavaScript is also common so that it is necessary for security vendors to use state of the art web crawlers that are more difficult to scale.
Source: https://www.helpnetsecurity.com/2021/01/15/phishers-bypass-email-filters/