THREAT BRIEFING SOCIAL ENGINEERING

Anatomy of a Phishing Attack

Today's phishing campaigns are precision instruments — built on OSINT reconnaissance, weaponizing trust, and engineered to bypass both technical controls and human intuition.

Phase 1 — Reconnaissance

Before a single malicious message is sent, the attacker builds a detailed profile of the target using open-source intelligence. This phase is what separates sophisticated spearphishing from generic spam — and what makes it so effective.

The reconnaissance harvest typically includes:

  • Organizational structure and reporting relationships (LinkedIn, corporate website)
  • Names and roles of key personnel — HR, finance, IT, executives
  • Internal tools and platforms in use (job postings, employee reviews on Glassdoor)
  • Ongoing projects, recent acquisitions, or public announcements
  • Credential exposure from historical data breaches
  • Personal social media revealing relationships, travel patterns, and interests

By the time the attacker contacts the target, they often know more about the target's organization than many of the employees do. The lure they craft reflects this intelligence.

Phase 2 — Infrastructure Setup

A professional campaign does not reuse known-malicious infrastructure. Attackers invest in purpose-built infrastructure designed to survive long enough to achieve their objective.

STEP 01
Domain Registration: Typosquatted or lookalike domains are registered — often mimicking the target's own domain or a trusted vendor's domain. A valid TLS certificate proves only that traffic to the domain is encrypted, not that whoever registered the domain is trustworthy; padlock ≠ safe.
STEP 02
Email Infrastructure: SPF, DKIM, and DMARC records are configured to maximize deliverability. Some campaigns compromise legitimate email accounts to send from trusted sources entirely.
STEP 03
Payload Hosting: Credential harvesting pages cloned from legitimate services, malicious document delivery sites, or OAuth consent abuse pages are staged and ready before the first lure is sent.

Phase 3 — The Hook

The lure is delivered. Using the intelligence gathered in Phase 1, the attacker crafts a message that references real people, real projects, and real context. The goal is to trigger action before the target has time to think critically.

The psychological triggers most commonly exploited:

  • Urgency: "Your account will be locked in 24 hours." Pressure collapses deliberation.
  • Authority: Impersonating an executive, IT, legal, or a known vendor activates compliance instincts.
  • Fear: Threat of consequence — legal, financial, reputational — bypasses rational evaluation.
  • Curiosity: A file labelled with something relevant to the target's actual work is opened without hesitation.
  • Reciprocity: Offering something useful (a report, a tool, a resource) in exchange for an action.

Defense — Technical + Human Layers

No single control stops a well-executed spearphishing campaign. Defense requires overlapping layers that assume each individual layer will eventually fail:

  • Email Filtering & DMARC: Implement strict DMARC policies on your own domains and use email security gateways that inspect links and attachments dynamically.
  • Lookalike Domain Monitoring: Proactively monitor for newly registered domains that impersonate your brand or your key vendors. Act before they're weaponized.
  • MFA — Phishing-Resistant: Hardware security keys (FIDO2) are the only 2FA method that resists real-time phishing proxies, because the signed response is bound to the origin the browser actually connected to and cannot be replayed from a lookalike site. TOTP codes and SMS are not.
  • Out-of-Band Verification: Any unusual request — wire transfers, credential resets, sensitive data access — should be verified via a separate, pre-established channel. Not reply-to. Not the number in the email.
  • Behavioral Training: Teach people to slow down on urgent requests, to question authority claims, and to verify — not just to spot bad grammar. Modern lures have no grammar errors.
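The lookalike-domain monitoring layer above can be automated against a feed of newly registered domains. The script below is an added example, not part of this briefing or of any product it describes; the brand domain, the homoglyph table and the sample feed are constructed, and it assumes domains arrive Unicode-decoded (not punycode) under a one-label public suffix.

```python
# Added example (not from the briefing): flag newly registered domains that
# resemble a protected brand domain. Brand, homoglyph table and feed are constructed.
import unicodedata

PROTECTED = ["examplecorp.com"]   # constructed brand domain
# Partial table of visually confusable substitutions (constructed).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize_label(label: str) -> str:
    """Fold a label to a canonical form: strip accents, map homoglyphs, drop '-'."""
    folded = unicodedata.normalize("NFKD", label.lower())   # 'à' -> 'a' + accent mark
    text = "".join(c for c in folded if c.isascii() and c.isalnum())
    for fake, real in HOMOGLYPHS.items():
        text = text.replace(fake, real)
    return text

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, one DP row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, tld); assumes a one-label public suffix."""
    parts = domain.lower().strip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) > 1 else (parts[0], "")

def classify(candidate: str, protected=PROTECTED, max_distance: int = 1) -> str:
    """Return 'owned', 'lookalike' or 'unrelated' for one candidate domain."""
    label, tld = split_domain(candidate)
    if any(split_domain(b) == (label, tld) for b in protected):
        return "owned"                        # our own domain or a subdomain of it
    norm = normalize_label(label)
    for brand in protected:
        b_norm = normalize_label(split_domain(brand)[0])
        if (norm == b_norm                    # homoglyph swap or same label, other TLD
                or edit_distance(norm, b_norm) <= max_distance   # one typo away
                or b_norm in norm):           # brand embedded, e.g. brand-login.com
            return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample of a newly-registered-domain feed.
    for d in ["examplecorp.com", "examp1ecorp.com", "exarnplecorp.net",
              "examplecorp-login.com", "exàmplecorp.com", "github.com"]:
        print(f"{d:26} {classify(d)}")
```

Matches tagged "lookalike" are candidates for takedown requests and for blocking at the mail gateway and proxy before the domain is used in a lure.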