• Home
  • /Learn
  • /Fake File Icons And Other Common Phishing Techniques
background image


Fake File Icons And Other Common Phishing Techniques


Gaining initial access is like winning the Jackpot to a cyber-attacker. Although gaining initial access doesn’t 100% guarantee that an attacker - or pentester - will achieve their ultimate goal, it is a required stage in the attack chain. Also, following the Cyber Kill Chain methodology to IT security, preventing any one stage of an attack will "break the Kill Chain" and thwart a successful cyber attack.

However, preventing initial access may be easier said than done. There are a vast number of tactics and techniques that attackers may use to gain initial access to their victims' systems such as exploiting public-facing vulnerabilities, using stolen credentials, and social engineering attacks such as phishing, spear-phishing, whaling, and vishing

Phishing alone lends itself to a vast spectrum of potential attack techniques that pit an attacker's wit directly against a potential victim's technical savvy. So, it's best to stay up-to-date on the latest attack trends and some of the classic tricks used to get an initial foothold. 

Let's examine some common techniques that attackers use to effectively gain access to a victim's computer in phishing and social engineering attacks and what you can do to stop them.

Common Phishing Techniques

Fake File Icons

Fake file icons are a powerful technique used in social engineering attacks. The most common fake icon trick is using a Microsoft Office icon to hide an executable (.exe) file. For example, an attacker might send a potential victim an email with a .exe - or ZIP compressed .exe file - attached. But, by configuring a fake icon for the .exe file, it can be disguised to appear as a Microsoft Word Document. When the victim clicks on the supposed document to open it, the executable file does not trigger Microsoft Office but rather executes on its own as a normal program. 

If well crafted, the malware will actually even download and open an actual Office document in the background to make it look like business as usual. From there, the malware will contact an attacker-controlled command and control (C2C) server and download additional tools to further the cyber-attack.

The best way to protect yourself against a fake file icon attack is to know your file extensions in and out and think critically about files from untrusted senders before you open them. You need to know that shortcut files (.lnk, .alias), archives (.zip, .rar, .7z), applications (.exe, .msi, .app), and disk images (.iso, .dmg) can all be configured with custom icons. If you are a manager, user awareness training will help your staff to spot these types of attacks and what to do when they suspect they are being targeted.

Microsoft Office VBA Macros

One of the most common dangers is enabling macros in Office documents. Macros are small pieces of code that automate repetitive tasks within an Office document. However, they can also be used to execute malicious code on a victim's computer, potentially compromising it and gaining initial access. It's critical to never enable macros in Office documents if they are received from an unknown or untrusted source.

Macros are intended to add advanced functionality to Office documents such as including web content and being able to interact with your system files, but the unintended implication is that macros can turn an Office document into a backdoor to compromise your computer. The best way to protect against macros is to disable macros within the Office application or globally in the Microsoft 365 Trust Center

Link manipulation is a common tactic used by attackers to make a link in a document or email appear to be for a destination other than the one it actually does. Link manipulation can happen when an attacker uses a technique such as a URL shortener to hide the actual destination of the link or makes the text of the link different from the embedded destination. The hope is that the target will simply click the link, visit the malicious destination, and enter their account username or password into a fake version of the intended site.


Setting the link to a different destination than the link text implies.


Hovering on the manipulated link shows its true destination.

The most fundamental way to protect yourself from link manipulation is to hover over links to see their true destination before clicking on them. The reality is that we don't always have time to do this, but it is especially important to vet links from untrusted senders that seem to direct us to a common well-known site, or one that asks us to log in. There are also browser extensions that can detect malicious links and notify you with a popup when you encounter one.


Preventing an attacker from gaining a foothold on your system is the ultimate goal that all IT security managers should have. Phishing and social engineering attacks represent an estimated 70% of initial access compromises. It's critical to understand the nuts and bolts of how hackers try to manipulate the tools at their disposal - documents, and links - to take advantage of their victims in order to better protect yourself and your company.

Some of the most common tricks are placing fake icons on a file to mask its true nature, embedding malicious macros into Office documents, and manipulating links that seem innocuous but lead to malicious destinations.  It's important to ensure this knowledge is spread throughout the organization and to continuously encourage user awareness to close the security gap and keep the bad guys out.

Sign up for our newsletter

Get the latest blog posts in your inbox biweekly!