Phishing for Initial Access

Download your free recording of our 30-minute Phishing for Initial Access presentation to hear directly from our Research and Development Lead.

With close to over 90% of data breaches in 2023 occurring as a result of phishing, there has never been a better time to familiarize yourself and your team with the ins and outs of phishing–namely phishing for initial access.

In our latest webinar, our Research and Development Lead, Ahmad Alsabagh, funnels his 5+ years of experience into an overview of what phishing for initial access is, commonly-abused vulnerabilities used in phishing attacks, advancements in phishing, and more.

Let’s jump right in. 

What is Phishing?

“As many of you may know, phishing is the most common initial access vector,” Ahmad explains. “It generally targets human psychology–meaning that technology can mitigate phishing-related attacks, but not completely stop them.”

Due to a 47.2% surge in phishing-related attacks that have targeted the likes of Dropbox, the United Parcel Service, and Blizzard Entertainment, phishing made up a staggering two-thirds of initial access breaches in the last year alone–and is showing no signs of slowing.

Phishing can be conducted via:

• Email

• Phone

• Text

• And social media

While the approaches to phishing are many, each often aims to steal or expose one or more of the following: financial information; employee information; and confidential organizational data. 

When it comes to combating successful phishing attempts, knowledge is power. Let’s break down why knowing the difference between phishing and spear phishing is the first step towards protecting your information online.

Spear Phishing vs. Phishing 

As a type of tailored phishing attack, spear phishing is an ultra-targeted attack on one or a select number of victims. While standard phishing targets a large sum of people, spear phishing scammers will utilize social engineering (the act of psychologically manipulating targets into divulging confidential information or taking certain actions) to breach the accounts of specific individuals within an organization.

As Ahmad illustrates: “In most instances of phishing, it’s a numbers game; hackers have the mindset of, ‘If I send out a thousand fraudulent emails, a minimum of one person will click it.’ Spear phishing, on the other hand, targets either a specific individual or a specified group of individuals: for example, if a company is changing their vendor, threat actors can craft a realistic spear phishing campaign to leverage that situation and prey on the employees involved.”

Examples of spear phishing include, but are not limited to:

• Threat actors pretending to be a boss or fellow employee requiring certain financial or organizational information (i.e passwords) 

• Threat actors spoofing texts or emails claiming that the target has “won” a prize

• Threat actors claiming to be a loved one who has locked themselves out of an email account or social media handle

Successful spear phishers typically use the target’s name or utilize other personal information to make their communications appear more authentic.

Phishing for Initial Access: the Data at Risk

There are numerous financial and reputational damages associated with being targeted by a successful phishing campaign.

However, what types of data are most at risk within your organization?

Ahmad breaks down the top three.

#1: Credential Theft (Traditional vs. Modern) 

“Generally speaking, a majority of hackers phish for credential data,” Ahmad says. “A traditional way of doing this would be to infiltrate an app like Office365: as MFA (Multi Factor Authentication) has become more widespread, this ‘traditional’ way of attempting credential theft is seeing a downturn. However, employee awareness training should still include this type of phishing for initial access.”

Why? Because, despite its frequency going down, its effectiveness remains: due to organizational politics, some employees may be exempt from having to authenticate their identity via MFA. This often includes key stakeholders, which are then leaving their credentials at high risk.

As advancements in phishing continue, the Packetlabs team more commonly sees AiTM (Attacker-in-the-Middle) attacks as a way to facilitate credential theft. It is defined as a type of phishing attack in which a threat actor positions themselves between two communicating parties in order to intercept, steal, and/or alter the data passing between them. In addition to impacting credentials, AiTM attacks can also encompass session tokens, JWT, stakeholder employee addresses, and user agents.

#2: Employee Data

Payload delivery is one of the most effective ways in which threat actors can use phishing to access personal employee data.

In cybersecurity, a payload is malware that a malicious hacker is delivering to the victim; the delivery of this payload can take many forms. At Packetlabs, we frequently witness successful MS Office payload deliveries, malware-infested ZIP files, and executables that can wreak havoc on an organization’s cybersecurity infrastructure.

Arguably the most threatening of these variations is zero-day payloads, which can leverage an exploit in Adobe to bypass an employee’s watchful eye. Filesec.io is a resource that your organization can use to quickly and efficiently scan incoming extensions, especially since payload delivery complexity is increasing as the years progress.

#3: Financial Information

Last but not least is, of course, financial information. Advanced phishing techniques can quickly expose both personal and organization-wide financial information, resulting in massive potential losses.

Advanced phishing frequently takes the shape of the following:

• Email spoofing (either via misconfiguration or exploitation)

• Website spoofing (either via open redirect, IP address blocking, or living off of trusted sites)

• Obfuscated JavaScript

• Vishing (voice phishing)

All members of an organization should be aware of advanced phishing threats while navigating day-to-day tasks, especially for workers who operate remotely or hybrid.

Common Organizational Mistakes with Phishing for Initial Access

At Packetlabs, the common organizational mistakes we see relating to phishing for initial access boils down to three:

• A lack of technical solutions: Technical solutions are your organization’s first line of defense against successful phishing attacks. Examples of technical solutions include having a secure email gateway, having up-to-date mobile device management, and investing in secure configuration 

• A lack of user awareness and training: Employee awareness training starts from the top. To be robust in 2023, an organization should incorporate learning the signs of a phishing email and the varying complexities of phishing simulations. Ideally, all teams should have a dedicated phishing support chat and guidelines for how to conduct yourselves online to minimize risk

• And/or a missing resource plan: Having a resource plan that monitors delivery mechanisms is crucial. This should encompass email, all commonly-used social media platforms, Microsoft Teams, and SMS

Luckily, all of these are resolvable. As a SOC 2 Type II CREST accredited cybersecurity firm specializing in penetration testing services, Packetlabs can work with your team to strengthen your security posture via a multitude of testing solutions. Our team is composed of highly skilled ethical hackers that provide a thorough blend of consultation and penetration testing.

Phishing for Initial Access FAQs

Do we need to include phishing in our pentest?

“No matter what solutions you may have used previously you should absolutely include phishing in your penetration testing,” Ahmad recommends. 

“Sometimes internal results can get skewed; an external phishing campaign validates those results. I would say get a phishing campaign done, evaluate how you can use that to improve your security posture, and then invest in a cybersecurity consultant who will run an in-depth external phishing campaign.”

How can my organization improve our two-factor authentication?

If an organization is using Office365, team members can adjust conditional access requirements to ensure that users can only authenticate from specific machines and/or specific locations. This makes capturing session tokens not as beneficial to threat actors.

Should my phishing campaign include social media?

Yes. Especially with organizations who have dedicated social media departments, employees frequently put themselves at risk by sharing personal or organizational information online, clicking on fraudulent links, or corresponding with fake accounts. “This can even extend to pictures,” Ahmad says. “You may think it’s just a picture of your office or your team, but threat actors can–and will–use background information to better target you and your business.”

To cover these bases, it is advised to include social media in external phishing campaigns.

Conclusion

Protecting your organization against phishing for initial access is more critical than ever before. Between advancements in malicious software, more and more employees working remotely or hybrid, and a multitude of confidential information being stored solely online, every organization’s finances and reputation rest on having a solid cybersecurity posture.

Couldn’t make our latest webinar? Sign up to our newsletter today to be the first to hear about our next one. Our ethical hacking team is always one click away.