Spear Phishing
Malicious actor gathers info about their target to tailor the email and make it convincing
Uses OSINT sources
Can use typosquatting or sender spoofing to seem legitimate
Impersonation
Pretending to be somebody else (friend, colleague, authority figure)
Typosquatting
Impersonating a brand or domain by misspelling it
e.g. amazonn
Homoglyph
Difficult to spot
Characters that look virtually the same, e.g. Cyrillic and Latin o
Sender Spoofing
Making the sending email address look the same as the legitimate one (set by SMTP server)
How to detect sender spoofing
Perform IP lookup
Check reply-to address to see where it would be sent (and block it)
HTML styling
Phishing emails will replicate company HTML styling in emails to appear legit
Can look at the code behind it (decode if in base64) to look for phishing clues like credential harvesting
Three categories of malicious attachment
Non-malicious files used for social engineering e.g. invoices
Non-malicious files with malicious hyperlinks
Malicious files e.g. with scripts, macros
How to check a hyperlink’s safety
Hover over the link to see the real address
Open email in text editor and find URL in anchor tags (on a VM or “dirty” system only)
URL shorteners
Services like bitly and short URL generate short versions that redirect to full URL
How to analyse shortened URLs for safety
Wannabrowser or URL2PNG to see the true page/info
File Hosting
Hosting malicious files on public, believable services like Google Drive, OneDrive, Dropbox (usually macros or links since those services have controls)
Business Email Compromise (BEC)
Attack on a business but focusing on those likely to transfer money or make purchases e.g. between vendors
Email compromise & vendor attack
Legit employee compromised, sends invoice emails to vendors
Email spoofing & alternative payment attack
Employee account compromised, sends alternative payment method for future legit payments to vendors
Email spoofing & CEO fraud
Malicious actor poses as executive board member e.g. CEO, CFO, CTO
Contacts finance dept to transfer them money urgently
Email spoofing & data theft
Spoof an employee
Request to see information held about themselves
Spear phish using this info, or sell to hackers
Email compromise & zombie phishing
Compromise email account
Send malicious link to old email threads as it looks like it's from the legit person
MD5
Message Digest 5
SHA
Secure Hash Algorithm
How to get file hashes using PowerShell
Get-FileHash (specify with -Algorithm SHA1 etc.)
How to get file hashes with Linux CLI
sha1sum <file> (or md5, sha256)
PhishTool
Forensic analysis console for phishing emails (and can retrieve artifacts too)
URL2PNG
Enter URL and it shows what the webpage looks like
URL2Scan
Shows a summary and screenshot of the URL
VirusTotal
Insert URL or file to check if vendors recognise it as malicious
Threat feeds
Provide security teams with phishing attacks and malicious artifact info
URLhaus database
Collection of malicious URLs by researchers
PhishTank
Malicious URL database by users