Threats
T1566Phishing
Why phishing remains the top initial-access vector, what each variant looks like in practice, and how analysts detect and respond to credential harvesting campaigns.
View on Graph
What Phishing Is and Why It Is the Top Threat Vector
Phishing is a social engineering attack where an adversary sends deceptive communications — usually email — designed to trick the recipient into handing over credentials, opening a malicious attachment, or clicking a link that delivers malware. MITRE ATT&CK maps phishing to T1566 with three sub-techniques: T1566.001 (Spear-phishing Attachment), T1566.002 (Spear-phishing Link), and T1566.003 (Spear-phishing via Service).
The Verizon 2024 DBIR found phishing was present in 31% of all breaches and was the top action variety in social engineering incidents. It works because it exploits human psychology, not technology gaps.
Phishing Variants
Credential Harvesting
How it works: The attacker sends an email impersonating a trusted service (Microsoft 365, Google, Dropbox, DocuSign) with a link to a fake login page — a common cloud threat vector. When the victim enters credentials, they are captured by the attacker.
Key indicators:
- Email claims there’s an urgent problem with the recipient’s account
- Link URL does not match the legitimate service (e.g.,
microsoft-verify-login[.]comvs.login.microsoftonline.com) - Fake login page looks like the legitimate one but the URL is wrong
- The attacker often uses the captured credentials immediately — within minutes — often for credential stuffing against other services
Analyst triage:
- Check the email headers: validate SPF, DKIM, and DMARC. If DMARC fails (p=reject) or SPF fails, the sender is not authorized.
- Extract the URL and submit to URLScan.io — see the rendered page. A credential harvesting page will look like a genuine login page but the URL will not match the legitimate domain.
- Check the destination domain on crt.sh — was the SSL certificate issued recently? Credential harvesting domains usually have certificates issued within the last 30 days.
- Check the domain on DomainTools — how old is it? Phishing domains are typically registered < 30 days before use.
Malicious Attachment
How it works: The email contains a document (PDF, Word, Excel, OneNote) that, when opened, executes a macro, exploits a vulnerability, or contains an embedded script to download malware.
Common file types and risks:
- Word/Excel documents (.doc, .docx, .xls, .xlsx): Macro-enabled documents that run VBA scripts to download payloads (e.g.,
DownloadStringin PowerShell). Qakbot, Emotet, and IceID commonly used this vector. - PDF documents (.pdf): Contain embedded JavaScript, URLs, or exploit code. Recent vulnerabilities in PDF readers allow code execution on open.
- OneNote files (.one): Increasingly used in 2023-2024. Can contain embedded executables, scripts, or links that the user double-clicks.
- Compressed archives (.zip, .rar, .7z): Used to evade attachment scanning. Password-protected archives bypass content inspection entirely.
Analyst triage:
- Extract the attachment hash (SHA256) from the email gateway or SIEM.
- Submit the hash to VirusTotal — detection ratio and sandbox behavior reports.
- Submit the file to Any.Run or Hybrid Analysis — see what processes, network connections, and registry changes occur when opened.
- If the document contains a URL, extract and analyze it as above.
- Check the email headers for the sending infrastructure — compromised SMB mail servers are common for this variant.
Spear-Phishing Link
How it works: The email contains a link to a legitimate-looking website that delivers malware (drive-by download) or prompts a credential harvest. Unlike credential harvesting, the link may redirect through multiple hops.
Key indicators:
- URL shorteners (bit.ly, tinyurl) hiding the true destination
- Multiple redirects: link → redirect → redirect → malicious site
- The link leads to a legitimate site that has been compromised (watering hole)
- The link uses homoglyph characters (e.g.,
g00gle.cominstead ofgoogle.com)
Analyst triage:
- Expand shortened URLs using a URL expander or the
curl -Icommand to follow the redirect chain. - Submit the final URL to URLScan.io for screenshot and resource analysis.
- Check each domain in the redirect chain on DomainTools and crt.sh.
- Determine if any users clicked the link — check proxy logs for the URL or domain.
- If a user reported the email, check their browser history for the visited domain.
Detection Workflow — Phishing Triage
Step 1: Collect the Email
The user forwards the email or submits it via a report button. Extract:
- The original email (EML or MSG file) with full headers
- Any attachments — preserve in a sandbox environment
- The reported URL from the user’s forwarded email or screenshot
Step 2: Analyze the Email Headers
Headers are the most important evidence. Extract and analyze:
| Header Field | What It Reveals | Normal vs. Suspicious |
|---|---|---|
From: | Display name + email address | Display name may impersonate CEO, but the email address is wrong |
Reply-To: | Where replies go | Different from From: = redirecting replies to attacker |
Return-Path: | Bounce destination | Different from From: = likely spoofed |
Received: chain | Mail server path | Multiple hops through unknown servers = suspicious |
SPF: result | Sender Policy Framework | fail or softfail = sender not authorized for the domain |
DKIM: result | DomainKeys Identified Mail | fail = email was modified in transit |
DMARC: result | Domain-based Message Authentication | fail + domain has p=reject policy = confirmed spoof |
Message-ID: | Unique email identifier | Can be used to find the email in other recipients’ inboxes |
SPL query — check DMARC failures:
index=email
| search "dmarc=fail" OR "spf=fail" OR "dkim=fail"
| stats count by sender_address, from_address, subject
| sort - count
Step 3: Analyze URLs
Extract all URLs from the email body. For each URL:
- Expand any shortened URLs
- Submit to URLScan.io — screenshot, redirect chain, resources loaded
- Check domain registration date (DomainTools or WHOIS)
- Check if the domain appears in threat intelligence feeds
- Check crt.sh for SSL certificate issuance date
- Submit the URL to VirusTotal — URL scanner results
Step 4: Analyze Attachments
For each attachment:
- Extract SHA256 hash — submit to VirusTotal
- Submit to sandbox (Any.Run, Hybrid Analysis, Joe Sandbox)
- If a document with macros: extract the macro code for analysis
- If password-protected archive: mark as high priority — these bypass all automated inspection
- Check for recently generated files (creation date within 24 hours)
Step 5: Check User Impact
- Did the user enter credentials? Check for impossible travel, logins from new IPs, MFA approval requests.
- Did the user click the link? Check proxy logs for the destination domain. Check DNS logs for the resolved IP.
- Did the user open an attachment? Check EDR for process creation events —
winword.exespawning child processes. - Check for post-click activity: new scheduled tasks, PowerShell execution, outbound C2 connections from the user’s device.
Step 6: Determine Disposition
| Disposition | Criteria | Action |
|---|---|---|
| Confirmed malicious | Domain = malicious, DMARC fail, URL leads to credential harvesting, or attachment detected as malware | Block domain at proxy/DNS, block sender IP at email gateway, remove email from all recipient inboxes, notify affected users |
| Suspicious | Some indicators but not confirmed (e.g., newly registered domain, legitimate-appearing email, no detections yet) | Investigate further. Monitor user’s account for 24h. Add domain to watchlist. |
| Benign | All checks pass (DMARC pass, domain is legitimate, attachment is clean) | No action. Document as a user report of legitimate email (training opportunity). |
Phishing Response — What to Do When a User Clicks
If a user reports clicking a phishing link or opening a malicious attachment:
Immediate (within 5 minutes)
- Disable the user’s current session (revoke tokens, force re-authentication)
- Reset the user’s password
- Force MFA re-registration (attacker may have enrolled their own device)
- Isolate the user’s machine from the network (disconnect network cable or quarantine via EDR)
- Capture forensic data from the machine: running processes, network connections, recent file changes
- Check for credential theft: review Windows Event 4624 logins from the user’s machine to other systems
Within 1 hour
- Review email gateway logs for other recipients of the same email
- Remove the phishing email from all recipient inboxes (Exchange:
Search-Mailbox -DeleteContent) - Block the phishing domain at the proxy and DNS (sinkhole)
- Block the sender IP at the email gateway
- Check for lateral movement: RDP connections, SMB connections, PsExec/WMI usage from the affected host
- Search the SIEM for related events from the same threat actor (C2 IPs, file hashes, domains)
Within 24 hours
- Forensic analysis of the affected machine
- Review of all accounts the compromised user had access to (mailbox delegation, admin roles, file shares)
- Threat intelligence enrichment — submit artifacts to intel feeds
- Update email security rules (add sender domain to blocklist, tighten attachment filtering)
- User awareness coaching — what to look for next time
- Document the incident in the IR report
Within 1 week
- Post-mortem: why did the phishing bypass email gateway? Was it a new domain with no reputation?
- Update phishing detection rules
- Conduct tabletop exercise for similar scenarios
Phishing Simulation — Testing Your Users
Regular phishing simulations train users to recognize and report suspicious emails. The best programs use a progressive difficulty approach:
| Level | Email Type | Target User |
|---|---|---|
| 1 | Obvious scam (“Nigerian prince”) | All users — baseline training |
| 2 | Impersonated service (Microsoft 365 login) | All users |
| 3 | Targeted internal impersonation (CEO, IT) | All users — “whaling” |
| 4 | Context-aware (recent purchase, current event) | High-value targets (executives, finance, IT) |
| 5 | Multi-channel (email + SMS / phone follow-up) | High-value targets — vishing — a common insider threat vector |
Metrics to track:
- Click rate (should be below 5% after training)
- Report rate (should be increasing — users reporting suspicious emails)
- Time-to-report (should be decreasing)
- Repeat clickers (users who click simulation emails multiple times — may need 1:1 training)
Related
- Device Code Phishing — detection and response for T1566, T1528 techniques
- Phishing Triage — detection and response for T1566 techniques
- Kill Chain — covers the kill chain concepts
- OSI Model — covers the osi model concepts
- SPF and DKIM — detection and response for T1566 techniques
- Business Email Compromise Response — detection and response for T1566, T1114, T1098, T1586 techniques
- FBI Warns of Kali365 M365 Phishing Service — how fbi warns of kali365 phishing service targeting microsoft 365 accounts attacks work and how to detect them
- MFA Prompt Bombing Bypass — how mfa prompt bombing: why your second factor isn’t saving you attacks work and how to detect them
- ACR Stealer via Fake Claude Page — how possible acr stealer from page impersonating claude attacks work and how to detect them
- Ghostwriter Prometheus Phishing Campaign — how ghostwriter targets ukraine government entities with prometheus phishing malware attacks work and how to detect them
- 7-Eleven Data Breach — how 7-eleven data breach exposes personal information of 185,000 people attacks work and how to detect them
- Cross-Platform npm Stealer — how cross-platform npm stealer attacks work and how to detect them
- Italy Disrupts Piracy App Theft — how italy disrupts cinemagoal piracy app that stole streaming auth codes attacks work and how to detect them
