Threats

T1566

Phishing

Why phishing remains the top initial-access vector, what each variant looks like in practice, and how analysts detect and respond to credential harvesting campaigns.

View on Graph

What Phishing Is and Why It Is the Top Threat Vector

Phishing is a social engineering attack where an adversary sends deceptive communications — usually email — designed to trick the recipient into handing over credentials, opening a malicious attachment, or clicking a link that delivers malware. MITRE ATT&CK maps phishing to T1566 with three sub-techniques: T1566.001 (Spear-phishing Attachment), T1566.002 (Spear-phishing Link), and T1566.003 (Spear-phishing via Service).

The Verizon 2024 DBIR found phishing was present in 31% of all breaches and was the top action variety in social engineering incidents. It works because it exploits human psychology, not technology gaps.


Phishing Variants

Credential Harvesting

How it works: The attacker sends an email impersonating a trusted service (Microsoft 365, Google, Dropbox, DocuSign) with a link to a fake login page — a common cloud threat vector. When the victim enters credentials, they are captured by the attacker.

Key indicators:

  • Email claims there’s an urgent problem with the recipient’s account
  • Link URL does not match the legitimate service (e.g., microsoft-verify-login[.]com vs. login.microsoftonline.com)
  • Fake login page looks like the legitimate one but the URL is wrong
  • The attacker often uses the captured credentials immediately — within minutes — often for credential stuffing against other services

Analyst triage:

  • Check the email headers: validate SPF, DKIM, and DMARC. If DMARC fails (p=reject) or SPF fails, the sender is not authorized.
  • Extract the URL and submit to URLScan.io — see the rendered page. A credential harvesting page will look like a genuine login page but the URL will not match the legitimate domain.
  • Check the destination domain on crt.sh — was the SSL certificate issued recently? Credential harvesting domains usually have certificates issued within the last 30 days.
  • Check the domain on DomainTools — how old is it? Phishing domains are typically registered < 30 days before use.

Malicious Attachment

How it works: The email contains a document (PDF, Word, Excel, OneNote) that, when opened, executes a macro, exploits a vulnerability, or contains an embedded script to download malware.

Common file types and risks:

  • Word/Excel documents (.doc, .docx, .xls, .xlsx): Macro-enabled documents that run VBA scripts to download payloads (e.g., DownloadString in PowerShell). Qakbot, Emotet, and IceID commonly used this vector.
  • PDF documents (.pdf): Contain embedded JavaScript, URLs, or exploit code. Recent vulnerabilities in PDF readers allow code execution on open.
  • OneNote files (.one): Increasingly used in 2023-2024. Can contain embedded executables, scripts, or links that the user double-clicks.
  • Compressed archives (.zip, .rar, .7z): Used to evade attachment scanning. Password-protected archives bypass content inspection entirely.

Analyst triage:

  • Extract the attachment hash (SHA256) from the email gateway or SIEM.
  • Submit the hash to VirusTotal — detection ratio and sandbox behavior reports.
  • Submit the file to Any.Run or Hybrid Analysis — see what processes, network connections, and registry changes occur when opened.
  • If the document contains a URL, extract and analyze it as above.
  • Check the email headers for the sending infrastructure — compromised SMB mail servers are common for this variant.

How it works: The email contains a link to a legitimate-looking website that delivers malware (drive-by download) or prompts a credential harvest. Unlike credential harvesting, the link may redirect through multiple hops.

Key indicators:

  • URL shorteners (bit.ly, tinyurl) hiding the true destination
  • Multiple redirects: link → redirect → redirect → malicious site
  • The link leads to a legitimate site that has been compromised (watering hole)
  • The link uses homoglyph characters (e.g., g00gle.com instead of google.com)

Analyst triage:

  • Expand shortened URLs using a URL expander or the curl -I command to follow the redirect chain.
  • Submit the final URL to URLScan.io for screenshot and resource analysis.
  • Check each domain in the redirect chain on DomainTools and crt.sh.
  • Determine if any users clicked the link — check proxy logs for the URL or domain.
  • If a user reported the email, check their browser history for the visited domain.

Detection Workflow — Phishing Triage

Step 1: Collect the Email

The user forwards the email or submits it via a report button. Extract:

  • The original email (EML or MSG file) with full headers
  • Any attachments — preserve in a sandbox environment
  • The reported URL from the user’s forwarded email or screenshot

Step 2: Analyze the Email Headers

Headers are the most important evidence. Extract and analyze:

Header FieldWhat It RevealsNormal vs. Suspicious
From:Display name + email addressDisplay name may impersonate CEO, but the email address is wrong
Reply-To:Where replies goDifferent from From: = redirecting replies to attacker
Return-Path:Bounce destinationDifferent from From: = likely spoofed
Received: chainMail server pathMultiple hops through unknown servers = suspicious
SPF: resultSender Policy Frameworkfail or softfail = sender not authorized for the domain
DKIM: resultDomainKeys Identified Mailfail = email was modified in transit
DMARC: resultDomain-based Message Authenticationfail + domain has p=reject policy = confirmed spoof
Message-ID:Unique email identifierCan be used to find the email in other recipients’ inboxes

SPL query — check DMARC failures:

index=email
| search "dmarc=fail" OR "spf=fail" OR "dkim=fail"
| stats count by sender_address, from_address, subject
| sort - count

Step 3: Analyze URLs

Extract all URLs from the email body. For each URL:

  1. Expand any shortened URLs
  2. Submit to URLScan.io — screenshot, redirect chain, resources loaded
  3. Check domain registration date (DomainTools or WHOIS)
  4. Check if the domain appears in threat intelligence feeds
  5. Check crt.sh for SSL certificate issuance date
  6. Submit the URL to VirusTotal — URL scanner results

Step 4: Analyze Attachments

For each attachment:

  1. Extract SHA256 hash — submit to VirusTotal
  2. Submit to sandbox (Any.Run, Hybrid Analysis, Joe Sandbox)
  3. If a document with macros: extract the macro code for analysis
  4. If password-protected archive: mark as high priority — these bypass all automated inspection
  5. Check for recently generated files (creation date within 24 hours)

Step 5: Check User Impact

  1. Did the user enter credentials? Check for impossible travel, logins from new IPs, MFA approval requests.
  2. Did the user click the link? Check proxy logs for the destination domain. Check DNS logs for the resolved IP.
  3. Did the user open an attachment? Check EDR for process creation events — winword.exe spawning child processes.
  4. Check for post-click activity: new scheduled tasks, PowerShell execution, outbound C2 connections from the user’s device.

Step 6: Determine Disposition

DispositionCriteriaAction
Confirmed maliciousDomain = malicious, DMARC fail, URL leads to credential harvesting, or attachment detected as malwareBlock domain at proxy/DNS, block sender IP at email gateway, remove email from all recipient inboxes, notify affected users
SuspiciousSome indicators but not confirmed (e.g., newly registered domain, legitimate-appearing email, no detections yet)Investigate further. Monitor user’s account for 24h. Add domain to watchlist.
BenignAll checks pass (DMARC pass, domain is legitimate, attachment is clean)No action. Document as a user report of legitimate email (training opportunity).

Phishing Response — What to Do When a User Clicks

If a user reports clicking a phishing link or opening a malicious attachment:

Immediate (within 5 minutes)

  • Disable the user’s current session (revoke tokens, force re-authentication)
  • Reset the user’s password
  • Force MFA re-registration (attacker may have enrolled their own device)
  • Isolate the user’s machine from the network (disconnect network cable or quarantine via EDR)
  • Capture forensic data from the machine: running processes, network connections, recent file changes
  • Check for credential theft: review Windows Event 4624 logins from the user’s machine to other systems

Within 1 hour

  • Review email gateway logs for other recipients of the same email
  • Remove the phishing email from all recipient inboxes (Exchange: Search-Mailbox -DeleteContent)
  • Block the phishing domain at the proxy and DNS (sinkhole)
  • Block the sender IP at the email gateway
  • Check for lateral movement: RDP connections, SMB connections, PsExec/WMI usage from the affected host
  • Search the SIEM for related events from the same threat actor (C2 IPs, file hashes, domains)

Within 24 hours

  • Forensic analysis of the affected machine
  • Review of all accounts the compromised user had access to (mailbox delegation, admin roles, file shares)
  • Threat intelligence enrichment — submit artifacts to intel feeds
  • Update email security rules (add sender domain to blocklist, tighten attachment filtering)
  • User awareness coaching — what to look for next time
  • Document the incident in the IR report

Within 1 week

  • Post-mortem: why did the phishing bypass email gateway? Was it a new domain with no reputation?
  • Update phishing detection rules
  • Conduct tabletop exercise for similar scenarios

Phishing Simulation — Testing Your Users

Regular phishing simulations train users to recognize and report suspicious emails. The best programs use a progressive difficulty approach:

LevelEmail TypeTarget User
1Obvious scam (“Nigerian prince”)All users — baseline training
2Impersonated service (Microsoft 365 login)All users
3Targeted internal impersonation (CEO, IT)All users — “whaling”
4Context-aware (recent purchase, current event)High-value targets (executives, finance, IT)
5Multi-channel (email + SMS / phone follow-up)High-value targets — vishing — a common insider threat vector

Metrics to track:

  • Click rate (should be below 5% after training)
  • Report rate (should be increasing — users reporting suspicious emails)
  • Time-to-report (should be decreasing)
  • Repeat clickers (users who click simulation emails multiple times — may need 1:1 training)

Sources