TACTFlow - Part 0x3. Initial Access - Phishing

Featured image

Part #1: Phishing - The Art of Digital Deception

Introduction

Phishing is like a digital magic trick, except instead of pulling a rabbit out of a hat, attackers pull your credentials, bank details, and access to your entire network. And just like in magic, the trick works best when the target doesn’t realize what’s happening until it’s too late.

This post will break down phishing in a way that’s both educational and slightly entertaining, because let’s face it, nobody wants to read another dry cybersecurity article. So grab your coffee, and let’s dive into the cyber underworld of deception.


What is Phishing?

InitialAccess

Phishing is the art of digital trickery, a method attackers use to deceive people into giving up sensitive information like passwords, financial details, or access credentials. Unlike sophisticated zero-day exploits, phishing doesn’t rely on breaking into systems, it relies on breaking into minds.

A well-crafted phishing attack can make an employee click a link faster than accepting free Wi-Fi at an airport. Attackers use fake emails, websites, or messages to impersonate trusted sources, like your boss, your IT department, or even a government agency, just to get one wrong click that opens the door to chaos.

Real-World Example:

Imagine getting an email from your “CEO” saying:

Hey, 

Urgent request! I need you to approve this wire transfer of $50,000 immediately.
It’s for an important deal, and I can’t talk right now, just get it done.

Thanks!

Seems sketchy? It is. But plenty of people fall for it, costing businesses billions every year.


The Impact of Phishing on Businesses & Networks

If phishing were a minor inconvenience, we wouldn’t be talking about it. Instead, it’s one of the top cyber threats, responsible for some of the biggest breaches in history.

How Phishing Wreaks Havoc:

TL;DR – If you think phishing is just spam emails, think again! It’s a billion-dollar cybercrime industry, and no business is safe unless they actively defend against it.


Phishing Perspectives: CTI, Red Teaming, and SOC

InitialAccess

CTI (Cyber Threat Intelligence) Perspective

CTI specialists are like cyber detectives, analyzing phishing campaigns, tracking threat actors, and warning companies about new tactics. They monitor the dark web, phishing kits, and malicious domains to provide early warning signals.

Red Teaming Perspective

Red Teams simulate phishing attacks to test how well an organization can detect and respond to them. Their job is to be the bad guys (ethically, of course).

SOC (Security Operations Center) Perspective

SOC analysts are the frontline defenders, responsible for detecting and responding to phishing attacks. They analyze suspicious emails, investigate alerts, and fight phishing attempts in real-time.


Phishing & MITRE ATT&CK

MITRE ATT&CK categorizes phishing under Initial Access, because attackers use it as a gateway into networks.

Technique ID Sub-Technique Short Description Platforms
T1566 Phishing Delivering malicious content to a user Windows, macOS, Linux
T1566.001 Spearphishing Attachment Malware hidden in email attachments Windows, macOS, Linux
T1566.002 Spearphishing Link Malicious links leading to credential theft or malware Windows, macOS, Linux
T1566.003 Spearphishing via Service Phishing attacks using social media or cloud services Windows, macOS, Linux
T1566.004 Spearphishing Voice Using phone calls to manipulate victims N/A

Notable Phishing Attacks & Examples

Famous Real-World Phishing Attacks:

APT Groups & Phishing:


Final Thoughts: Why Phishing is Still a Top Threat

Phishing is so effective because it targets the human element, which, let’s be honest, is always the weakest link. You can have the best firewall and endpoint security, but if someone clicks the wrong link, it’s game over.

The Hard Truth:

This is just Part 1 of phishing attacks. Next, we’ll break down each phishing technique in-depth, showing exactly how Red Teams execute them and how SOC teams defend against them.


Part #2: Phishing - Breaking It Down, One Attack at a Time

So, we’ve covered the big picture of phishing, how it works, why it’s a massive threat, and how different teams approach it. But now, it’s time to get tactical.

In this part, we’ll dissect each phishing technique, one by one. From weaponized email attachments to malicious links and social engineering tricks, we’re diving deep into how attackers execute these tactics, how Red Teams simulate them, and how defenders can shut them down before they do any real damage.

Grab your coffee, if you haven’t already ! - because this is where we turn theory into action.

  1. Phishing - Spearphishing Attachment (T1566.001)
  2. Phishing - Spearphishing Link (T1566.002)
  3. Phishing - Spearphishing via Service (T1566.003)
  4. Phishing - Spearphishing Voice (T1566.004)

Part #3: Phishing - Bypassing AV & EDR

After covering the fundamentals of phishing and simulating attacks in the previous two sections with the Red Teaming part, this part serves as a bonus deep dive into bypassing Antivirus (AV) and Endpoint Detection & Response (EDR) solutions when executing various TTPs.

Defenders continuously improve their security stacks, but attackers evolve just as fast. The reality is that modern AV/EDR solutions use signature-based detection, behavioral analysis, heuristic scanning, and AI-driven anomaly detection, making simple payload execution nearly impossible, unless you know how to evade them.

In this section, we’ll break down AV/EDR evasion techniques and how attackers bypass macro-based phishing payloads, malicious scripts, and fileless execution to achieve initial access without detection

  1. Phishing - Spearphishing Attachment (T1566.001) & AV/EDR Bypass

Resources