TACTFlow - Part 0x3. Initial Access - Phishing

Phishing - The Art of Digital Deception

Posted Mar 4, 2025 Updated Mar 22, 2025

By Wael GHNIMI (0xW43L)

6 min read

TACTFlow - Part 0x3. Initial Access - Phishing

Part #1: Phishing - The Art of Digital Deception

Introduction

Phishing is like a digital magic trick, except instead of pulling a rabbit out of a hat, attackers pull your credentials, bank details, and access to your entire network. And just like in magic, the trick works best when the target doesn’t realize what’s happening until it’s too late.

This post will break down phishing in a way that’s both educational and slightly entertaining, because let’s face it, nobody wants to read another dry cybersecurity article. So grab your coffee, and let’s dive into the cyber underworld of deception.

What is Phishing?

Phishing is the art of digital trickery, a method attackers use to deceive people into giving up sensitive information like passwords, financial details, or access credentials. Unlike sophisticated zero-day exploits, phishing doesn’t rely on breaking into systems, it relies on breaking into minds.

A well-crafted phishing attack can make an employee click a link faster than accepting free Wi-Fi at an airport. Attackers use fake emails, websites, or messages to impersonate trusted sources, like your boss, your IT department, or even a government agency, just to get one wrong click that opens the door to chaos.

Real-World Example:

Imagine getting an email from your “CEO” saying:

Hey, 

Urgent request! I need you to approve this wire transfer of $50,000 immediately.
It’s for an important deal, and I can’t talk right now, just get it done.

Thanks!

Seems sketchy? It is. But plenty of people fall for it, costing businesses billions every year.

The Impact of Phishing on Businesses & Networks

If phishing were a minor inconvenience, we wouldn’t be talking about it. Instead, it’s one of the top cyber threats, responsible for some of the biggest breaches in history.

How Phishing Wreaks Havoc:

Data Breaches – Stolen credentials = attackers inside your systems.
Financial Loss – Business Email Compromise (BEC) scams have robbed companies of over $50 billion globally.
Ransomware Infections – One click, and suddenly your files are held hostage for Bitcoin ransom.
Reputation Damage – Imagine explaining to customers that their data got stolen because someone clicked “Enable Macros.”
Operational Disruption – If phishing leads to ransomware, entire companies can be shut down for days.

TL;DR – If you think phishing is just spam emails, think again! It’s a billion-dollar cybercrime industry, and no business is safe unless they actively defend against it.

Phishing Perspectives: CTI, Red Teaming, and SOC

CTI (Cyber Threat Intelligence) Perspective

CTI specialists are like cyber detectives, analyzing phishing campaigns, tracking threat actors, and warning companies about new tactics. They monitor the dark web, phishing kits, and malicious domains to provide early warning signals.

What they do: “Hey, attackers are now using AI-generated phishing emails that look ridiculously real. Watch out!”
Main goal: Gather intelligence so that Red Teams and SOC teams stay one step ahead.

Red Teaming Perspective

Red Teams simulate phishing attacks to test how well an organization can detect and respond to them. Their job is to be the bad guys (ethically, of course).

What they do: “Let’s see how many employees fall for our fake Microsoft login page.”
Main goal: Identify weak points before real attackers do.

SOC (Security Operations Center) Perspective

SOC analysts are the frontline defenders, responsible for detecting and responding to phishing attacks. They analyze suspicious emails, investigate alerts, and fight phishing attempts in real-time.

What they do: “Another phishing alert? Time to check the logs and trace this attack!”
Main goal: Detect and mitigate phishing before it causes damage.

Phishing & MITRE ATT&CK

MITRE ATT&CK categorizes phishing under Initial Access, because attackers use it as a gateway into networks.

Technique ID	Sub-Technique	Short Description	Platforms
T1566	Phishing	Delivering malicious content to a user	Windows, macOS, Linux
T1566.001	Spearphishing Attachment	Malware hidden in email attachments	Windows, macOS, Linux
T1566.002	Spearphishing Link	Malicious links leading to credential theft or malware	Windows, macOS, Linux
T1566.003	Spearphishing via Service	Phishing attacks using social media or cloud services	Windows, macOS, Linux
T1566.004	Spearphishing Voice	Using phone calls to manipulate victims	N/A

Notable Phishing Attacks & Examples

Famous Real-World Phishing Attacks:

Google & Facebook Scam (2013-2015) – Attackers impersonated a hardware vendor and tricked these tech giants into sending them $100 million in payments.
Sony Pictures Hack (2014) – Phishing emails led to the leak of confidential emails, movie scripts, and internal documents.
DNC Hack (2016) – A simple phishing email compromised the Democratic National Committee’s internal systems.
Colonial Pipeline Attack (2021) – One compromised password (likely from phishing) led to a ransomware attack shutting down the largest fuel pipeline in the U.S.

APT Groups & Phishing:

APT29 (Cozy Bear) – Used spearphishing in attacks on government agencies.
FIN7 – Targeted financial organizations with malicious emails and fake invoices.
Lazarus Group – Used phishing campaigns to steal millions in cryptocurrency.

Final Thoughts: Why Phishing is Still a Top Threat

Phishing is so effective because it targets the human element, which, let’s be honest, is always the weakest link. You can have the best firewall and endpoint security, but if someone clicks the wrong link, it’s game over.

The Hard Truth:

Phishing is cheap and scalable for attackers.
Security awareness isn’t enough, organizations need technical controls like email filtering, MFA, and anti-phishing tools.
Attackers keep evolving. Yesterday, it was “You won a free iPhone” emails. Today, it’s deepfake voice phishing pretending to be your CEO.

This is just Part 1 of phishing attacks. Next, we’ll break down each phishing technique in-depth, showing exactly how Red Teams execute them and how SOC teams defend against them.

Part #2: Phishing - Breaking It Down, One Attack at a Time

So, we’ve covered the big picture of phishing, how it works, why it’s a massive threat, and how different teams approach it. But now, it’s time to get tactical.

In this part, we’ll dissect each phishing technique, one by one. From weaponized email attachments to malicious links and social engineering tricks, we’re diving deep into how attackers execute these tactics, how Red Teams simulate them, and how defenders can shut them down before they do any real damage.

Grab your coffee, if you haven’t already ! - because this is where we turn theory into action.

Phishing - Spearphishing Attachment (T1566.001)
Phishing - Spearphishing Link (T1566.002)
Phishing - Spearphishing via Service (T1566.003)
Phishing - Spearphishing Voice (T1566.004)

Part #3: Phishing - Bypassing AV & EDR

After covering the fundamentals of phishing and simulating attacks in the previous two sections with the Red Teaming part, this part serves as a bonus deep dive into bypassing Antivirus (AV) and Endpoint Detection & Response (EDR) solutions when executing various TTPs.

Defenders continuously improve their security stacks, but attackers evolve just as fast. The reality is that modern AV/EDR solutions use signature-based detection, behavioral analysis, heuristic scanning, and AI-driven anomaly detection, making simple payload execution nearly impossible, unless you know how to evade them.

In this section, we’ll break down AV/EDR evasion techniques and how attackers bypass macro-based phishing payloads, malicious scripts, and fileless execution to achieve initial access without detection

Phishing - Spearphishing Attachment (T1566.001) & AV/EDR Bypass

Resources

Purple Teaming

This post is licensed under CC BY 4.0 by the author.