How much is the phish


In this article I would like to write about phishing and bring some new ideas and perspectives to good old phishing. Please note this article will not be that technical, so don't expect a new tool or technique. But I want to answer the 25-year-old question from Scooter: How much is the phish (worth)?

Ready for some phishing

Phishing in general

What does phishing mean? Good question. A basic answer is that somebody sends spoofed messages or pages to lure the receiver into doing something. That was very basic, so let's zoom in a little bit: why are attackers sending phishing messages?

Let's split this question into two areas: the why and the goal. First the "why". From an attacker's perspective phishing is ideal! You can send someone a message and your target will (ideally) interact with it and, even better, do what you wanted. All of that without revealing your identity or disclosing any sensitive information about yourself - you remain (mostly) anonymous. Even further, the defense against phishing mails (on a technical level) is quite limited. Sure, they can be blocked, but attackers switch to new domains, use trusted providers, new techniques etc. to bypass those. In the end, the attackers use valid communication channels.

The second part of the question is a little bit more complex - the goals of attackers. I'll try to keep it simple; the primary areas are:

  • Phishing for credentials - the receiver is lured to a website where data needs to be submitted and the attacker can harvest the data. Usually used to obtain sensitive information like credentials, credit cards, etc.

  • Phishing with a payload - the receiver should (download and) execute a payload. The famous iPhone.exe is attached to a mail. Usually, this should grant an attacker access to the system of the receiver.

  • Phishing for action - the receiver is lured with a call to action to provide the attacker with something (e.g. money, access etc.). Usually, the attacker impersonates a superior or even C-level to apply pressure - e.g. the classic CEO fraud.

All those areas have their own attack paths and defense strategies.

Additionally, it is important to understand that a phishing attack is always an attack chain. This means that for a successful phish the message needs to bypass several defenses, one after the other. The chain also differs depending on the goal. For example, when an attacker wants credentials from a certain target, the message needs to bypass the following defenses:

  • the message needs to be delivered without being flagged

  • the target needs to open/read the message

  • the content needs to fit the expectation of the target

  • the call-to-action sounds reasonable

  • when the target executes the action (e.g. clicks a link), no technical defense mechanism blocks the action

  • the website where the credentials need to be entered looks and behaves like the real website

  • after the credentials are entered, the website responds correctly and the expected action/message is shown.

This entire chain must be traversed for an attacker to succeed. Additionally, each attack chain differs depending on the technique used, the communication channel, and the target. A general answer on how to defend against phishing does not exist.

How to defend against the phisher?

First, establish one thing - phishing will always be successful.

Most people know that phishing exists and that it can be harmful, so why is it still successful? This question has multiple answers.

The attackers are using regular communication channels (also important: phishing is not limited to mails, e.g. Microsoft Teams is also very popular - check out what my colleague did here) - this means somebody needs to differentiate between good and bad messages. On a technical level this is possible to a certain degree, but in the end a human being needs to decide. In a company environment, the security team can provide users with indicators of what a bad message looks like, but this will not work every time. Users have other tasks besides checking links or attachments. Further, it depends on the situation in which the user receives the message, whether it is a stressful one (e.g. on the way to an important meeting) or outside the regular work environment (e.g. mobile apps). Everyone can fall for a well-crafted phishing message.

The yearly preaching

Additionally, think of other circumstances: What does the regular communication within your organization look like - not the Christmas mail from the CEO, but all the other (partly automatic) messages a user receives every day? Are they designed with company branding? Is every link correctly displayed? Has the CFO never sent a mail from a private mail account for the latest bank transfer? Are executables never sent by mail internally? Those legitimate but phishy-looking messages undermine the indicators that are taught to users.

In the end, awareness is very good and important, but it is not enough and not the only part which should be in focus when it comes to the defense against phishing.

Your enduser

As an interim conclusion we can say: if an attacker has the time and resources to craft a targeted attack, everybody will fall for it.

Also note that an attacker has multiple, nearly infinite, tries. A defense strategy that relies on a user not clicking a link is set up to fail. Instead of just relying on the user, a successful defence requires defence in depth.

Now let's have a closer look at the different kinds of phishing.

Phishing for Action

With this technique, the target is tempted to execute some action for the attacker - normally to provide them with something (mostly money).

Goals and Execution

Here the attacker wants to lure the target into performing a certain action that is within the power of the user. This could mean they want the target to transfer money to a certain bank account, so the user should log in to the online banking platform and perform this action. On a technical level those attacks are quite low-level, but this does not mean they should be underestimated. To be successful, advanced attackers apply recon and social engineering to craft the message and the context as realistically as possible and to apply pressure on the target. To ensure the correct amount of pressure is applied, the attackers try to identify the superiors of the target or even try to impersonate C-level personnel of the target company.

The result is a reasonably personalized message, enhanced with organizational knowledge (e.g. superiors) and crafted with social engineering to ensure that under pressure the required action is performed.

Defence Strategy

To mitigate such messages on a technical level, the used communication channels need to be secured (e.g. for mail with SPF) to prevent the impersonation of users. Further, the signing or encryption of messages adds some security on a technical level, if available and used by the organization. Beyond that, the technical possibilities are limited - especially within chats or other direct communication channels impersonation can be amazingly easy.
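To make the "secure the mail channel" point concrete, here is an added example (not code from the original article) that reads a domain's SPF and DMARC TXT records and reports how easily the domain can be spoofed. The records and domain names are constructed sample values; in practice you would feed in the TXT records you look up for `<domain>` and `_dmarc.<domain>`.

```python
"""Assess a mail domain's anti-spoofing posture from its SPF and DMARC records.

Added example, not code from the original article. The TXT records below are
constructed sample values; in practice you would look up the TXT records of
<domain> and _dmarc.<domain> with your resolver and feed them in.
"""
import re

# Constructed sample records for three hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "weak.example": "v=spf1 include:_spf.mailprovider.example ~all",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "strong.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_dmarc.strong.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example",
    "open.example": "v=spf1 +all",
}


def parse_spf(record):
    """Return (qualifier of the 'all' mechanism, other terms) or None if not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    all_qualifier, others = None, []
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?])?all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"  # RFC 7208: a missing qualifier means "+" (pass)
        else:
            others.append(term)
    return all_qualifier, others


def parse_dmarc(record):
    """Return the DMARC tags as a dict, or None if the record is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_domain(domain, records):
    """Return a list of findings describing how easily the domain can be spoofed."""
    findings = []
    spf = parse_spf(records.get(domain, ""))
    if spf is None:
        findings.append("no SPF record: any host may claim to send mail for this domain")
    else:
        qualifier, _ = spf
        if qualifier in (None, "+", "?"):
            findings.append("SPF does not fail unlisted senders (no 'all', '+all' or '?all')")
        elif qualifier == "~":
            findings.append("SPF softfail (~all): unlisted senders are only marked, not rejected")
    dmarc = parse_dmarc(records.get("_dmarc." + domain, ""))
    if dmarc is None:
        findings.append("no DMARC record: receivers get no policy for mail that fails alignment")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: spoofed mail is only reported, still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: spoofed mail goes to spam rather than being rejected")
        if "rua" not in dmarc:
            findings.append("DMARC without rua: no aggregate reports showing who spoofs the domain")
    return findings


if __name__ == "__main__":
    for domain in ("weak.example", "strong.example", "open.example"):
        print(domain, assess_domain(domain, SAMPLE_RECORDS) or ["no findings"])
```

SPF on its own only covers the envelope sender; the From address the user actually sees is only protected once DMARC alignment is enforced, which is why a `p=none` policy is reported as a finding even when SPF looks fine.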

Therefore communication and awareness are important. Here is an (incomplete) list of things to consider:

  • Are users receiving messages from superiors or C-Level personnel from their private channels? (Especially financial instructions)

  • Are users aware of how to verify the correct origin of a message?

  • Are users aware of how to present themselves on social media (to prevent the exposure of sensitive information)?

  • What are the normal procedures for the requested actions (e.g. financial transactions) and is every user, superior, or C-Level aware of those procedures?

  • Establishment of a verification channel with the superiors or C-level personnel in case of critical or very short-term actions

For this case a technical solution is available but does not cover all cases or possibilities. Therefore it is much more important to ensure that proper communication paths and processes are established and known in all parts of the organization.

Phishing for credentials

As already stated - the target will be lured to a website where data needs to be submitted and the attacker can harvest the data. Usually used to obtain sensitive information like credentials, credit cards etc.

Goals and Execution

When an attacker is phishing for credentials, common public portals of cloud services (e.g. Office 365) or portals of the targeted company (e.g. Citrix portals) are copied and served from a different domain. Those should give the targeted user the confidence that everything is ok and they can enter their company credentials. So what to do?

The easiest and most basic answer here is: use multifactor authentication and everything will be fine - and this answer was (and mostly still is) correct. Now, in the year 2023, tools like Evilginx or NoPhish (shameless plug) are used to circumvent this security mechanism. This is done by extracting the session cookies of an authenticated user, which can easily be used by an attacker without knowledge of the password or the second factor.

Defence Strategy

For the defense against credential phishing this means: multifactor authentication is not enough. To effectively tackle those attacks, the defense team needs additional hardening of the login process. Mainly this means analysis of the device and location from where a user logs in. Ideally, automatic mechanisms block authentication requests (with or without multifactor authentication) if they are not coming from the correct device, location or time (e.g. Conditional Access). Additionally, some platforms use JavaScript, tokens, or other mechanisms to ensure the correct user logs on.
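The two ideas in that paragraph, a device-based login policy and detection of a stolen session cookie being replayed, can be expressed as checks over sign-in logs. The following is an added example, not code from the original article or from any identity provider: the JSON lines are constructed sample events, and the field names (`ts`, `user`, `event`, `mfa`, `session`, `ip`, `ua`, `device`) as well as the device registry are assumptions you would map to your own sign-in log schema.

```python
"""Sign-in log checks for credential phishing with session-cookie theft.

Added example, not code from the original article. The JSON lines below are
constructed sample events, and the field names (ts, user, event, mfa, session,
ip, ua, device) are assumptions; map them to your identity provider's sign-in
log schema before use.
"""
import json
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """
{"ts": "2023-05-02T08:01:10Z", "user": "alice", "event": "auth", "mfa": true, "session": "s-100", "ip": "198.51.100.23", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/112", "device": "LAPTOP-ALICE"}
{"ts": "2023-05-02T08:01:30Z", "user": "alice", "event": "access", "session": "s-100", "ip": "198.51.100.23", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/112", "device": "LAPTOP-ALICE"}
{"ts": "2023-05-02T08:09:45Z", "user": "alice", "event": "access", "session": "s-100", "ip": "203.0.113.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/110", "device": null}
{"ts": "2023-05-02T09:15:00Z", "user": "bob", "event": "auth", "mfa": true, "session": "s-200", "ip": "198.51.100.40", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/112", "device": "LAPTOP-BOB"}
{"ts": "2023-05-02T09:16:00Z", "user": "bob", "event": "access", "session": "s-200", "ip": "198.51.100.40", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/112", "device": "LAPTOP-BOB"}
{"ts": "2023-05-02T10:00:00Z", "user": "carol", "event": "auth", "mfa": true, "session": "s-300", "ip": "203.0.113.9", "ua": "Mozilla/5.0 (Macintosh) Safari/16", "device": null}
"""

# Assumed device registry (user -> registered device names), the kind of data a
# Conditional Access style policy consults.
REGISTERED_DEVICES = {"alice": {"LAPTOP-ALICE"}, "bob": {"LAPTOP-BOB"}}


def parse_events(text):
    """Parse JSON lines into dicts with real datetimes, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def evaluate_authentications(events, registered):
    """Policy: an authentication is allowed only with MFA and from a registered device.
    Returns {session id: "allow" | "block"}. A phishing proxy can relay the victim's
    password and second factor, but it cannot present the victim's device identity."""
    decisions = {}
    for e in events:
        if e["event"] != "auth":
            continue
        known_device = e.get("device") in registered.get(e["user"], set())
        decisions[e["session"]] = "allow" if (e.get("mfa") and known_device) else "block"
    return decisions


def detect_session_reuse(events, window=timedelta(hours=1)):
    """Flag a session presented from a different IP *and* user agent than the
    client that authenticated it, within `window` of the authentication.
    Requiring both to differ keeps ordinary IP roaming (mobile, VPN) out of the alerts."""
    anchors, alerts = {}, []
    for e in events:
        if e["event"] == "auth":
            anchors[e["session"]] = e
        elif e["event"] == "access":
            anchor = anchors.get(e["session"])
            if anchor is None:
                alerts.append((e["session"], e["user"], e["ip"], "access without observed authentication"))
            elif (e["ip"] != anchor["ip"] and e["ua"] != anchor["ua"]
                  and e["ts"] - anchor["ts"] <= window):
                alerts.append((e["session"], e["user"], e["ip"], "session reused from a different client"))
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print(evaluate_authentications(events, REGISTERED_DEVICES))
    for alert in detect_session_reuse(events):
        print("ALERT", alert)
```

In the constructed log, alice's session `s-100` is presented eight minutes after her MFA login from another address with another browser, which is exactly the pattern a replayed cookie produces, while carol's login is blocked because it comes from no registered device. The one-hour window and the "both IP and user agent differ" rule are tuning choices; widen or tighten them against your own false-positive rate.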

Next to the technical points also communication is key - especially if credentials were phished. Here is an (incomplete) list of things to consider:

  • the defense team needs to be aware of which credentials were phished and how they are used (e.g. are there other portals?)

  • How did the attacker interact with the target?

  • Are there other targets that could be identified, analyzed, or warned?

  • Do the affected platforms support the required logging detail to detect the use of the phished credentials?

  • Are the involved teams equipped with the correct procedures and criteria to differentiate between a true attack and a false positive? Nothing is more frustrating than an existing exception for a real phishing mail.

  • How fast was the successful phishing attack reported (by the user, help desk and/or security team) and how fast was the reaction applied?

  • What is the first reaction of the security team? Is all the required information available?

As you can see, even when a technical solution is available, that is not the end of it. In all infrastructures exclusions exist, false-positive rates have led to limiting the automatic actions of systems, and humans make errors in handling or implementing security measures. You need to ensure that all elements of your defense are working correctly and that everybody knows how to handle those cases.

Phishing with malware

The attacker tries to lure the target to open and execute the famous iPhone.exe which is attached to a message. Usually, this should grant an attacker access to the system of the receiver.

Goals and Execution

When the goal of an attacker is to execute malware on the target, additional information about the target itself is essential. What does the target expect - an update, an invoice, or a job application? Under which circumstances will the target interact with an attachment or execute commands? Also, the technical boundaries need to be considered - just sending an executable will not work, even Office files with macros can be very tricky. Therefore an attacker needs to choose the correct payload and the correct context for the phishing message.

I don't want to go too deep into how payloads are crafted because this is highly individual and changing rapidly (or relies on 0-day exploits).

Defence Strategy

This also sets the requirements for the defense mechanisms. On a technical level, the user should not receive content that could be harmful (e.g. executables, scripts etc.) by default, which most modern firewalls or mailing solutions already block. Yet the defense must not stop here - even when a malicious payload gets through and the user executes it, the client security needs to block it and security personnel needs to start analyzing the incident. Therefore the security and hardening level of the client is essential when handling phishing with malware.
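What "should not receive harmful content by default" looks like at the gateway is a check that trusts neither the file name nor the sender. The following is an added example, not the article's code and not any product's filter: it classifies attachments by extension, by the leading bytes of the content (so an executable renamed to `.pdf` is still caught) and by whether an Office package carries a VBA project. All attachment bytes are constructed in memory, and the blocked-extension list is an assumed policy to adjust to your own.

```python
"""Classify a mail attachment by extension and by what the bytes actually are.

Added example, not the article's code. The attachment bytes below are constructed
in memory (a stub PE header, a minimal PDF and a tiny OOXML package), not real files;
the extension list and verdicts are assumptions to adjust to your policy.
"""
import io
import zipfile

# Extensions that most mail gateways reject outright (assumed policy for this example).
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "dll", "msi", "js", "jse", "vbs", "wsf",
                      "hta", "ps1", "bat", "cmd", "lnk", "iso", "img"}

# Well-known leading bytes ("magic") of common executable and container formats.
MAGIC = [
    (b"MZ", "pe-executable"),               # Windows PE header
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip-container"),       # also .docx/.xlsx/.docm (OOXML packages)
    (b"\xd0\xcf\x11\xe0", "ole-compound"),  # legacy .doc/.xls/.ppt
]


def sniff(data):
    """Identify the real content type from leading bytes, regardless of the file name."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def ooxml_has_macros(data):
    """True if an OOXML package carries a VBA project (stored as vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as package:
            return any(name.lower().endswith("vbaproject.bin") for name in package.namelist())
    except zipfile.BadZipFile:
        return False


def assess_attachment(filename, data):
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension .{ext} is not accepted by mail"
    if kind == "pe-executable":
        return "block", f"content is a Windows executable although named .{ext}"
    if kind == "zip-container" and ooxml_has_macros(data):
        return "review", "Office document contains a VBA project (macros)"
    if kind == "ole-compound":
        return "review", "legacy binary Office format, may carry macros"
    if ext == "pdf" and kind != "pdf":
        return "review", "named .pdf but the content is not a PDF"
    return "allow", f"{kind} content with .{ext} extension"


def build_sample_docx(with_macros):
    """Construct a minimal OOXML-like package in memory (a stand-in, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            package.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


# Constructed sample attachments: (file name as shown to the user, bytes).
SAMPLE_ATTACHMENTS = [
    ("iPhone.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),       # executable renamed to .pdf
    ("invoice.pdf", b"%PDF-1.7\n% constructed minimal pdf\n"),
    ("application.docm", build_sample_docx(with_macros=True)),
    ("application.docx", build_sample_docx(with_macros=False)),
]


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        print(f"{name:18} -> {assess_attachment(name, data)}")
```

The "review" verdict is deliberately separate from "block": macro documents and legacy Office formats are still legitimate business traffic in many organizations, so they go to sandboxing or a human rather than straight to the bin. Nested archives (an executable inside a `.zip`) are not unpacked here; a production filter would recurse into containers as well.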

As with credential phishing, next to technical defense mechanisms organizational ones are essential. Additionally, communication is key, and again an (incomplete) list of things to consider:

  • When a user executes malware: Is the target aware of whom to contact?

  • Is the next contact aware of how to manage the request (correct priority etc.)?

  • How fast can other targets be identified, analyzed, or warned?

  • How fast does the security team react and what does the reaction look like?

  • Is the security team limited in their reaction on a technical or organizational level (e.g. time differences)?

  • Are all required logs (e.g. antivirus, client, EDR etc.) accessible and do they contain the relevant information?

  • Spoiler: Was this whole procedure ever assessed?

You can see: from a technical point of view it is good to have the basics in place. From the organizational point of view, many clever questions without an answer remain. Let's shed a little light on how to proceed.

The click

I hope it is now clear that a phishing message is simple, but how to respond to it can be complex and should consider more than just installing antivirus software and telling the user that clicking links is bad.

Maybe an additional awareness method

Furthermore, phishing is so popular because it works - and it works on everybody. If an attacker has enough time and resources, the resulting targeted attack will (mostly) succeed. This is proven by the many ransomware attacks or simulations like red teaming. With that in mind and the defense strategies outlined, it should be clear that the defense against phishing attacks is more complex. When something is complex and dependent on an organized response, the whole process needs to be tested to ensure everything is done as expected and to identify weaknesses within the defense construct.

Now you may think - "Yeah, sounds good, let's do a phishing test!" - and yes, that is a very good idea, but here we have a big "BUT". In a normal phishing test the goal is to measure click rates - how many users clicked on the link? Or sometimes, how many users entered data? - but this is only the beginning of your defense strategy. Your goal should be to test the whole defense.

Based on this understanding, you should set up phishing tests with different goals, measure them accordingly, and also consider shifting the focus.

I like click rates

During the planning of a phishing test

Alright, in the past you conducted phishing tests and the results were click rates? If you are in this state you can still conduct those tests and preach awareness, but what if the click rates are not improving? Or you may wonder (after reading this article) if that is really the right approach. Then maybe shift your focus a bit during the next phishing test and follow up on the phishing messages:

  • How many were reported to the IT team?

  • How were they managed by the IT team?

  • What were the procedures the IT applied?

  • How fast was any reaction applied?

  • Are the users aware of what to do with phishing mail?

This gives you a basic idea of the current state of your security procedures around phishing - and areas to improve on. But maybe you already did this and want to go to the next level.
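The questions above translate into numbers that a phishing test can report alongside the click rate: who reported, how quickly, how long IT took to triage and contain, and how many credentials were submitted while the link was still live. The following is an added example, not code from the original article or any phishing platform; the CSV is a constructed event log for a hypothetical test with five recipients, and the event names (`sent`, `opened`, `clicked`, `submitted`, `reported`, `triaged`, `contained`) are assumptions.

```python
"""Metrics for a phishing test beyond the click rate.

Added example, not code from the original article. The CSV below is a constructed
event log for a hypothetical test with five recipients; the event names (sent,
opened, clicked, submitted, reported, triaged, contained) are assumptions, not a
standard from any phishing platform. Rows for user "it" are the IT/security team's actions.
"""
import csv
import io
from datetime import datetime
from statistics import median

# Constructed sample event log (not real data).
SAMPLE_EVENTS = """\
timestamp,user,event
2023-05-02T08:00:00Z,u1,sent
2023-05-02T08:00:00Z,u2,sent
2023-05-02T08:00:00Z,u3,sent
2023-05-02T08:00:00Z,u4,sent
2023-05-02T08:00:00Z,u5,sent
2023-05-02T08:03:00Z,u3,reported
2023-05-02T08:05:00Z,u1,clicked
2023-05-02T08:07:00Z,u1,reported
2023-05-02T08:10:00Z,u2,clicked
2023-05-02T08:11:00Z,u2,submitted
2023-05-02T08:20:00Z,u4,opened
2023-05-02T08:30:00Z,u5,clicked
2023-05-02T08:40:00Z,it,triaged
2023-05-02T09:00:00Z,it,contained
2023-05-02T09:30:00Z,u5,reported
"""


def load_events(text):
    """Parse the CSV into dicts with real datetimes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        rows.append(row)
    return rows


def minutes_between(start, end):
    return (end - start).total_seconds() / 60


def campaign_metrics(events):
    """Return the numbers that describe the whole chain, not only who clicked."""
    first = {}  # (user, event) -> earliest timestamp of that event for that user
    for e in sorted(events, key=lambda r: r["timestamp"]):
        first.setdefault((e["user"], e["event"]), e["timestamp"])
    targets = {u for (u, ev) in first if ev == "sent"}
    clicked = {u for u in targets if (u, "clicked") in first}
    submitted = {u for u in targets if (u, "submitted") in first}
    reported = {u for u in targets if (u, "reported") in first}
    sent_at = min(first[(u, "sent")] for u in targets)
    report_times = sorted(first[(u, "reported")] for u in reported)
    first_report = report_times[0] if report_times else None
    triaged = first.get(("it", "triaged"))
    contained = first.get(("it", "contained"))
    return {
        "targets": len(targets),
        "click_rate": len(clicked) / len(targets),
        "submit_rate": len(submitted) / len(targets),
        "report_rate": len(reported) / len(targets),
        # share of clickers who still reported: the "oops, I clicked" reports you want to encourage
        "clicked_and_reported": len(clicked & reported) / len(clicked) if clicked else None,
        "median_minutes_to_report": median([minutes_between(sent_at, t) for t in report_times]) if report_times else None,
        "minutes_first_report_to_triage": minutes_between(first_report, triaged) if first_report and triaged else None,
        "minutes_first_report_to_containment": minutes_between(first_report, contained) if first_report and contained else None,
        # credentials submitted while the phishing page was still reachable
        "submissions_before_containment": sum(1 for u in submitted if contained is None or first[(u, "submitted")] < contained),
    }


if __name__ == "__main__":
    for key, value in campaign_metrics(load_events(SAMPLE_EVENTS)).items():
        print(f"{key:38} {value}")
```

On the constructed data the click rate (60%) says little on its own: the same test shows that the first report arrived after three minutes, that IT needed 37 minutes to pick it up and 57 minutes to contain it, and that one set of credentials was entered inside that window. Those last three numbers are the ones the follow-up questions above are asking about.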

I don't like click rates

You after this article

Great, so you don't like click rates because they oversimplify a very complex topic? Good! How about an initial access simulation? Before we play buzzword bingo ... what is the goal? You have security procedures and teams in place, and your users are aware of those and know (roughly) what to do. On a technical level, your client systems are hardened and public logins are monitored. Why not test it all? In an initial access simulation we try to phish your users and see if initial access can be gained (e.g. malware can be executed, logins spoofed etc.). The goals and what should be achieved are defined together with you - should the test be more focused on malware or logins, are the targets developers or customer support, etc.? This gives you the possibility to test your whole security chain against phishing attacks and see how it performs under real circumstances:

  • How does your antivirus perform?

  • Are the logs correctly evaluated?

  • What is the response of the security team?

  • Are the tickets and cases created correctly and picked up in time?

  • How do your public portals respond to logins from different locations?

This will give you some areas where you can improve your processes and used technologies. Additionally, it will increase your resilience against phishing so that you will be hungry for the next phish.

I like to eat phish

Your security vs us

Awesome, your organization is hardened and ready to tackle every phish which comes along. The next step is to test this, but now with a full-blown assessment - a red teaming. With a red teaming assessment a real targeted attack is simulated; this tests your whole organization over an extended period (like a real attacker would) to find a way into your network. Further, the assessment will evaluate your internal infrastructure to see how far a real attacker would get and whether they could achieve full control over your network. This is only an abstract of what a red team can do - usually this is a highly individual process discussed with the customer - but it is the "rubber-meets-the-road" moment for every security process in an organization.

What else?

I hope this provided you with some new perspective on phishing and especially on phishing tests.

Oh, and the answer to the question "How much is the phish?" is "It depends on your defense, but it can be expensive".

Hopefully you never find it out