How To Send A Test Phishing Email In 5 Steps (Using Actual Phishing Techniques)
Cyber criminals are constantly coming up with new and innovative techniques to deliver phishing emails that trick employees.
Understanding what these techniques are, how to spot them, and how to replicate them is not something you'll easily find an answer for.
The reason is that attackers don't want security vendors to know their techniques, and the security vendors that do work them out rarely publish them, as the knowledge is typically considered proprietary.
In this article, we'll look to shed some light on how phishing attacks are conducted and how you can replicate these techniques to deliver realistic test phishing emails.
What You'll Learn In This Article.
- How to use domain spoofing to add an additional layer of realism to test phishing emails.
- How attackers can abuse email marketing platforms to deliver phishing emails.
- How to use personal information such as first names, last names, and job titles to personalize phishing.
- Where you can find a library of phishing emails to select from for your test phishing campaign.
- How to embed malicious payloads within your test phishing emails.
What Is A Phishing Email?
Phishing emails are used to perform social engineering attacks where cyber criminals attempt to convince victims that they're from a legitimate sender. To do this, cyber criminals will commonly attempt to masquerade as seemingly legitimate services or individuals and abuse an implicit trust relationship that the victim has with that service or individual.
"Most phishing emails are not personalised or targeted to a specific individual or company–this is termed "bulk" phishing. More targeted forms of email phishing include spear phishing, whaling, CEO fraud and clone phishing"
The end goal of these attacks is to steal sensitive information, harvest account credentials or directly steal funds through a business email compromise attack (e.g. gift card scams).
To succeed, phishing emails need to combine a variety of tactics and techniques. In the following sections we'll delve into these tactics and techniques.
1. Abusing Lookalike, Compromised Or Spoofable Domains
This component of a phishing email is all about the address the email appears to come from. It's often the first thing a target sees, so it's crucial to the attacker that the target believes the address belongs to a trustworthy sender. To achieve this, attackers have a number of techniques at their disposal:
1.1 Spoofing Email Display Names
Setting the display name shown alongside an email's 'From' address is a standard feature of every mail client, and anyone can abuse it. It serves a range of legitimate purposes, such as identifying yourself by your name, title, the team you represent or your company. But the display name is free text that no authentication check (SPF, DKIM or DMARC) ever verifies, and some clients, mobile ones in particular, show only the display name and hide the underlying address, so it's also commonly abused with malicious intent.
1.2 Purchasing Lookalike Phishing Domains
Purchasing domains that look like those used by legitimate services is a common technique among cyber criminals. All an attacker needs is around $12 to spend with a domain registrar: they register the lookalike, publish an SPF record for it so that its mail passes authentication checks, and then they're free to use it for email phishing.
1.3 Spoofing Domains Through SPF-Bypass
Spoofing domains can occur in a number of different ways. In fact, we've documented six different spoofing techniques that attackers can abuse.
One technique in particular is frequently abused and lets an attacker pass SPF while still displaying a spoofed sender: they misalign the SMTP envelope MAIL FROM (the address the receiving server records as the Return-Path) and the From header in the message body. SPF is checked against the envelope MAIL FROM, which the attacker points at a domain they control and have published an SPF record for, while the mail client only displays the From header, which names the domain being impersonated. DMARC exists to close this gap: it requires the SPF-authenticated domain to align with the From header domain (exactly in strict mode, or sharing the organisational domain in relaxed mode) and tells receivers what to do on failure. The check only has teeth, though, if the impersonated domain publishes a DMARC record with p=quarantine or p=reject; many organisations still publish p=none, or no record at all, so the misaligned message is delivered and the spoofed address is what the target sees. For a demonstration of how this attack works, click here.
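The following Python models the receiver-side decision described in 1.3, together with a simple check for the display-name trick in 1.1. It is an added example written for this article, not CanIPhish's code or any tool's implementation. The DMARC records, domains and addresses are constructed for the example (a real check would query the _dmarc TXT record over DNS), only SPF is modelled (DKIM is omitted, so a real evaluator is more permissive than this one), and the organisational-domain rule is simplified to the last two labels rather than the Public Suffix List.

```python
import re

# Constructed DMARC TXT records keyed by domain; stand-ins for what a real
# check would fetch by querying _dmarc.<domain> TXT over DNS.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "bank.example": "v=DMARC1; p=reject; aspf=s; adkim=s",
}

POLICY_ACTION = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}

ROUTE_ADDR_RE = re.compile(r"^\s*(?P<name>.*?)\s*<\s*(?P<addr>[^<>\s]+)\s*>\s*$")


def split_from(header_from):
    """Split 'Display Name <user@domain>' into (name, address).

    A deliberately simple regex: email.utils.parseaddr handles a display name
    that itself contains an address differently across Python versions."""
    m = ROUTE_ADDR_RE.match(header_from)
    if m:
        return m.group("name").strip('" '), m.group("addr")
    return "", header_from.strip()


def domain_of(address):
    return split_from(address)[1].rsplit("@", 1)[-1].lower().rstrip(".")


def org_domain(domain):
    """Organisational domain, simplified to the last two labels. Real
    evaluators use the Public Suffix List (example.co.uk breaks this rule)."""
    return ".".join(domain.split(".")[-2:])


def parse_dmarc(record):
    """Split a DMARC TXT record into tags, filling the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    tags.setdefault("p", "none")
    tags.setdefault("aspf", "r")  # relaxed SPF alignment unless aspf=s
    return tags


def spf_aligned(envelope_from, header_from, mode):
    """DMARC identifier alignment between the SMTP MAIL FROM domain (which SPF
    checked) and the header From domain (which the mail client shows)."""
    env, hdr = domain_of(envelope_from), domain_of(header_from)
    return env == hdr if mode == "s" else org_domain(env) == org_domain(hdr)


def evaluate(envelope_from, header_from, spf_result):
    """Receiver-side DMARC decision, modelled on SPF only. DKIM is left out
    for brevity; a real evaluator passes if either identifier aligns."""
    record = DMARC_RECORDS.get(domain_of(header_from))
    if record is None:
        return {"dmarc": "none", "action": "deliver", "why": "no DMARC record"}
    tags = parse_dmarc(record)
    aligned = spf_aligned(envelope_from, header_from, tags["aspf"])
    if spf_result == "pass" and aligned:
        return {"dmarc": "pass", "action": "deliver", "why": "SPF passed, aligned"}
    return {"dmarc": "fail", "action": POLICY_ACTION.get(tags["p"], "deliver"),
            "why": f"SPF {spf_result}, aligned={aligned}, p={tags['p']}"}


def display_name_mismatch(header_from):
    """Section 1.1 heuristic: flag a display name that carries an address or
    domain different from the real one, e.g. 'ceo@bank.example <x@gmail.com>'."""
    name, addr = split_from(header_from)
    m = re.search(r"@([A-Za-z0-9.-]+)", name)
    return bool(m) and m.group(1).lower() != domain_of(addr)


if __name__ == "__main__":
    # The attacker controls attacker.example, so SPF passes for that MAIL FROM,
    # but the header From names the victim's domain. Outcome depends on policy.
    for hdr in ("IT Support <it@example.com>", "Alerts <alerts@bank.example>"):
        print(hdr, "->", evaluate("bounce@attacker.example", hdr, "pass"))
```

Run as a script, the example.com message (p=none) fails DMARC yet is delivered, while the identical trick against bank.example (p=reject, strict alignment) is rejected; that difference is the whole point of hardening the record.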
2. Gaining Access To High Reputation Email Infrastructure
This component of a phishing email is all about the actual delivery of an email from the sender to the recipient. Cyber criminals will often attempt to gain access to high reputation email infrastructure to increase the likelihood that their emails land in target inboxes. Typically, attackers will use one of three techniques to do this:
2.1 Abusing Freemium Email Marketing Services
Attackers will often abuse free or freemium email services such as Gmail, Campaign Monitor, SMTP2GO, etc. for the delivery of phishing emails. The providers of these services closely monitor their platforms and will quickly ban any user who abuses them for malicious intent. For this reason, attackers only ever see short-term success, or can only use these platforms for highly targeted, non-bulk phishing campaigns.
2.2 Compromising Email Infrastructure Operated By Legitimate Businesses
If an attacker can compromise the email infrastructure of a business, they will often abuse it to deliver bulk spam and phishing, and even for highly targeted spear phishing of the business's customers. The benefit to the attacker is that businesses often maintain high-reputation email infrastructure, since they typically deliver legitimate emails. Because of this, email filtering technologies place a higher level of trust in emails received from these servers and are less likely to flag them as malicious.
2.3 Purchasing Email Infrastructure From Unsuspecting Hosting Providers
Hosting providers such as Azure, GCP and DigitalOcean typically restrict their customers from using the platform to deliver outbound email. The restriction usually takes the form of blocking outbound connections to other SMTP servers on TCP port 25. With a bit of social engineering of the provider's support team, this can typically be bypassed. While these cloud providers don't monitor abuse of their compute infrastructure as closely as the freemium email providers do, if an external threat intelligence organisation flags one of their IP addresses as sending malicious material they will take immediate action and disable the account. For this reason, threat actors will typically only use this infrastructure for non-bulk targeted phishing.
3. Abusing Personally Identifiable Information To Create Targeted Phishing
With major data breaches making headlines on a near-weekly basis (Optus and Medibank at the time of writing), it is becoming ever easier for cyber criminals to obtain target information such as email addresses, first names, last names and employers. Attackers use this information either to target an individual directly or to find out more about them through social media and other open-source intelligence techniques. A target's employer and job title in particular suggest what type of phishing material they are likely to be susceptible to (e.g. crypto, banking or local government themed phishing; an accounts payable officer is a natural target for a fake invoice). To see how simple information such as first names and last names can drastically impact phish click rates, simply look at our Phishing Email Inbox Simulator.
4. Creating Phishing Emails That Masquerade As Popular Services
With how intertwined the average individual is with the internet, any given target may be using dozens of internet-connected services: online banking, social media, online retail, cloud storage, cloud collaboration and much more. It's easy to see how a cyber criminal could guess a service that a large number of targets are likely using. To masquerade as a legitimate service, all an attacker needs to do is either identify an open-source repository of phishing emails they can leverage, or simply sign up for a free account with the service provider and replicate one of its transactional emails, such as those sent for forgotten passwords or account lockouts. To take a look at what a phishing email library may look like, simply look at what CanIPhish provide.
5. Choosing A Phishing Payload
Cyber criminals are typically motivated by one of three things. They either want to steal sensitive information such as military or trade secrets, blackmail organisations through ransomware-style attacks or directly steal money through CEO-fraud and Business Email Compromise. To achieve these goals, attackers will typically use one of three payload methods:
5.1 Credential Harvesting
Typically comes in the form of a malicious link embedded within an email. When clicked, the target is led to a phishing website that masquerades as a trusted service and asks for login credentials. Once these are entered, the cyber criminal can assume the identity of the target, steal data, or use what they find for extortion.
5.2 Endpoint Compromise
Typically comes in the form of an attachment embedded within an email. When downloaded and opened (and any security prompt dismissed), the attachment compromises the target's endpoint and gives the attacker remote control of the computer. From there, the attacker can perform a variety of actions such as stealing information, using it for extortion, and moving laterally to any networks the endpoint has access to.
5.3 Reply-To Attacks
Typically comes in the form of an email that entices the target to reply directly; a Reply-To header lets the attacker route those replies to a mailbox they control even when the From address is spoofed. This type of payload is usually multi-staged and socially engineers the individual into trusting the attacker's identity: the attacker pretends to be an executive, customer or trusted partner who needs a payment made or bank account details updated, which results in the theft of money.
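Steps 3 to 5 above come together in a single mail-merge. The following Python is an added example written for this article, not CanIPhish's code or any phishing kit: it takes a constructed target list, picks a lure theme from the job title, personalises a template, embeds a per-recipient HMAC tracking token in the landing-page link (the credential-harvesting payload of 5.1) and builds each message with whatever display name you choose. The landing-page URL, the campaign secret, the target list, the sender address and the X-Phish-Simulation header are all assumptions; the header is a common way to let your own mail filter recognise and allow-list a simulation. Nothing is sent: pass the messages to smtplib's send_message(msg, from_addr=...) to set the envelope sender separately from the header From, which is exactly the misalignment described in 1.3.

```python
import csv
import hashlib
import hmac
import io
from email.message import EmailMessage
from string import Template
from urllib.parse import urlencode

# Constructed target list for the example; these are not real people.
TARGETS_CSV = """email,first_name,last_name,job_title
a.jones@example.com,Alex,Jones,Accounts Payable Officer
s.chen@example.com,Sam,Chen,IT Systems Administrator
"""

# Assumptions: the landing page belongs to the simulation operator, and the
# secret is generated per campaign so tokens can't be forged or reused.
LANDING_BASE = "https://phish-sim.example.net/login"
CAMPAIGN_SECRET = b"replace-with-a-random-per-campaign-secret"

# Two lure themes. The job title (step 3) decides which one a target gets:
# finance staff see a supplier invoice, everyone else a password-reset notice.
THEMES = {
    "invoice": (
        "Invoice INV-$ref awaiting your approval",
        Template(
            "Hi $first_name,\n\n"
            "Invoice INV-$ref for $employer is awaiting your approval\n"
            "in the supplier portal. Review it here:\n\n$landing_url\n\n"
            "Accounts Team"
        ),
    ),
    "password_reset": (
        "Action required: your password expires in 24 hours",
        Template(
            "Hi $first_name,\n\n"
            "The password for $email expires in 24 hours.\n"
            "Reset it now to keep access:\n\n$landing_url\n\n"
            "IT Service Desk"
        ),
    ),
}


def choose_theme(job_title):
    """Map a job title to a lure theme; default to the generic password reset."""
    title = job_title.lower()
    if any(k in title for k in ("account", "finance", "payable", "treasury")):
        return "invoice"
    return "password_reset"


def load_targets(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def tracking_token(campaign_id, email):
    """HMAC over campaign and recipient: identifies who clicked without putting
    the address in the URL, and can't be guessed or altered by a recipient."""
    data = f"{campaign_id}:{email.strip().lower()}".encode()
    return hmac.new(CAMPAIGN_SECRET, data, hashlib.sha256).hexdigest()[:20]


def landing_url(campaign_id, email):
    query = urlencode({"c": campaign_id, "t": tracking_token(campaign_id, email)})
    return f"{LANDING_BASE}?{query}"


def resolve_click(campaign_id, token, targets):
    """Map a token from a landing-page hit back to the target, or None.
    compare_digest keeps the comparison constant-time."""
    for target in targets:
        if hmac.compare_digest(tracking_token(campaign_id, target["email"]), token):
            return target
    return None


def build_message(target, campaign_id, sender_display, sender_addr, employer):
    subject_tpl, body_tpl = THEMES[choose_theme(target["job_title"])]
    token = tracking_token(campaign_id, target["email"])
    fields = dict(target, employer=employer, ref=token[:6].upper(),
                  landing_url=landing_url(campaign_id, target["email"]))
    msg = EmailMessage()
    # The display name is free text (section 1.1); nothing ties it to the address.
    msg["From"] = f"{sender_display} <{sender_addr}>"
    msg["To"] = target["email"]
    msg["Subject"] = Template(subject_tpl).safe_substitute(fields)
    msg["X-Phish-Simulation"] = campaign_id  # assumed header your own filter allow-lists
    msg.set_content(body_tpl.safe_substitute(fields))
    return msg


def build_campaign(csv_text, campaign_id, sender_display, sender_addr, employer):
    return [build_message(t, campaign_id, sender_display, sender_addr, employer)
            for t in load_targets(csv_text)]


if __name__ == "__main__":
    for m in build_campaign(TARGETS_CSV, "c2024-01", "IT Service Desk",
                            "helpdesk@notifications.example.net", "Example Corp"):
        print(m.as_string())
        print("-" * 60)
```

The token is an HMAC rather than the recipient's address or a sequential ID, so the landing page can attribute a click to a person without exposing addresses in URLs and without a recipient being able to forge a hit for a colleague; resolve_click is what the landing page would call when the link is opened.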
Sending realistic phishing emails may sound like an easy activity but when you bundle together all the infrastructural components necessary to kick-off a phishing campaign, the technical difficulty adds up. It's for this reason that there are cyber criminals who specialise in phishing and offer phishing kits to the highest bidder. These phishing kits attempt to automate many of the components necessary to successfully conduct a phishing campaign, with attackers often only needing to supply their own email server, domain and target list to get started.
The team at CanIPhish looks to protect against phishing by training your last and most effective line of defence... your employees. To get started, all you need to do is sign-up for a free account and begin sending simulated phishing emails. If you'd like to check if your domain is vulnerable to domain spoofing, simply use CanIPhish's Domain Tools to identify this for you.
If you have any questions or need additional advice on how to detect phishing attacks, please feel free to reach out to me directly via Email, LinkedIn or the CanIPhish Contact us page.