How Can We Turn a Hacker’s Toolkit Against Them? The Evolution of a Phishing Email

By Jack Chapman, VP of Threat Intelligence, Egress

Hackers use many tools at each stage of an attack and with the sophistication of attacks escalating rapidly, it’s vital we understand what they have in their arsenal. These tools are often readily available online, both free of charge and to buy, and are easy to use for even non-technical cybercriminals.

Understanding a hacker’s tools and tactics is essential for cyber security practitioners and vendors aiming to build effective defenses and stay one step ahead of a quickly evolving host of cyber threats. For example, while attackers can change the content, graphics, and payloads of a phishing email, the right technology can detect the tell-tale signs in its underlying structure, its context, and delivery mechanism. Email is a high risk threat vector and with 91% of organizations reporting they had security incidents from outbound email and 92% falling victim to phishing, according to the Egress Email Security Risk Report, care is required when using it. At Egress we analyze thousands of phishing emails and investigate ways to reverse engineer repeatable elements against hackers.

In this article, I walk through the various tools that support the first three stages of the cyber kill chain: reconnaissance, weaponization, and delivery. Most importantly, this article will cover ways to defend against these tactics, including best practices on security awareness training, impersonation protection policies, and keeping applications as secure as possible.

What’s in an attacker’s toolkit?

Different tools are used at each stage of the cyber kill chain. Ultimately, if an attack can be detected and prevented at delivery (a phishing email), it will be killed earlier within the kill chain to help keep employees safe.

And by understanding the intricacies of these stages, you too can start to think like a hacker, prepare for the tactics they use, and implement stronger defenses.

Reconnaissance: Locate the target

This is the first stage of the kill chain, where a bad actor sets out their objectives, finds a target and researches them. There are a variety of tools that make it easier for bad actors to search for targets within your organization and assess their likelihood of falling for an attack. These range from Google, marketing contact databases, and social media sites, to email trackers that can show whether a recipient has interacted with an email.

Our 2021 Insider Data Breach survey revealed that 94% of organizations experienced a data breach in the last 12 months. Furthermore, these breaches can leave a company’s data exposed, increasing the risk of phishing threats. In short, it’s time to batten down the hatches.

A bad actor can use a variety of free and paid-for tools to assess a company’s email security system and its defenses. This enables them to understand any existing vulnerabilities that can be exploited and try to craft their attacks to evade detection. This is aided by the phenomenon aptly titled phishing-as-a-service, a growing trend of cybercriminals diversifying and selling their software and/or expertise to lesser-skilled prospective hackers.

Weaponization: Crafting the phish

After reconnaissance, the next step is crafting the phishing email – which can contain a malicious payload, or it can rely on social engineering without any payload.

Phishing kits can be used to create spoofed websites to steal a target’s credentials, steal multi-factor authentication (MFA) tokens, and evade detection from security technology.

The more expensive kits will include tactics to evade detection by cybersecurity technologies, including:

• HTML obfuscation techniques using encryption, encoding, and whitespace
• IP address blocklists to identify and block connections from security vendors attempting to scan the webpage for signs of a threat
• User agent blocking (again to identify and block connections from known security crawlers)
• Use of compromised or legitimate sites for hosting

We often see these attacks spike around key dates, with attackers weaponizing the news cycle. For example, ahead of US Tax Day this year, our threat analysts saw a 164% increase in tax-related phishing emails since February 2023 and a 32% increase versus 2022 levels. Typically, in these attacks, cybercriminals attempt to convince victims that they have a tax refund available or have underpaid their taxes, when in reality, the email contains a malicious link or attachment.

Delivery: The trojan horse

Once a target has been found and an email has been weaponized, the next function of the toolkit is to help an attacker evade both email security and the scrutiny of the human recipient once it’s delivered.

Using a compromised email account to send phishing emails makes it less likely they’ll be detected by email security solutions. This is called business email compromise, or ‘BEC’ and it presents a growing problem for organizations of all sizes. BEC causes 37% of cybercrime losses that are reported to the FBI, and over $43bn has been lost due to BEC attacks. But, when a bad actor doesn’t have access to a compromised account, they can rely on various tools to get their attack into the organization. These include legitimate email sending tools, such as those used for marketing and communication purposes, burner email addresses, and free webmail accounts. Additionally, impersonation attacks can leverage the organization’s own tools (Microsoft Azure AD and Outlook) to add authenticity to an attack.

Preventing the preventable

With the inner workings of the hacker’s toolkit exposed, the focus turns to cyber security best practice. By implementing regular security awareness and training (SA&T), organizations go some way to help empower their employees to identify and deal with phishing attempts before an attacker manages to steal valuable data. Additionally, organizations should augment their defenses with an integrated cloud email security solution (ICES). ICES solutions protect organizations from advanced email attacks by analyzing email content for signs of BEC.

With phishing attempts being a near-constant business threat, users engage at the point of risk, empowering them to not only understand why an email has been flagged as dangerous but also identify compromise from a trusted source.

About the Author

Jack is VP Threat Intelligence at Egress, with expertise on the cyber-threat landscape & trends, cyberattack psychology, and designing & developing intelligent cyber security solutions. He joined Egress in June 2021, having previously co-founded a phishing defense platform. He graduated from the University of York in 2015 with a bachelor’s degree in computer science.

Jack can be reached online at Jack Chapman | LinkedIn and at our company website www.egress.com