Phishing Attacks Complete Guide

1. Phishing Fundamentals

Phishing is a social engineering attack that uses deceptive communications to trick users into revealing sensitive information, clicking malicious links, or downloading malware. It remains the most effective initial access vector for attackers.

Why Phishing Works

• Trust exploitation: Impersonates known entities
• Urgency: Creates pressure to act quickly
• Authority: Poses as executives, IT, banks
• Fear: Threatens account suspension, legal action
• Curiosity: "You won!" "Check this out!"

2. Types of Phishing Attacks

3. Attack Techniques

Email Spoofing

# SMTP doesn't verify sender by default
# Attacker can set any "From" address

# Check email headers for:
Received: from mail.attacker.com (actual server)
From: [email protected] (spoofed address)

# SPF, DKIM, DMARC prevent spoofing when properly configured

Lookalike Domains

# Typosquatting examples:
company.com → cornpany.com (rn = m)
company.com → company.co
company.com → company-secure.com
company.com → cоmpany.com (Cyrillic 'о')

# Unicode/Punycode attacks
# аррӏе.com looks like apple.com but uses Cyrillic
# xn--80ak6aa92e.com (punycode)

Link Manipulation

# Display text vs actual URL
https://bank.com/login

# URL shorteners hide destination
https://bit.ly/abc123 → http://phishing-site.com

# Open redirect exploitation
https://trusted.com/redirect?url=http://evil.com

4. Red Team Phishing

GoPhish Setup

# Install GoPhish
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
unzip gophish-*.zip
./gophish

# Access at https://localhost:3333
# Default creds in terminal output

# Campaign setup:
# 1. Create email template (clone legit email)
# 2. Create landing page (clone login page)
# 3. Set up sending profile (SMTP)
# 4. Create user group (targets)
# 5. Launch campaign, track results

Evilginx2 (Credential + MFA Bypass)

# Evilginx is a man-in-the-middle framework
# Captures credentials AND session tokens
# Can bypass MFA!

./evilginx2
: config domain yourdomain.com
: config ip YOUR_IP
: phishlets hostname o365 login.yourdomain.com
: phishlets enable o365
: lures create o365
: lures get-url 0

# Victim visits phishing link → proxied to real site
# All credentials and cookies captured

5. Detection Methods

Email Header Analysis

# Key headers to check:
Received: (trace email path)
Return-Path: (bounce address)
X-Originating-IP:
Authentication-Results: spf=pass dkim=pass dmarc=pass

# SPF fail = likely spoofed
# DKIM fail = possibly modified
# DMARC fail = definitely suspicious

Red Flags

• Urgent/threatening language
• Generic greetings ("Dear Customer")
• Mismatched URLs (hover to check)
• Spelling/grammar errors
• Unexpected attachments
• Requests for credentials or money

6. Enterprise Defense

# DMARC record example
_dmarc.company.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"

# p=none (monitor), p=quarantine, p=reject
# Start with none, move to reject after monitoring

7. Security Awareness Training

• Phishing simulations: Regular testing with realistic scenarios
• Just-in-time training: Education when user fails simulation
• Report button: Easy way to report suspicious emails
• Metrics tracking: Click rates, report rates over time
• Executive training: Whaling targets need extra attention

8. Tools & Platforms

Offensive

• GoPhish: Open-source phishing framework
• Evilginx2: MFA bypass phishing proxy
• King Phisher: Feature-rich phishing toolkit
• Social Engineering Toolkit (SET): Multi-vector attacks

Defensive

• KnowBe4: Security awareness platform
• Proofpoint: Email security + awareness
• Cofense: Phishing detection and response

FAQ

Social Engineering Incident Response OAuth Security