Technical defenses are getting stronger. It costs $0 to send an email, but $1M to buy a Zero-Day exploit for Chrome. This is why 90% of all cyberattacks start with Phishing. It is the path of least resistance.
The Evolution of Phishing
Forget the "Nigerian Prince". Modern phishing uses AI to write perfect English, scrapes your LinkedIn to know your boss's name (Spear Phishing), and uses "Adversary-in-the-Middle" (AiTM) proxies to bypass Multi-Factor Authentication (MFA).
1. The Technical Setup: GoPhish
To train your employees, you must think like an attacker. GoPhish is the industry standard open-source phishing framework.
1.1. Infrastructure
You need a VPS and a domain name that looks "close enough" to the target.
Target: company.com
Attacker: company-support-portal.com
1.2. JSON Config for Campaign
GoPhish allows you to define "Sending Profiles" and "Landing Pages".
2. Advanced Tactics: Bypassing MFA
This is the most dangerous trend. Traditional phishing steals the password. If the user has 2FA (SMS code), the password alone is useless.
2.1. Adversary in the Middle (AiTM)
Tools like Evilginx2 sit between the victim and the real Microsoft 365.
1. Victim enters password on Evilginx.
2. Evilginx enters password on Real Site.
3. Real Site asks for SMS code.
4. Evilginx asks Victim for SMS code.
5. Victim enters code. Evilginx logs in.
Result: Attacker captures the Session Cookie. They can now access the account without needing the password or the phone again.
3. Email Authentication Defense (DMARC)
How do you stop people from spoofing email addresses at your domain? You need DNS records.
| Protocol | Function | DNS Record Type |
|---|---|---|
| SPF | "Who is allowed to send email for this domain?" (List of IPs) | TXT |
| DKIM | "Was this email modified in transit?" (Digital Signature) | TXT |
| DMARC | "What should I do if SPF/DKIM fail?" (Reject/Quarantine) | TXT |
3.1. Setting up SPF
If you use Google Workspace and Mailgun, your record should look like this:
`~all` (Soft Fail) means "accept, but mark as spam".
`-all` (Hard Fail) means "reject immediately".
3.2. Setting up DMARC
This is the policy that enforces the rules.
`p=reject` is the gold standard. It means that if a hacker in Russia tries to send email as you, receiving mail servers that honour DMARC reject it before it hits the victim's inbox.
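An added example, not from the original article, that checks SPF and DMARC records for the weak settings sections 3.1 and 3.2 warn about (`~all`, `+all`, `p=none`, too many lookups). It works on record strings so it runs offline; the sample records are constructed, and the `_spf.google.com` / `mailgun.org` include hosts and `example.com` domain are assumptions, not values from the article.

```python
import re

# Constructed sample records. Assumption: _spf.google.com and mailgun.org are
# the include hosts those vendors document; example.com is a placeholder domain.
SPF_WEAK = "v=spf1 include:_spf.google.com include:mailgun.org ~all"
SPF_STRONG = "v=spf1 include:_spf.google.com include:mailgun.org -all"
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")

def check_spf(record):
    """Return findings for one SPF TXT record (empty list = no issues)."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings, all_qual, lookups = [], None, 0
    for term in terms[1:]:
        m = re.match(r"^([+\-~?]?)([a-z][a-z0-9]*)(?:[:=/](.*))?$", term, re.I)
        if not m:
            findings.append(f"unparseable term: {term}")
            continue
        qual, mech, _ = m.groups()
        if mech.lower() == "all":
            all_qual = qual or "+"   # no qualifier means "+" (pass)
        elif mech.lower() in LOOKUP_MECHS:
            lookups += 1             # nested includes also count; not resolved offline
    if all_qual is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qual == "+":
        findings.append("'+all' authorises every sender (SPF is effectively off)")
    elif all_qual in ("~", "?"):
        findings.append(f"'{all_qual}all' is soft/neutral; use '-all' for hard fail")
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10")
    return findings

def check_dmarc(record):
    """Return findings for one DMARC TXT record (empty list = enforced)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    if tags.get("p", "").lower() != "reject":
        findings.append(f"p={tags.get('p', '<missing>')}: spoofed mail is not rejected")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports will be received")
    return findings
```

Feed it the TXT strings you pull with `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`; an empty list for both means the policy the article recommends is in place.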
4. Psychological Triggers (OSINT)
Why do people click? It's not stupidity; it's psychology.
1. Urgency: "Pay this invoice by 5 PM or we sue."
2. Authority: "Message from CEO: Need you to buy gift cards."
3. Curiosity: "Look at these photos from the party."
Reconnaissance: Attackers use tools like theHarvester to scrape LinkedIn. They know your CFO just hired a new assistant. They will email the assistant pretending to be the CFO.
Training Program
Don't punish users who click. Teach them.
Run monthly simulations.
If they click, show a "Teachable Moment" page immediately.
The goal is to lower the "Click Rate" from 30% to <5%.