With this tool - described in this blog post - phishing procedures are listed by adversary. During your next adversary simulation, the information below can be used as input for crafting a realistic phishing lure. Please read the attached blog post for more information and examples.

Category | Element | Choice |
---|---|---|
Context | Theme | Recent event. Examples: document for an ongoing project<br>Current theme. Examples: COVID-19<br>Timeless activity. Examples: failed sign-in attempt on account |
Context | Sender | Known organization |
Context | Goal | Obtain information or initiate (offline) action. Examples: CEO fraud, asking for personal information<br>Obtain credentials. Link sends victim to login page<br>Obtain access by malware on website. Link sends victim to download page<br>Obtain access by malware in attachment. Attachment contains for example Office macro or ZIP file with malware |
Context | Principle of influence | Authority. Examples: question from the CEO, request from known organization |
Context | Medium | |
Content | Language and text | Language within organization<br>Minor typos and punctuation errors were found<br>Text is easy to understand, rare words are below average<br>Text is engaging, so interesting / short to read<br>Text gives a negative impression, not friendly |
Content | Design | Internal corporate identity. Text formatting and, for example, signature correspond to use within the organization<br>Copied corporate identity. Corporate identity is a copy of original organization, like Google<br>Plain text. No style or formatting present |
Content | Personal information | Email is impersonal, can be sent to anyone / all colleagues |
Domain name | Sender | Email address is spoofed from own organization or known (relevant) organization. Email address is exactly like a known entity due to incorrect email configuration<br>Email address uses typosquat name of own organization or known (relevant) organization as domain name. Email address is a variation of a known email address, where characters are omitted or replaced<br>Email address contains own organization name or known (relevant) organization. Email address contains company name in the domain. Example: info@onedrive-download.com |
Domain name | URL to phishing website | URL is typosquat name of known (relevant) authority. URL is a variation of a well-known URL, where characters are omitted or replaced<br>URL appears to be from relevant / known organization. Example: URL contains for example the word 'Microsoft' or 'Office'<br>URL uses a link shortener service. Examples: bit.ly, goo.gl |
Attachment or download | Document | Office document with macro. Examples: Word document, Word template file<br>Document in archives. Examples: RAR or ZIP archives |

Last update: July 18, 2021

Category | Element | Choice |
---|---|---|
Context | Theme | Important value for the recipient. Examples: local events<br>Current theme. Examples: local news |
Context | Sender | Known organization |
Context | Goal | Obtain access by malware on website. Link sends victim to download page<br>Obtain access by malware in attachment. Attachment contains for example Office macro or ZIP file with malware |
Context | Principle of influence | Liking. Example: email sent from someone they know |
Context | Medium | |
Content | Language and text | Language within organization<br>Minor typos and punctuation errors were found<br>Text is easy to understand, rare words are below average<br>Text is not engaging, is a little bit bland<br>Text gives a negative impression, is not friendly |
Content | Design | Plain text. No style or formatting present |
Content | Personal information | Email is impersonal, can be sent to anyone / all colleagues |
Domain name | Sender | Email address uses typosquat name of own organization or known (relevant) organization as domain name. Email address is a variation of a known email address, where characters are omitted or replaced<br>Email address contains own organization name or known (relevant) organization. Email address contains company name in the domain. Example: info@onedrive-download.com |
Domain name | URL to phishing website | URL of file sharing platform. Example: Google Drive |
Attachment or download | Document | Office document with macro. Examples: Word, Excel, Publisher and RTF documents |

Last update: July 18, 2021

Category | Element | Choice |
---|---|---|
Context | Theme | Important value for the recipient. Examples: job-specific knowledge<br>Current theme. Examples: COVID-19<br>Timeless activity. Examples: cryptocurrency |
Context | Sender | Known organization<br>Unknown - but relevant - organisation |
Context | Goal | Obtain access by malware on website. Link sends victim to download page<br>Obtain access by malware in attachment. Attachment contains for example Office macro or ZIP file with malware |
Context | Principle of influence | Liking. Example: message sent from someone with common connections<br>Reciprocation. Example: "we are looking forward to you working with us"<br>Scarcity. Example: offer new job for limited time |
Context | Medium | Email<br>Telegram |
Content | Language and text | Language within organization<br>Minor typos and punctuation errors were found<br>Text is easy to understand, rare words are below average<br>Text is engaging, so interesting / short to read<br>Text gives a positive impression and is friendly |
Content | Design | Plain text. No style or formatting present |
Content | Personal information | Email contains personal information obtained through social media. Examples: job description<br>Email is impersonal, can be sent to anyone |
Domain name | Sender | Email address is spoofed from own organization or known (relevant) organization. Email address is exactly like a known entity due to incorrect email configuration<br>Email address from a public email service. Example: using mail.ru email service |
Domain name | URL to phishing website | URL of file sharing platform. Example: Dropbox, OneDrive |
Attachment or download | Document | Office document with macro. Examples: Word document, Word template file<br>PDF document<br>Other documents. Example: Visual Studio project |

Last update: July 18, 2021

Category | Element | Choice |
---|---|---|
Context | Theme | Current theme. Examples: COVID-19<br>Timeless activity. Examples: new meeting request |
Context | Sender | Known organization<br>Unknown - but relevant - organisation |
Context | Goal | Obtain access by malware on website. Link sends victim to download page<br>Obtain access by malware in attachment. Attachment contains for example Office macro or ZIP file with malware |
Context | Principle of influence | Liking. Example: email sent from someone they know<br>Scarcity. Example: please make payment immediately |
Context | Medium | |
Content | Language and text | Language within organization<br>Incomplete sentences and punctuation errors were found<br>Text is easy to understand, text not really formal<br>Text is engaging, so interesting / short to read<br>Text gives a negative impression, not friendly |
Content | Design | Neutral corporate identity. Corporate identity is neutral / attacker does not try to pretend to be another organization<br>Plain text. No style or formatting present |
Content | Personal information | Email is impersonal, can be sent to anyone / all colleagues |
Domain name | Sender | Email address contains name of known (relevant) organization. Email address contains company name in the domain. Example: info@organization-office.com<br>Email address is irrelevant, but has a relevant sender name. Email address is from a compromised email account, the sender name is changed to something or someone relevant |
Domain name | URL to phishing website | URL appears to be from relevant / known organization. Example: URL contains for example the word 'Microsoft' or 'Office' |
Attachment or download | Document | Office document with macro. Examples: Word, Excel, Publisher and RTF documents<br>HTML document |

Last update: July 18, 2021