Adversary phishing characteristics

With this tool - described in this blog post - phishing procedures are listed by adversary. During your next adversary simulation, the information below can be used as input for crafting a realistic phishing lure. Please read the attached blog post for more information and examples.

Category / Element / Choice
- Context
  - Theme
    - Recent event
      Examples: document for an ongoing project
    - Current theme
      Examples: COVID-19
    - Timeless activity
      Examples: failed sign-in attempt on account
  - Sender
    - Known organization
  - Goal
    - Obtain information or initiate (offline) action
      Examples: CEO fraud, asking for personal information
    - Obtain credentials
      Link sends victim to login page
    - Obtain access by malware on website
      Link sends victim to download page
    - Obtain access by malware in attachment
      Attachment contains for example Office macro or ZIP file with malware
  - Principle of influence
    - Authority
      Examples: question from the CEO, request from known organization
  - Medium
    - Email
- Content
  - Language and text
    - Language within organization
    - Minor typos and punctuation errors were found
    - Text is easy to understand, rare words are below average
    - Text is engaging, so interesting / short to read
    - Text gives a negative impression, not friendly
  - Design
    - Internal corporate identity
      Text formatting and, for example, signature correspond to use within the organization
    - Copied corporate identity
      Corporate identity is a copy of original organization, like Google
    - Plain text
      No style or formatting present
  - Personal information
    - Email is impersonal, can be sent to anyone / all colleagues
- Domain name
  - Sender
    - Email address is spoofed from own organization or known (relevant) organization
      Email address is exactly like a known entity due to incorrect email configuration
    - Email address uses typosquat name of own organization or known (relevant) organization as domain name
      Email address is a variation of a known email address, where characters are omitted or replaced
    - Email address contains own organization name or known (relevant) organization
      Email address contains company name in the domain. Example: info@onedrive-download.com
- Attachment or download
  - Document
    - Office document with macro
      Examples: Word document, Word template file
    - Document in archives
      Examples: RAR or ZIP archives
Last update: July 18, 2021
Category / Element / Choice
- Context
  - Theme
    - Important value for the recipient
      Examples: local events
    - Current theme
      Examples: local news
  - Sender
    - Known organization
  - Goal
    - Obtain access by malware on website
      Link sends victim to download page
    - Obtain access by malware in attachment
      Attachment contains for example Office macro or ZIP file with malware
  - Principle of influence
    - Liking
      Example: email sent from someone they know
  - Medium
    - Email
- Content
  - Language and text
    - Language within organization
    - Minor typos and punctuation errors were found
    - Text is easy to understand, rare words are below average
    - Text is not engaging, is a little bit bland
    - Text gives a negative impression, is not friendly
  - Design
    - Plain text
      No style or formatting present
  - Personal information
    - Email is impersonal, can be sent to anyone / all colleagues
- Domain name
  - Sender
    - Email address uses typosquat name of own organization or known (relevant) organization as domain name
      Email address is a variation of a known email address, where characters are omitted or replaced
    - Email address contains own organization name or known (relevant) organization
      Email address contains company name in the domain. Example: info@onedrive-download.com
- Attachment or download
  - Document
    - Office document with macro
      Examples: Word, Excel, Publisher and RTF documents
Last update: July 18, 2021
Category / Element / Choice
- Context
  - Theme
    - Important value for the recipient
      Examples: job-specific knowledge
    - Current theme
      Examples: COVID-19
    - Timeless activity
      Examples: cryptocurrency
  - Sender
    - Known organization
    - Unknown - but relevant - organisation
  - Goal
    - Obtain access by malware on website
      Link sends victim to download page
    - Obtain access by malware in attachment
      Attachment contains for example Office macro or ZIP file with malware
  - Principle of influence
    - Liking
      Example: message sent from someone with common connections
    - Reciprocation
      Example: "we are looking forward to you working with us"
    - Scarcity
      Example: offer new job for limited time
  - Medium
    - Email
    - Twitter
    - LinkedIn
    - Telegram
- Content
  - Language and text
    - Language within organization
    - Minor typos and punctuation errors were found
    - Text is easy to understand, rare words are below average
    - Text is engaging, so interesting / short to read
    - Text gives a positive impression and is friendly
  - Design
    - Plain text
      No style or formatting present
  - Personal information
    - Email contains personal information obtained through social media
      Examples: job description
    - Email is impersonal, can be sent to anyone
- Domain name
  - Sender
    - Email address is spoofed from own organization or known (relevant) organization
      Email address is exactly like a known entity due to incorrect email configuration
    - Email address from a public email service
      Example: using mail.ru email service
- Attachment or download
  - Document
    - Office document with macro
      Examples: Word document, Word template file
    - PDF document
    - Other documents
      Example: Visual Studio project
Last update: July 18, 2021
Category / Element / Choice
- Context
  - Theme
    - Current theme
      Examples: COVID-19
    - Timeless activity
      Examples: new meeting request
  - Sender
    - Known organization
    - Unknown - but relevant - organisation
  - Goal
    - Obtain access by malware on website
      Link sends victim to download page
    - Obtain access by malware in attachment
      Attachment contains for example Office macro or ZIP file with malware
  - Principle of influence
    - Liking
      Example: email sent from someone they know
    - Scarcity
      Example: please make payment immediately
  - Medium
    - Email
- Content
  - Language and text
    - Language within organization
    - Incomplete sentences and punctuation errors were found
    - Text is easy to understand, text not really formal
    - Text is engaging, so interesting / short to read
    - Text gives a negative impression, not friendly
  - Design
    - Neutral corporate identity
      Corporate identity is neutral / attacker does not try to pretend to be another organization
    - Plain text
      No style or formatting present
  - Personal information
    - Email is impersonal, can be sent to anyone / all colleagues
- Domain name
  - Sender
    - Email address contains name of known (relevant) organization
      Email address contains company name in the domain. Example: info@organization-office.com
    - Email address is irrelevant, but has a relevant sender name
      Email address is from a compromised email account, the sender name is changed to something or someone relevant
- Attachment or download
  - Document
    - Office document with macro
      Examples: Word, Excel, Publisher and RTF documents
    - HTML document
Last update: July 18, 2021