Three Steps and Five Effects of the Phishing Attack Kill Chain

The standard 3-step process common to all phishing attacks is known as the “phishing attack kill chain.” By understanding the phishing attack kill chain and its five most frequent effects, you will be better equipped to stay off the hook no matter what variety of phish lands in your inbox today. And in so doing, you'll break the chain against future attacks tomorrow.


Cybercriminals use all sorts of phishing attacks to hook all sorts of people into giving up all sorts of sensitive information with a single bad click. In this article, I'm not focusing on recent phishing attacks or on the attack vectors themselves. Rather, I aim to reveal the common elements of the phishing attack process, which differs very little from one attack to the next.

The standard 3-step phishing attack process is known as the attack kill chain, and it breaks down to:

  • Reconnaissance
  • Creating the phishing email (threat vector)
  • Delivering the payload (attack)

By understanding the three steps of the phishing attack kill chain and its five most frequent effects, you will be better equipped to stay off the hook no matter what scam lands in your inbox.

Step 1: Reconnaissance

This is by far the most important part of a successful attack. The first link in the phishing attack kill chain begins with gathering information about the target in order to create a malicious email that’s relevant to the intended victim. Personal relevance increases the odds of opening a phishing email and taking action with a bad click.

It all begins with finding the victim's email address. Sometimes attackers test different addresses by just sending emails with a title like “test” or “hello” to see if an address is used and whether the recipient will respond. The same approach also works in real-life burglaries. Burglars rarely just break into a house at random; they case the grounds first, looking for weaknesses and determining which house offers the most bang for the buck in terms of risk and reward. Where can they steal the most loot with the lowest effort and smallest risk of getting caught?

The main tool for reconnaissance today is social media. Social media profiles are gold mines of personal information. People can be way too open about themselves on social media, with too few worries about how all those pics and updates and personal/professional information they’re releasing could be used as data in an attack against them.

The amount of data needed for an attack depends on its level of sophistication. When an attack is highly sophisticated—e.g. a spear phish, a business email compromise attack, or anything where a specific person is targeted—the attacker must first acquire details about the target. Spear phishing attacks often use earlier breaches in which a business email was compromised. Otherwise, they go after email addresses on specific services so they can hijack that service with an attack email referring to, or sent from, that service to convince the recipient of its authenticity.

A sense of urgency and a feeling of personal responsibility to respond to an email advance a spear phishing attack. Spear phishing emails don’t look like spam. The target must be so curious about the subject line that he or she opens the email. At that point they are already halfway reeled in.

Step 2: Crafting the phishing email

Once the target’s personal information is gathered and analyzed, the attacker crafts an email too tempting, or triggering, for the recipient to resist opening. Phishing emails usually rely on triggering an intense emotional response, be it elation or fear. The sender could promise something valuable, like a lottery win, to the intended victim, or they could try to scare the victim into taking hasty action with things like false notifications of a compromised account, unknown payments, virus detection, etc.

A successful email is about form as well as messaging. It’s got to look convincing. So how do attackers make the phishing email look like the real deal?

  1. Legitimate information: Spoofed domains, fake brand logos or other public information gleaned from the internet. The more real information an attack email contains, the more legitimate its sense of context will be. Moreover, it helps trick email spam filters.
  2. Shortened links: Tricks spam filters and also camouflages the malicious URL.
  3. Sparse text: The message reveals little in the email body while promising more information behind the link, which increases the recipient’s curiosity and willingness to act further.
  4. Shared services: Well-known services used in the business world are also a popular vector attackers use to spread malicious files (e.g. fax services, Dropbox).
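
The traits in this list can also be checked mechanically when triaging a reported email. The following is an added example, not code from the original article or from Hoxhunt; the shortener and shared-service lists, the 25-word threshold, the flag names and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, illustrative values; a real mail filter would maintain its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
SHARED_SERVICES = {"dropbox.com"}
SPARSE_WORDS = 25  # assumed cut-off for "sparse text"

class _Links(HTMLParser):  # collects (href, visible text) pairs and body text
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        self._buf.append(data)  # reset at every <a>, read at </a>
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None

def _host(url):  # lower-cased hostname without "www."; accepts bare domains
    host = (urlparse(url if "://" in url else "//" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def triage(html_body):
    """Return sorted triage flags: signals for review, not a verdict."""
    p, flags = _Links(), set()
    p.feed(html_body)
    for href, shown in p.links:
        target = _host(href)
        if target in SHORTENERS:
            flags.add("shortened-link")
        if any(target == s or target.endswith("." + s) for s in SHARED_SERVICES):
            flags.add("shared-service-link")
        # Visible text naming a domain other than the real destination.
        m = re.search(r"(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+", shown.lower())
        if m and _host(m.group(0)) != target:
            flags.add("display-mismatch")
    if p.links and len(" ".join(p.text).split()) < SPARSE_WORDS:
        flags.add("sparse-text")
    return sorted(flags)

# Constructed sample using reserved .example names, not real mail.
PHISH = ('<p>Your account is locked.</p><a href="https://bit.ly/3xAmPl">Details</a> '
         '<a href="http://bank.example.acct-check.example/login">www.bank.example</a>')
```

Calling `triage(PHISH)` returns the flags for a shortened link, a displayed domain that differs from the real destination, and sparse text. A link to a shared service is only a reason to look closer, since legitimate mail uses those services too.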

Step 3: The attack/delivery

With the email crafted, now it’s time for the attacker to send the phishing email to the targeted victim. The attacker delivers the malicious email containing the threat via URL or attachment to the target. After sending the email attack to one or to multiple recipients, the attacker waits until someone takes the bait.

Possible results

Some unfortunate end users will feel the urge to take the action orchestrated by the attacker. Such action could be clicking on URLs, filling in fraudulent forms, downloading attachments and/or responding with sensitive information.

The attacker either capitalizes directly on the victim's actions (harvests credentials, steals money in a payment scam), or the attacker could sit in the victim's system anonymously, waiting and gathering data until the right moment presents itself to strike.

Five effects of the three-step phishing attack kill chain

Credential harvesting is the most common outcome of a phishing attack. The victim has been lured into opening a link, which redirects them to a landing page that requests things like an account login and password, or sensitive personal details, etc. This will actually be a spoofed website on the attacker’s web server. Engagement with it delivers the victim’s account name and password to the attacker on a silver platter.

Stolen credentials can be valuable to attackers in 5 ways.

  1. Skeleton key: Because many people use the same password across multiple services, a single breach often expands the attack surface significantly. The attacker might, for instance, obtain Outlook credentials with the aim of getting access to banking services and IP-sensitive corporate systems.
  2. Impersonation: Alternatively, the attacker could use a compromised email address to impersonate the user and blast out phishing emails to a host of newly discovered potential victims from the victim’s address list.
  3. Darkweb sale: For a quick buck, the criminal could just sell the victim's data on the darknet.
  4. Malware and ransomware: Attached malicious files (the most popular file types being .exe, .xlsx, .pdf, .doc and .zip) contain programs that could be used to steal or delete sensitive data. Ransomware has made the splashiest headlines over the past two years; it encrypts and hijacks the victim’s files or entire network, locking it until a ransom is paid to open it back up.
  5. Payment scams: Sometimes phishing emails won’t have any attached files or links to malicious sites. Phishing emails can also push people into loan scams, gift card scams, social security scams and advance fee scams. In these scams, victims are typically tricked into paying various fees through financial vehicles of wire transfers or gift cards (which are as untraceable and cybercriminal-friendly as bitcoin) for the release of a much larger reward promised down the road, which of course is a dead end paved in pure fiction.

No action taken breaks the phishing attack kill chain

Remember, cybercrime is an organized criminal industry. These criminals approach victims with a strategic business mindset similar to a sales and marketing campaign. Criminals want to channel their resources towards converting the potential “customers” most likely to pay out. Therefore, the attacker will often spare an unengaged user from future attacks. But victims who open and act on phishing emails inadvertently sign up for even more phishing attacks as they become marked as a “high profile,” or easier, target in the criminal’s database.

By not opening or acting on a phishing email today, you’re less likely to be attacked tomorrow. The attacker gets nothing and the targeted user becomes categorized as a “low profile” target. Still, some attackers could try to hit their target with multiple emails, particularly if the target is high-value, e.g. a C-level executive, and the attacker is committed to a sophisticated spear phishing or whaling attack.

3 tips to improve your organizational security

  1. Use multi-factor authentication in services where it's enabled!
  2. Security training with phishing simulations. Phishing emails evolve so constantly with current events and technologies that they come in an endless variety. It’s important to give employees frequent practice with improving their cybersecurity skills in a safe environment via simulations. Nothing else prepares people as effectively for how to react correctly when a real phish lands in their inbox.
  3. Hover over the link, but don’t click. There is no situation that demands you act upon an email immediately. Stay calm and trust your instincts.

Hoxhunt response

We are seeing what experts have predicted: The fighting in Ukraine contains an unprecedented cyber war dimension. Fallout will seep into inboxes around the world. Our Threat Analysis Team examines tens of thousands of reported phishing emails, including ones like these, every week, and has captured tens of millions of threats to date. Working together with our powerful machine learning model, they cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Also learn how to equip your employees with the phishing training that will protect your company from scams.
