The Anatomy of Great Phishing Emails
Phishing is a popular technique used by hackers to steal confidential information from unsuspecting victims. They do this by sending out emails that look like they are from a trusted company or individual, but in reality, they are not.
Phishing emails are emails that try to trick you into disclosing personal information, such as passwords and credit card numbers. Phishing emails can be hard to identify because they look like legitimate messages from companies or organizations you know. It's important to be able to identify a phishing email so that you don't fall victim to a scam and lose your personal information.
The goal of these phishing emails is to get the victim to click on an embedded link or attachment, which can then download malware onto their computer. Once the victim has clicked on the link or downloaded the attachment, their computer is compromised and the hacker can do whatever they want with it. They can steal personal information such as bank account numbers and passwords and then use them for identity theft. They could also use this information to access sensitive files stored on their computer.
But that’s not all. Sometimes, phishing emails are simply trying to trick the user into doing something. For example, they may send an email to an accountant that appears to be from the CEO asking for the accountant to wire some money.
Note: This is a guide to show people how easy and cheap it is to create a phishing campaign. I hope no one would follow this advice. Plus, I intentionally left out a few key details so you would get caught if you attempted to do this.
The attack strategy
There are two common attack strategies: whaling and spear phishing. Whaling is typically targeting very specific people within an organization. Spear phishing is still fairly targeted but typically targets a category of people. Let’s take a quick look at 2 examples.
Whaling
The hacker may follow the CEO on LinkedIn and Facebook. Then gather information, for example, the email address, and signature of the CEO. Then wait for the CEO to leave the country or go on a road trip. Once the CEO leaves the office the hacker can send an email to an accountant saying “My car broke down. Please wire $10,000 to bank account XXX”. This is a whaling attack
Spear Phishing
In this scenario, the hacker may gather 1,000 email addresses of different users in different companies that all use Microsoft 365. Then they send an email to all 1,000 users saying “I’m from Microsoft you need to click this link and login or your account will be deleted” Once someone goes to the link and enters their credentials the hacker can then access the user’s mailbox and other Microsoft 365 data.
Finally, we are through the background information
Phew, we are through the background information. Let’s craft our excellent phishing email. In our scenario, we’ll use a spear phishing attack.
Our goal
The goal of our phishing campaign is to get the username and password for Microsoft 365 users. To do that, we’ll send our victims fake emails from Microsoft. We’ll pretend to be from Microsoft targeting Microsoft 365 users. Let's tell them their mailboxes are almost full and they need to go to a website and log in. We'll tell them it's to enable the Auto Expanding Mailbox feature. Once a user logs in (giving us their credentials) we'll say something like "It's all set up. No need to worry about the mailbox size anymore" Most likely, the user will think they now have enough space to continue working and they'll forget all about us.
Great subject lines for phishing emails
The subject line of a great phishing email is critical. It’s what makes or breaks any email. Will it entice the user to open and read the email? Does it follow the logical flow of the campaign? Lastly, does it create urgency so the victim will click on the link and enter their credentials before anyone notices our attack and blocks us / warns everyone? In our example, we are using a spear phishing attack from Microsoft so it wouldn’t make sense to use “Free vacation home rental”. Let’s copy a message from Microsoft 365. Let’s go with “Your mailbox is almost full.”
The from address
Other than the subject line the from address is the second thing someone notices and checks. It’s where someone will first look and ask “Who is this from?” If it’s from their mother or CEO they’ll probably pay closer attention. But again, we aren’t whaling here. We are sending a phishing attack to a thousand users and hoping to snag a couple.
Now, there are two parts to an email address: Domain & Username.
- The domain name and the username. The domain name is everything after the @ symbol. For example, in john@gitbit.org the gitbit.org part is the domain name.
- The username. That’s everything before the @ symbol. In the example john@gitbit.org it’s the john part of the email address.
With our spear phishing strategy, it wouldn’t make sense for the email to be coming from gmail.com. No, we will need a legitimate domain to send the emails from. Let’s use supportmicrosoft365.com. It looks legitimate enough to full a few victims.
Purchase a domain name
Being the cunning attacker we are we purchase the domain! I know, it seems crazy but you have to spend money to make money. So hop on over to Unstoppable Domains and sign up. Once signed up simply buy the domain!
Purchase a cloud email provider
Once we've purchased the domain name we can hop into Microsoft 365 and purchase a new tenant. So jump on over to www.microsoft.com and purchase yourself a Microsoft 365 tenant. Now, we’ll set up our MX records, SPF, DKIM, and DMARC records. Let’s make sure we get through the spam/phishing filters!
Now that we picked out the domain name let's pick a username. Using Bill Gates wouldn't make sense because why is Bill sending emails about mailboxes being full? No, we need it to appear legit. At first, I thought "Support" but then I read the email out loud and it sounded funny Support@supportmicrosoft365.com. The 2 supports are throwing me for a loop. Let's use CustomerCare. CustomerCare@supportmicrosoft.com sounds good. So go to your Microsoft 365 tenant and create your username.
Email warm-up service
Now that we purchased the domain and picked our email address, we know spam filters look at one more thing. The length of time the domain has been purchased and if there have been legitimate emails flowing from the domain. Instead of sending emails to our friends (that may identify us as the hacker later) let’s use an email warm-up service. These services are used to send/receive seemingly legitimate emails to a mailbox so email providers think it’s a legit email domain/address. So let's pop on over to Warmup Inbox and sign up. Now some people say a couple of weeks is long enough of a warm-up, but we're pros. Let's let that run for 6 months.
Gather email addresses
Next, we'll need to gather some email addresses. So go over to Apollo gather a list of email addresses and export them to CSV.
The body of the email
Now we're to the bread and butter. The meat and potatoes. We already set up the hook and line, now for the sinker. The body of the email. Let's just copy the body of an email I've received from Microsoft 365 prior.
With this template, we are practically there. Heck, we can just change the words. We can leave the font and the pretty image showing the 49.11 GB to 49.5 GB. All we need to do is change the "To make room in your mailbox, delete any items you don't need and empty your Deleted Items folder." to "Your IT team has enabled the auto-expanding feature for your mailbox. To activate please go to enable auto-expanding mailbox."
So here's the million-dollar question. How do you make sure none of your users fall for such an attack?
Go to Protecting email against phishing attacks for a getting-started guide on phishing protection.
Go to Simulating attacks with Microsoft 365 for a getting-started guide on setting up phishing simulations to teach your users.