// Cyber Threat Intelligence

Spear Phishing
Attack Anatomy

Targeted phishing engineered for specific individuals or organizations - combining open-source intelligence, social engineering, and credential harvesting into a precision strike.

⚠ THREAT LEVEL: CRITICAL
🎯
Attack Type
Targeted Social Engineering
Unlike mass phishing, each message is personalized to exploit the individual's trust, role, and context
📊
Success Rate
65–91% Open Rate
vs. ~3% for generic phishing - personalization dramatically raises the odds that the lure is believed and acted on
💰
Primary Goal
Credential Theft & Initial Access
Harvest login credentials, session tokens, or plant malware for deeper network access
Attack Flow Diagram
🔍
PHASE 01
Target
Selection
OSINT & Recon
🕵️
PHASE 02
Intel
Gathering
Profile Building
✉️
PHASE 03
Lure
Crafting
Pretext Design
🖥️
PHASE 04
Delivery &
Deception
Email / Link Drop
🪤
PHASE 05
Credential
Capture
Fake Login Page
💀
PHASE 06
Exploitation
& Pivot
Access & Persistence
// Phase 01 - Reconnaissance
Target Selection
Attackers identify high-value individuals with access to sensitive systems, finances, or data. They prioritize targets with the right combination of access level, vulnerability, and exploitable context.
  • Finance, HR, and IT staff with elevated permissions are primary targets
  • C-suite executives targeted for Business Email Compromise (BEC)
  • New employees - unfamiliar with procedures, eager to comply
  • Third-party contractors with internal system access
  • Individuals recently mentioned in news, press releases, or org charts
// Tools Used
LinkedIn - Job titles, org structure, tech stack
Google Dorking - Exposed employee directories
WHOIS / Shodan - Domain & infrastructure intel
Twitter / X - Personal context, travel patterns
Company Website - Leadership bios, contacts
76%
of orgs targeted by spear phishing last year
2–5
days avg. attacker spends on recon per target
// Attacker Mindset
"The CFO just posted on LinkedIn about closing a $40M acquisition deal. I know her name, her assistant's name, and which bank they use. Now I craft the perfect wire-transfer pretext."
// Phase 02 - Intelligence Gathering
Building the Profile
Attackers aggregate personal and professional data to construct a detailed victim profile. The goal is to make the eventual lure indistinguishable from a legitimate communication the target would expect to receive.
  • Map reporting structure - who does the target answer to?
  • Identify communication style from public posts and emails
  • Find current projects, vendors, or partners the target works with
  • Harvest email format from breach databases or guessing (first.last@company.com)
  • Identify software stack - what login portals does the company use?
// Data Sources Mined
HaveIBeenPwned
Previous breaches expose real passwords and email formats

Glassdoor / Indeed
Job postings reveal internal tech stack (Salesforce, Okta, SAP)

Conference Schedules
Travel windows = reduced vigilance, different device usage
91%
of breaches start with a phishing email
$4.9B
lost to BEC attacks in 2023 (FBI IC3)
// Phase 03 - Pretext Design
Crafting the Lure
Using gathered intelligence, attackers craft a highly personalized message. Every detail - sender name, email domain, subject line, tone, referenced projects - is engineered to bypass suspicion and trigger action.
  • Spoof or register lookalike domains (microsofft.com, paypa1.com)
  • Impersonate boss, colleague, vendor, or IT department
  • Reference real ongoing projects or recent company events
  • Create urgency or fear ("Account will be suspended in 24 hours")
  • Embed malicious links in legitimate-looking DocuSign, SharePoint lures
// Example Spear Phishing Email
From: james.cfo@acme-corp.co
Subject: RE: Q4 Audit - DocuSign Required by EOD

Hi Sarah,

Per our call with Deloitte this morning, I need your sign-off on the attached audit summary before 5pm. Please use the secure portal below.

→ https://docusign-acme.secure-auth.net/sign

Thanks,
James
VP Finance, Acme Corp
// Why It Works
✓ Real colleague name & title
✓ References a real vendor (Deloitte)
✓ Familiar context (audit season)
✓ Urgent deadline creates pressure
✓ Lookalike domain looks plausible
// Phase 04 - Attack Delivery
Delivery & Deception
The crafted lure is delivered via the most trusted channel available. Email remains dominant, but attackers increasingly use SMS (smishing), voice calls (vishing), LinkedIn, Teams, and Slack to reach targets where defenses are lower.
  • Email with spoofed sender header via compromised relay server
  • Malicious attachments: macro-enabled Office docs, weaponized PDFs
  • Multi-stage: first email establishes trust, second delivers payload
  • Adversary-in-the-middle (AiTM) proxy captures credentials AND session tokens
  • Timing attacks: sent during travel, evenings, or high-stress periods
// Delivery Vectors
📧 Corporate Email - Most common, highest trust
💎 Slack / Teams - Bypasses email filters entirely
📱 SMS (Smishing) - Mobile = lower security culture
🔗 LinkedIn DMs - "Recruiter" or vendor persona
📞 Voice (Vishing) - A call pre-conditions the victim before the email lands
68s
median time from email delivery to first click
3×
higher success on mobile vs desktop
// Phase 05 - Capture
Credential Harvesting
The target lands on a cloned, pixel-perfect replica of a trusted login portal. Credentials entered are silently captured and forwarded to the attacker's command server. MFA can be bypassed via real-time AiTM proxy techniques.
  • Pixel-perfect clone of Microsoft 365, Okta, Google Workspace login
  • Valid TLS certificate installed - padlock icon shows green ✓
  • AiTM proxy (Evilginx2, Modlishka) relays credentials AND steals MFA tokens
  • After capture, victim is redirected to real site - never suspects compromise
  • Credentials tested and validated automatically within seconds
// How AiTM Bypasses MFA
1. Victim → Fake Proxy Site (attacker)
2. Proxy → Real Microsoft Login (forwards)
3. Microsoft → Sends MFA challenge to victim
4. Victim → Enters MFA code on fake site
5. Proxy → Forwards code to Microsoft
6. Attacker captures session token - MFA bypassed
// Detection Window
Most organizations take 197 days to detect a breach. Credential theft often goes unnoticed until privilege escalation or data exfiltration triggers an alert.
// Phase 06 - Post-Compromise
Exploitation & Pivot
With valid credentials and session tokens, attackers establish persistence and begin lateral movement. From a single compromised inbox, they can escalate privileges, pivot to cloud infrastructure, exfiltrate data, or deploy ransomware.
  • Email inbox access - forward rules set to exfiltrate sensitive comms
  • SSO abuse - one set of credentials unlocks dozens of connected SaaS apps
  • BEC payoff - finance staff impersonated to authorize fraudulent wire transfers
  • Lateral movement via phishing internal colleagues from compromised account
  • Ransomware deployment or data exfiltration as final-stage payload
// Attacker Actions Post-Login
[00:00] Session token captured
[00:02] Email inbox rules modified (blind CC exfil)
[00:05] Contacts harvested for lateral campaigns
[00:12] SharePoint / OneDrive enumerated
[00:30] New OAuth app registered (persistence)
[Day 3] Finance impersonation → wire transfer attempt
$4.9B
total BEC losses 2023
197d
avg. dwell time undetected
Defender Countermeasures
🔐
FIDO2 / Passkeys
Hardware-bound authentication (YubiKey, passkeys) is immune to AiTM proxy attacks - the signed assertion is cryptographically bound to the origin the browser actually connected to, so a response collected on a lookalike domain is rejected by the legitimate site.
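Why the AiTM flow in Phase 05 fails against a passkey: the browser, not the web page, records the real origin in clientDataJSON, and the authenticator hashes the rpId into authenticatorData, so the relying party rejects any assertion produced on the lookalike domain. This is an added illustration, not code from the page; the rpId `acme-corp.com`, the origin `https://login.acme-corp.com` and the simplified authenticator model are assumptions, and signature verification with the registered public key is left out.

```python
import base64
import hashlib
import json
import struct

# Constructed relying-party (RP) configuration for this example.
RP_ID = "acme-corp.com"                     # hypothetical rpId the passkey was registered for
RP_ORIGIN = "https://login.acme-corp.com"   # the only origin the RP accepts

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def client_assertion(rp_id_requested: str, origin_seen: str, challenge: bytes) -> dict:
    """Model of the browser + authenticator side of a WebAuthn 'get' ceremony.
    The browser writes the origin it is actually connected to into clientDataJSON;
    the authenticator hashes the requested rpId into authenticatorData."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin_seen}).encode()
    rp_id_hash = hashlib.sha256(rp_id_requested.encode()).digest()
    flags, sign_count = 0x01, 7                 # 0x01 = user present (UP)
    auth_data = rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}

def verify_assertion(resp: dict, expected_challenge: bytes):
    """RP-side checks that a relayed phishing response cannot pass. Signature
    verification over authenticatorData || sha256(clientDataJSON) with the
    registered public key follows these checks and is omitted here."""
    cd = json.loads(resp["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or cross-session relay)"
    if cd.get("origin") != RP_ORIGIN:           # the check the AiTM proxy cannot forge
        return False, f"origin mismatch: {cd.get('origin')}"
    ad = resp["authenticatorData"]
    if len(ad) < 37 or ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"
```

The proxy can relay the challenge unchanged, but a browser on docusign-acme.secure-auth.net can neither claim the origin nor request the legitimate rpId, so the assertion fails before any signature is checked.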
🧠
Security Awareness Training
Regular simulated spear phishing campaigns train employees to recognize personalized lures. Focus on urgency triggers and unexpected login prompts.
📧
DMARC / DKIM / SPF
Enforce strict email authentication to prevent domain spoofing. Monitor for lookalike domain registrations targeting your brand.
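A lookalike-domain check of the kind the Phase 03 lure and the monitoring advice above call for, written as an added example rather than code from the page: it normalizes common homoglyphs, compares the registrable label against protected brand names by edit distance, and catches brand names embedded in hyphenated or subdomain labels. The brand list, the owned-domain set and the single-label TLD assumption (no public suffix list) are constructed for the example.

```python
# Constructed inputs for this example: brands to protect and the domains we actually own.
PROTECTED_BRANDS = ["microsoft", "paypal", "docusign", "acme-corp", "acme"]
OWNED_DOMAINS = {"acme-corp.com"}
# Character substitutions attackers use; multi-character ones first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]

def normalize(label: str) -> str:
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_domain(domain: str):
    """Return (is_lookalike, reason). Assumes a single-label TLD (no public suffix list)."""
    domain = domain.lower().rstrip(".")
    if domain in OWNED_DOMAINS:
        return False, "owned domain"
    labels = domain.split(".")
    sld = normalize(labels[-2] if len(labels) >= 2 else labels[0])
    for brand in PROTECTED_BRANDS:
        if sld == brand:                      # paypa1.com, acme-corp.co
            return True, f"{brand}: homoglyph or TLD variant of brand"
        if len(brand) >= 5 and levenshtein(sld, brand) == 1:   # microsofft.com
            return True, f"{brand}: edit distance 1"
    for label in labels[:-1]:                 # docusign-acme.secure-auth.net
        for part in label.split("-"):
            if normalize(part) in PROTECTED_BRANDS:
                return True, f"{normalize(part)}: brand name embedded in label '{label}'"
    return False, "no match"
```

Run it over new-registration feeds or certificate-transparency logs for your brand; the short brands (here `acme`) are matched only exactly to keep false positives down.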
👁️
Behavioral Analytics (UEBA)
Detect anomalous post-login behavior: impossible travel, new inbox rules, bulk downloads. Alert on first-time OAuth app registrations.
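The post-login timeline from Phase 06 replayed through the four UEBA rules named above (impossible travel, suspicious inbox rule, first-time OAuth consent, bulk download). This is an added example, not the page's or any vendor's code; the event schema, the sample events and the thresholds are constructed for the demonstration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical schema, not real logs) mirroring the Phase 06 timeline.
USER = "sarah@acme-corp.com"
EVENTS = [
    {"ts": "2024-03-04T09:00:00", "user": USER, "op": "UserLoggedIn", "country": "US"},
    {"ts": "2024-03-04T09:31:00", "user": USER, "op": "UserLoggedIn", "country": "NL"},
    {"ts": "2024-03-04T09:33:00", "user": USER, "op": "New-InboxRule",
     "rule": {"ForwardTo": "archive@example.net", "DeleteMessage": True}},
    {"ts": "2024-03-04T10:01:00", "user": USER, "op": "Consent to application",
     "app": "Mail Sync Helper", "scopes": "Mail.ReadWrite offline_access"},
] + [{"ts": f"2024-03-04T10:{5 + i // 10:02d}:{(i % 10) * 6:02d}", "user": USER,
      "op": "FileDownloaded", "file": f"finance/q4-{i}.xlsx"} for i in range(25)]

TRAVEL_WINDOW = timedelta(hours=1)      # country change faster than this = impossible travel
BULK_WINDOW, BULK_THRESHOLD = timedelta(minutes=10), 20
APPROVED_APPS = {"Microsoft Teams"}     # constructed allow-list of already-consented apps

def detect(events):
    """Replay events in time order; return (user, rule, detail) alerts."""
    alerts, last_login, downloads = [], {}, defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        ts, u, op = datetime.fromisoformat(e["ts"]), e["user"], e["op"]
        if op == "UserLoggedIn":
            prev = last_login.get(u)
            if prev and prev[1] != e["country"] and ts - prev[0] < TRAVEL_WINDOW:
                alerts.append((u, "impossible_travel", f"{prev[1]}->{e['country']} in {ts - prev[0]}"))
            last_login[u] = (ts, e["country"])
        elif op == "New-InboxRule":
            r = e["rule"]   # forwarding outside the user's own domain, or silent deletion
            external = [a for a in (r.get("ForwardTo"), r.get("RedirectTo"))
                        if a and a.split("@")[-1] != u.split("@")[-1]]
            if external or r.get("DeleteMessage"):
                alerts.append((u, "suspicious_inbox_rule", json.dumps(r)))
        elif op == "Consent to application" and e["app"] not in APPROVED_APPS:
            alerts.append((u, "new_oauth_app", f"{e['app']} ({e['scopes']})"))
        elif op == "FileDownloaded":
            downloads[u] = [t for t in downloads[u] if ts - t <= BULK_WINDOW] + [ts]
            if len(downloads[u]) == BULK_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append((u, "bulk_download", f"{BULK_THRESHOLD} files in {BULK_WINDOW}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert, sep=" | ")
```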
🛡️
Zero Trust Architecture
Never trust, always verify. Implement conditional access policies that require device compliance and risk-based re-authentication for sensitive actions.
🌐
Secure DNS & URL Filtering
Block newly registered domains, lookalike URLs, and known phishing infrastructure at the DNS layer before credentials are ever entered.