t's that time of the year, you're sitting at your desk and an email comes through stating "ACTION REQUIRED: Mandatory Compliance Training". You sigh and slightly roll your eyes, it's time for the annual compliance and IT security training videos as dictated by corporate.

For those of you who do not know what I am talking about, most companies with a basic IT Security practice conduct annual employee training and awareness. Often, training is conducted through online learning platform modules that consist of a simple video with a quiz at the end, which employees seem to think is a waste of time.

As a malicious actor, lets add some irony to the situation and send a phishing email disguised as one of the dreaded IT security modules! Many employees simply open the email and blindly click the link, hoping to quickly complete training and go on with their work routine. We can capitalize on this behavior to capture user credentials.

Requirements

In order to conduct this attack, you will need a machine which can host a website on the internet (tools like SEToolkit and MSFPro will handle the webserver part but you will need to make sure that the site/machine can be accessed externally). You will also need an SMTP/Email Server to handle sending your phishing emails (which are going to have a spoofed sender address).

Attack Storyboard

  1. Build your pretext email
  2. Build a convincing login portal (clone formatting from target company)
  3. Email to a large list of employees at the target company
  4. Watch the creds pour in… then demonstrate impact of external employee login portals lacking 2FA.

For the purpose of this post, we will pretend to be targeting 'VulnCompany'.

Building your pretext email

The pretext email consists of three important pieces:

  1. Sender email address (including domain)
  2. Subject line
  3. Email Body

All of these pieces need to fit the pretext against the target company.

Sender Email Address

Without inside knowledge of the target company's internal team structure, a good guess for our pretext would be to spoof the email address of 'IT Security ' or 'Compliance '. However, while many companies do not utilize SPF record checking, they do block spoofed emails that match their company's domain. There are many ways to get around this, provided that the company has not purchased or blacklisted similar domains. Possible sender domain names could be:

  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]

Subject Line

This one is easy. The goal is to create a subject line that inspires urgent/mandatory action to the receiving user. Simply use a legitimate subject line often sent by companies for compliance training: "ACTION REQUIRED: Mandatory Compliance Training".

Email Body

The body of your email should contain a call to action, requesting that a user clicks on a link to complete mandatory training. It is best to put a hard date in the email, usually within the next few days to make the user act fast. If you are giving the user a tight deadline, it may work better to state that this is a follow-up email to the original request and that the user 'only has x days remaining' to complete training.

Example Email:

Build a Convincing Login Portal

The best way to keep employees from getting suspicious is to provide a login portal that has a familiar look and feel. For each engagement I typically clone one of the target company's public facing login portals and slightly edit the page. My favorite tool for doing such is Metasploit Pro (MSFPro) which has a great 'site clone' feature in their phishing campaign option. However, if you're looking for a free tool (which is not as robust but gets the job done), check out SEToolkit. This post will not go in-depth on how to clone a site with MSFPro or SEToolkit as many guides already exist (just Google it).

Once you have cloned a login portal that would be familiar to the target company's employees, take the time to add a few touches which will make it appear like an IT Security compliance page. For example, if the login portal you cloned is the company VPN portal, make sure you change the site header to be 'IT Security Portal' and remove any VPN branding. An example page for 'VulnCompany' can be seen below:

The campaign could easily be over after a user enters their credentials. However, to keep them from getting suspicious and warning other co-workers, make a second page (using the same layout and styling as the login portal page) which has generic IT Security tips and redirect the user to this page after they click 'login'. For example…

To finish it off, you can make the 'I Agree' button create a popup which tells users 'Thank you for completing Annual IT Security training, you will now be redirected to our VulnCompany's home page', and then redirect the user as stated.

TIP - Metasploit Pro has a built-in graphical phishing campaign feature which does the following:

  • Manages the entire email creation and sending process
  • Creates dynamic links for each user sent to, which keeps track of who opened the email, who clicked on the link, and who inserted credentials
  • Clones other websites and starts a local webserver to host the malicious site (has an editor to allow page modifications)
  • Captures input credentials and stores responses from each email address targeted

Email Your Targets

With the campaign all set, it is time to email your targets. However, before doing such, make sure you send the false email to yourself and test that credentials are properly being captured. There is nothing worse than blowing your entire campaign by sending out a broken email or login portal to all of your targets.

To find targets within the company, perform open source intelligence gathering (OSINT). My favorite is to either find employees of the company on LinkedIn or to search the company's website for a directory of employees. Some tools you can use for OSINT:

  • The Harvester
  • LinkScrape.py
  • Recon-NG

Get Credz, Demonstrate Impact

Wait a bit for credentials to start pouring in. Once you have them, do your happy dance, and then make sure you demonstrate the impact of capturing these credentials. Often I look for VPN login portals or externally facing Outlook capabilities (OWA) and log in with captured credentials to ensure that they are valid, and to also show the client what can be accessed.


Hope this phishing pretext is useful.

Happy phishing,

-Ac3lives