# Phishing
Definition
Phishing is a social engineering attack in which an adversary sends a fraudulent communication (typically email, but also SMS, voice, or messaging platforms) designed to trick the recipient into revealing credentials, installing malware, transferring funds, or performing another action that benefits the attacker. The communication impersonates a trusted entity: a colleague, a vendor, a bank, a cloud service provider, or an executive.
Phishing is among the most common initial access vectors for cyberattacks. Verizon's 2024 Data Breach Investigations Report found that phishing and pretexting (a related social engineering technique) accounted for the majority of social engineering incidents, and that social engineering featured in a significant share of all breaches. Phishing is not sophisticated. It is effective. It works because it targets the one component of any security architecture that cannot be patched, firewalled, or automated away: human judgment.
The economic model is simple. An attacker sends 10,000 phishing emails. If 3% of recipients follow the link and enter their credentials (a conservative figure; simulated campaigns against untrained organizations routinely see higher rates), 300 sets of credentials are compromised. If 1% of those credentials unlock something valuable, the attacker has three footholds from a single campaign. Sending 10,000 emails costs almost nothing. The return on one successful compromise can be millions of dollars (ransomware deployment, business email compromise fraud, data exfiltration for extortion).
How It Works
Attack Types
Email phishing (mass). The most common variant. Generic emails sent to large recipient lists, impersonating well-known brands (Microsoft 365, Google, Amazon, banks, shipping companies). The emails typically contain a link to a fake login page that captures credentials, or an attachment that delivers malware. Mass phishing relies on volume: low sophistication, wide distribution, and a small percentage of successful compromises.
Spear phishing. Targeted phishing directed at a specific individual or organization. The attacker researches the target: their role, their projects, their colleagues, their writing style, their recent activity (often gathered from LinkedIn and social media). The phishing email is crafted to be contextually relevant. "Hi Sarah, here's the Q3 budget review Doc mentioned in yesterday's meeting" is far more convincing than "Your account has been compromised, click here to verify."
Spear phishing is the preferred initial access method for advanced persistent threat (APT) groups and sophisticated ransomware operators because the targeted nature dramatically increases the success rate. A well-crafted spear phishing email against a researched target can achieve click rates above 30%.
Business Email Compromise (BEC). A specialized phishing variant where the attacker impersonates (or compromises) a business email account to request fraudulent wire transfers, invoice payments, or sensitive information. BEC does not always require malware or credential theft. Sometimes the attacker compromises a real email account and uses it to send legitimate-looking requests to finance departments, vendors, or executives. BEC caused over $2.9 billion in reported losses in 2023 according to the FBI's Internet Crime Complaint Center (IC3).
Whaling. Spear phishing targeted at senior executives (the "big fish"). Whaling emails impersonate board members, legal counsel, regulators, or other high-authority figures. The urgency and authority inherent in executive communication make whaling particularly effective: a CFO receiving what appears to be an urgent request from the CEO is conditioned to act quickly.
Smishing and vishing. Phishing via SMS (smishing) and voice calls (vishing). Smishing typically delivers malicious links via text message, often impersonating delivery services, banks, or government agencies. Vishing uses phone calls where the attacker impersonates IT support, a bank representative, or law enforcement. These vectors bypass email security controls entirely and reach the victim through channels they often trust more than email.
Adversary-in-the-middle (AiTM) phishing. The phishing site is a real-time reverse proxy between the victim and the legitimate login page. The victim enters their password and one-time code (or approves a push prompt) on the phishing site; the proxy relays each step to the real site, which completes a genuine MFA ceremony and issues a session cookie. The proxy captures that cookie and hands it to the attacker, who loads it into their own browser and is logged in without ever learning the MFA secret. AiTM therefore defeats every MFA method that relays a user-supplied value: SMS and voice codes, TOTP, push approval, and push with number matching. It does not defeat phishing-resistant MFA. A FIDO2/WebAuthn credential is scoped to the relying party's domain, the browser writes the page's true origin into the data the authenticator signs, and the authenticator signs nothing for a domain it holds no credential for, so a proxy on a look-alike domain cannot obtain an assertion the real site will accept. PKI-based authentication (smart-card or certificate-based login) resists AiTM for the same structural reason: the private key never leaves the device and the proxy cannot present it.
AiTM phishing is the current state of the art, and it is commodity tooling: Evilginx2 and Modlishka put it within reach of attackers with moderate technical skill. Organizations that deploy SMS-based or push-notification MFA and consider themselves protected should understand that AiTM bypasses those methods wholesale. Only phishing-resistant methods (FIDO2/WebAuthn and PKI-based authentication) hold.
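To make the origin-binding argument concrete, the following is an added example, not code from this page or from any WebAuthn library, that models the three parties of a WebAuthn login in Go using only the standard library: an authenticator holding one P-256 key scoped to the RP ID example.com, a browser that fills in the page's real origin, and the relying party's verification. The domain names, the challenge string and the proxy origin login-example.net are constructed for the illustration, and the browser's RP ID rule is simplified to a suffix check. It runs a legitimate login, then the two things an AiTM proxy on its own domain can ask the browser for, then what the relying party does with a relayed assertion whose client data names the proxy, before and after the origin field is rewritten.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of WebAuthn clientDataJSON; the browser, not page script, fills in origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authData = rpIdHash(32) || flags || signCount; the signature covers authData || SHA-256(clientDataJSON).
type assertion struct{ clientDataJSON, authData, signature []byte }

// authenticator holds one private key per RP ID it was registered with.
type authenticator struct{ creds map[string]*ecdsa.PrivateKey }

func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}

// sign models the FIDO2 get() step: no credential scoped to this RP ID means no assertion at all.
func (a *authenticator) sign(rpID string, cdJSON []byte) (assertion, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return assertion{}, fmt.Errorf("authenticator: no credential for rpId %q", rpID)
	}
	h := sha256.Sum256([]byte(rpID))
	authData := append(h[:], 0x05, 0, 0, 0, 1) // flags UP|UV, signCount 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdJSON))
	return assertion{cdJSON, authData, sig}, err
}

// browserGet models navigator.credentials.get() on a page at pageOrigin (assumed "https://host"): it refuses an rpId that is not the host or a suffix of it, and it records the real origin itself.
func browserGet(a *authenticator, pageOrigin, rpID, challenge string) (assertion, error) {
	host := strings.TrimPrefix(pageOrigin, "https://")
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return assertion{}, fmt.Errorf("browser: rpId %q not valid for origin %s", rpID, pageOrigin)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	return a.sign(rpID, cd)
}

// verifyAssertion is the relying party side (WebAuthn Level 1, section 7.2, simplified).
func verifyAssertion(pub *ecdsa.PublicKey, rpID, expectedOrigin, challenge string, as assertion) error {
	var cd clientData
	if json.Unmarshal(as.clientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != expectedOrigin {
		return fmt.Errorf("rp: client data rejected (origin %q, expected %q)", cd.Origin, expectedOrigin)
	}
	if want := sha256.Sum256([]byte(rpID)); len(as.authData) < 32 || !bytes.Equal(as.authData[:32], want[:]) {
		return fmt.Errorf("rp: rpIdHash is not for %q", rpID)
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.authData, as.clientDataJSON), as.signature) {
		return fmt.Errorf("rp: signature invalid")
	}
	return nil
}

// Constructed values: the real RP and the AiTM proxy's look-alike origin.
const rpID, realOrigin, evilOrigin = "example.com", "https://login.example.com", "https://login-example.net"
const challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"

// scenarios registers one credential for example.com and returns the outcome of each login attempt.
func scenarios() map[string]error {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the RNG does
	auth, pub := &authenticator{map[string]*ecdsa.PrivateKey{rpID: priv}}, &priv.PublicKey
	out := map[string]error{}
	// 1. Legitimate login: browser on the real origin; the RP accepts.
	as, err := browserGet(auth, realOrigin, rpID, challenge)
	if err == nil {
		err = verifyAssertion(pub, rpID, realOrigin, challenge, as)
	}
	out["legitimate"] = err
	// 2. AiTM: the victim's browser is on the proxy's origin. Whatever rpId the proxy page asks for, the browser or the authenticator refuses.
	_, out["proxy asks real rpId"] = browserGet(auth, evilOrigin, rpID, challenge)
	_, out["proxy asks own rpId"] = browserGet(auth, evilOrigin, "login-example.net", challenge)
	// 3. Hypothetically skip the browser check and sign client data naming the proxy origin: the RP rejects it, and rewriting the origin to the real one invalidates the signature.
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: evilOrigin})
	as, _ = auth.sign(rpID, cd)
	out["relayed"] = verifyAssertion(pub, rpID, realOrigin, challenge, as)
	as.clientDataJSON = bytes.Replace(as.clientDataJSON, []byte(evilOrigin), []byte(realOrigin), 1)
	out["origin rewritten"] = verifyAssertion(pub, rpID, realOrigin, challenge, as)
	return out
}

func main() { fmt.Println(scenarios()) }
```

The contrast with relayed-value MFA is the clientDataJSON: a TOTP code or a push approval carries no record of where the user typed it, so the proxy can forward it unchanged, whereas here the origin sits inside the signed data and only the browser writes it.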
The Kill Chain After the Click
The phishing email is the door. What happens after the victim clicks determines the impact.
Credential harvesting. The victim enters credentials on a fake login page. The attacker uses them to access the victim's email, cloud services, VPN, or internal applications. If the account has MFA, the attacker may use AiTM techniques or MFA fatigue (sending repeated push notifications until the victim approves one) to get past it. Number matching on push prompts blunts MFA fatigue; it does nothing against AiTM, because the proxied session completes the prompt legitimately.
Malware delivery. The victim opens an attachment (macro-enabled Office document, PDF with embedded link, HTML smuggling, ISO/IMG disk image) that executes malware on the endpoint. The malware establishes persistence and begins reconnaissance, lateral movement, and data staging. This is the initial access phase of ransomware attacks.
Direct action. In BEC scenarios, the victim performs the requested action (wire transfer, invoice payment, data disclosure) without malware being involved. The damage is financial and immediate.
Why It Matters
Scale and Persistence
Phishing is not a problem that is getting solved. It is a problem that is evolving. Email filtering and security awareness training have raised the bar, but attackers adapt: they use legitimate cloud services (Google Docs, SharePoint, Dropbox) to host phishing content, bypassing URL reputation filters. They use QR codes in emails (quishing) to redirect victims to phishing sites via their phones, bypassing corporate email security entirely. They use AI to generate more convincing phishing content at scale.
The underlying dynamic is asymmetric. Defenders must stop 100% of phishing attempts. The attacker needs one success. This asymmetry means that phishing defense cannot rely on a single control. It requires layered defense across multiple PDM domains.
The Gateway to Everything Else
Phishing is rarely the end objective. It is the beginning. A credential harvested by phishing enables VPN access, which enables internal reconnaissance, which enables privilege escalation, which enables data exfiltration or ransomware deployment. A large share of ransomware incidents, BEC losses, and data breaches begin with a phishing email that a human chose to trust.
Defending against phishing is defending against the entire attack chain that follows. Every minute of delay between the phishing click and the detection of compromise reduces the blast radius of the incident.
The Human Factor
Phishing is a human problem, not a technology problem. Technical controls (email filtering, URL sandboxing, attachment detonation) reduce the volume of phishing that reaches inboxes. They do not reduce it to zero. The emails that pass technical controls are the ones the filters could not distinguish from legitimate mail, which is to say the best-crafted ones. The last line of defense is the human who reads the email and decides whether to click, open, or respond.
This is why security awareness training (SPH-B03) and social engineering campaigns (SPH-D02) are critical SPH missions. Training builds the recognition patterns that help users identify phishing attempts. Testing validates whether the training works. Together, they reduce the click rate from baseline (typically 15% to 30% in untrained organizations) to target (under 5% in mature programs).
CDA Perspective
Phishing is a cross-domain threat in the PDM. The attack originates in TID (it is a threat that must be detected), targets IAT (it seeks to compromise identity and credentials), and is defended through SPH (email security controls and user training). The consequences cascade into DPS (data at risk), VSD (the compromised credential reveals new attack surface), and RGA (regulatory notification if a breach results).
CDA's layered defense against phishing operates across four domains:
TID (detection). Email security platforms (secure email gateways, cloud-native email security) filter the majority of phishing before it reaches the inbox. URL sandboxing detonates suspicious links in isolated environments. Attachment analysis examines files for malicious content. These are TID's front line: the reef that breaks up the wave before it reaches shore.
CDA's PDI (Predictive Defense Intelligence) methodology applies to phishing through threat intelligence: which phishing campaigns are currently targeting the client's industry? Which phishing kits are being used? What domains have been registered that impersonate the client's brand? Anticipatory defense means deploying detection rules for the phishing campaign before it reaches the inbox.
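The brand-impersonation question above is answered in practice by a look-alike check run over a feed of newly registered domains or over the URLs extracted from inbound mail. The following is an added example in Go, not CDA's tooling or any product's code: it flags homoglyph, typosquat, wrong-TLD, embedded-brand and punycode look-alikes of a brand domain. The brand example.com, the candidate list and the confusables table are constructed for the illustration; the table is a small subset of the Unicode confusables data, the edit-distance bound is a heuristic, and the single-label-TLD assumption would be replaced by a Public Suffix List lookup in a real tool.

```go
package main

import (
	"fmt"
	"strings"
)

// Substitutes attackers use for brand letters, folded back before comparing; the Cyrillic entries are
// homoglyphs of Latin letters. This is a constructed subset, not the full Unicode confusables table.
var confusables = map[rune]rune{
	'0': 'o', '1': 'l', '3': 'e', '4': 'a', '5': 's', '7': 't', '8': 'b',
	'а': 'a', 'е': 'e', 'о': 'o', 'р': 'p', 'с': 'c', 'х': 'x', 'у': 'y', 'і': 'i',
}

// normalize lower-cases a label and folds single-character and two-character (rn->m, vv->w) lookalikes.
func normalize(label string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(label) {
		if m, ok := confusables[r]; ok {
			r = m
		}
		b.WriteRune(r)
	}
	return strings.NewReplacer("rn", "m", "vv", "w").Replace(b.String())
}

func minInt(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// osaDistance is Levenshtein distance with an adjacent transposition counted as one edit, so the
// classic "exmaple" swap scores 1 rather than 2.
func osaDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	d := make([][]int, len(ra)+1)
	for i := range d {
		d[i] = make([]int, len(rb)+1)
		d[i][0] = i
	}
	for j := range d[0] {
		d[0][j] = j
	}
	for i := 1; i <= len(ra); i++ {
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			d[i][j] = minInt(minInt(d[i-1][j]+1, d[i][j-1]+1), d[i-1][j-1]+cost)
			if i > 1 && j > 1 && ra[i-1] == rb[j-2] && ra[i-2] == rb[j-1] {
				d[i][j] = minInt(d[i][j], d[i-2][j-2]+1)
			}
		}
	}
	return d[len(ra)][len(rb)]
}

// classify returns why domain looks like brand, or "" if it is the brand, a subdomain of it, or
// unrelated. It assumes a single-label TLD; a production tool would consult the Public Suffix List.
func classify(domain, brand string) string {
	domain = strings.TrimSuffix(strings.ToLower(domain), ".")
	if domain == brand || strings.HasSuffix(domain, "."+brand) {
		return ""
	}
	bl, labels := strings.Split(brand, "."), strings.Split(domain, ".")
	if len(labels) < 2 {
		return ""
	}
	brandLabel, brandTLD := bl[len(bl)-2], bl[len(bl)-1]
	sld, tld := labels[len(labels)-2], labels[len(labels)-1]
	switch n := normalize(sld); {
	case strings.HasPrefix(sld, "xn--"):
		return "idn-punycode" // decode (e.g. golang.org/x/net/idna) and re-run before judging
	case n == brandLabel && sld != brandLabel:
		return "homoglyph"
	case n == brandLabel && tld != brandTLD:
		return "other-tld"
	case osaDistance(n, brandLabel) <= 1+len(brandLabel)/8: // edit bound grows with label length; short brands need a tight one
		return "typosquat"
	case strings.Contains(strings.Join(labels[:len(labels)-1], "."), brandLabel):
		return "embedded-brand"
	}
	return ""
}

// Constructed candidates, as a newly-registered-domains feed or URLs pulled from mail might supply them.
var candidates = []string{
	"login.example.com", "examp1e.com", "exarnple.com", "\u0435xample.com", "exmaple.com", "examplle.com",
	"example.co", "example.com.secure-login.net", "example-support.net", "xn--exmple-cua.com", "github.com",
}

func main() {
	for _, c := range candidates {
		fmt.Printf("%-32s %q\n", c, classify(c, "example.com"))
	}
}
```

Feeding the output into a blocklist or a certificate-transparency watch is the usual next step; the tags are deliberately short so a SIEM rule can key on them.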
IAT (credential protection). Phishing-resistant MFA (FIDO2/WebAuthn) is the single most effective technical control against credential phishing. Even if the user enters their password on a phishing site, the authenticator (a hardware key or a platform passkey) produces no usable assertion: the credential is scoped to the legitimate domain, and the origin the browser records in the signed client data is the phishing site's, which the real service rejects. IAT-B03 (MFA Hardening, 24 hours) deploys phishing-resistant MFA. This mission alone addresses the most common successful phishing outcome: credential compromise.
SPH (human defense). Security awareness training (SPH-B03, 24 hours) builds the user's ability to recognize phishing attempts. Social engineering campaigns (SPH-D02, 16 hours) test the effectiveness of that training with realistic simulated phishing. The combination of training and testing produces measurable reduction in click rates over time.
SPH also covers the email infrastructure hygiene that reduces phishing deliverability: SPF, DKIM, and DMARC configuration that stops attackers from spoofing the organization's own domain. With SPF and DKIM aligned and a DMARC policy at "reject", receiving mail systems that honor DMARC discard mail that claims to come from the organization's exact domain but fails authentication, so the domain cannot be used as the visible sender in phishing against its own employees, customers, and partners. Three caveats a practitioner should keep in mind: a policy of "none" only reports and blocks nothing; the protection covers only the exact domain and its subdomains, not look-alike domains; and it depends on the receiver enforcing the policy, which not every mail system does.
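A DMARC record that exists is not the same as one that enforces. The following is an added example in Go, not the page's or any vendor's code, that parses DMARC and SPF TXT records and reports the gaps a reviewer looks for: a policy other than reject, pct below 100, a subdomain policy weaker than the organizational one, no aggregate-report address, a +all or ?all SPF terminator, and more than ten DNS-querying SPF terms. The five record strings are constructed samples for example.com, not real DNS data; a real check would fetch _dmarc.<domain> and the domain's own TXT record over DNS before calling these functions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// dmarcPolicy holds the tags of a _dmarc TXT record that decide whether spoofed mail is stopped.
type dmarcPolicy struct {
	Present bool
	P, SP   string // policy for the domain and for its subdomains (sp defaults to p)
	Pct     int    // share of failing mail the policy applies to (default 100)
	RUA     string // aggregate-report address
}

// parseDMARC reads the "v=DMARC1; tag=value; ..." form of RFC 7489 section 6.3.
func parseDMARC(txt string) dmarcPolicy {
	parts := strings.Split(txt, ";")
	if strings.TrimSpace(parts[0]) != "v=DMARC1" {
		return dmarcPolicy{}
	}
	tags := map[string]string{}
	for _, part := range parts[1:] {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[strings.ToLower(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	p := dmarcPolicy{Present: true, P: strings.ToLower(tags["p"]), SP: strings.ToLower(tags["sp"]), Pct: 100, RUA: tags["rua"]}
	if n, err := strconv.Atoi(tags["pct"]); err == nil {
		p.Pct = n
	}
	if p.SP == "" {
		p.SP = p.P
	}
	return p
}

var strength = map[string]int{"none": 0, "quarantine": 1, "reject": 2}

// assessDMARC returns the gaps a reviewer would raise; no findings means reject is enforced everywhere.
func assessDMARC(p dmarcPolicy) (out []string) {
	if !p.Present {
		return []string{"no DMARC record: receivers apply no policy to mail spoofing the domain"}
	}
	if p.P != "reject" {
		out = append(out, "p="+p.P+": only reject stops spoofed mail (none just reports, quarantine files it as spam)")
	}
	if p.Pct < 100 {
		out = append(out, fmt.Sprintf("pct=%d: the policy is applied to only that share of failing mail", p.Pct))
	}
	if strength[p.SP] < strength[p.P] {
		out = append(out, fmt.Sprintf("sp=%s is weaker than p=%s: subdomains can still be spoofed", p.SP, p.P))
	}
	if p.RUA == "" {
		out = append(out, "no rua= address: no aggregate reports, so spoofing attempts go unseen")
	}
	return out
}

// assessSPF checks the "all" terminator and counts DNS-querying terms, which RFC 7208 section 4.6.4 caps at 10.
func assessSPF(txt string) (out []string) {
	terms := strings.Fields(strings.ToLower(txt))
	if len(terms) == 0 || terms[0] != "v=spf1" {
		return []string{"no SPF record: receivers cannot tell which hosts may send for the domain"}
	}
	lookups := 0
	for _, t := range terms[1:] {
		switch name := strings.TrimLeft(t, "+-~?"); {
		case name == "a", name == "mx", name == "ptr", strings.HasPrefix(name, "a:"), strings.HasPrefix(name, "mx:"),
			strings.HasPrefix(name, "include:"), strings.HasPrefix(name, "exists:"), strings.HasPrefix(name, "redirect="):
			lookups++
		case t == "all", t == "+all":
			out = append(out, "+all: every sender passes, the record authorises nothing")
		case t == "?all":
			out = append(out, "?all: neutral result, receivers get nothing to act on")
		case t == "~all":
			out = append(out, "~all: softfail only; DMARC enforcement is needed for receivers to act on it")
		}
	}
	if lookups > 10 {
		out = append(out, fmt.Sprintf("%d DNS-querying terms exceed the limit of 10: SPF evaluates to permerror", lookups))
	}
	return out
}

// Constructed sample records for example.com (not real DNS data).
const (
	weakDMARC    = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
	partialDMARC = "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@example.com"
	strongDMARC  = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
	weakSPF      = "v=spf1 include:_spf.example.net a mx +all"
	strongSPF    = "v=spf1 include:_spf.example.net -all"
)

func main() {
	fmt.Println(assessDMARC(parseDMARC(weakDMARC)), assessDMARC(parseDMARC(partialDMARC)), assessDMARC(parseDMARC(strongDMARC)))
	fmt.Println(assessSPF(weakSPF), assessSPF(strongSPF))
}
```

The sp check matters because a reject policy on the apex with sp=none leaves every subdomain spoofable, and the lookup count matters because a record that exceeds ten lookups yields permerror, which most receivers treat as no SPF at all.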
RGA (governance). If phishing results in a breach, RGA manages the regulatory and legal response: breach notification, insurance claims, and board communication. RGA also governs the policy framework that mandates the technical controls: the policy requiring phishing-resistant MFA, the policy requiring security awareness training, and the policy defining acceptable email security standards.
Four TOP missions connect directly to phishing defense:
- SPH-B03 (Security Awareness Program): Build the training program that reduces human susceptibility. 24 estimated hours.
- SPH-D02 (Social Engineering Campaign): Test the training with realistic simulated phishing, vishing, and physical social engineering. 16 estimated hours.
- IAT-B03 (MFA Hardening): Deploy phishing-resistant MFA that defeats credential harvesting even when the user is deceived. 24 estimated hours.
- TID-R01 (Threat Landscape Assessment): Assess the phishing threat landscape specific to the client's industry, geography, and brand exposure. 20 estimated hours.
Key Takeaways
- Phishing is the most common initial access vector for cyberattacks, targeting human judgment through fraudulent communications that impersonate trusted entities.
- Adversary-in-the-middle (AiTM) phishing bypasses every MFA method that relays a user-supplied value: SMS and voice codes, TOTP, push approval, and push with number matching. Phishing-resistant MFA (FIDO2/WebAuthn, PKI-based authentication) is not bypassed, because the credential is bound to the legitimate origin.
- Phishing defense requires layered controls across TID (email security, threat intelligence), IAT (phishing-resistant MFA), SPH (awareness training, email hygiene), and RGA (governance and response).
- Security awareness training reduces phishing click rates from 15% to 30% (untrained) to under 5% (mature). Testing validates the training. Both are required.
- Phishing is the gateway. Defending against phishing is defending against the ransomware, BEC, and data breach that follow.
Sources
- Verizon. "2024 Data Breach Investigations Report." Verizon Enterprise, 2024.
- Federal Bureau of Investigation. "Internet Crime Report 2023." FBI Internet Crime Complaint Center (IC3), 2024. (BEC loss statistics.)
- MITRE Corporation. "ATT&CK Technique T1566: Phishing." attack.mitre.org, updated continuously.
- Cybersecurity and Infrastructure Security Agency (CISA). "Phishing Guidance: Stopping the Attack Cycle at Phase One." Joint Guide, October 2023.
- W3C Web Authentication Working Group. "Web Authentication: An API for accessing Public Key Credentials Level 1." W3C Recommendation, March 2019.