We have three things to work with regarding phishing emails: the sender's email address, the subject and the content.
The Sender's Address:
Ideally, the sender's address would be from a domain name that spoofs a significant brand, a known contact, or a coworker. See the Choosing A Phishing Domain task below for more information on this.
To find what brands or people a victim interacts with, you can employ OSINT (Open Source Intelligence) tactics. For example:
- Observing their social media accounts for any brands or friends they talk to.
- Searching Google for the victim's name and rough location for any reviews the victim may have left about local businesses or brands.
- Looking at the victimโs business website to find suppliers.
- Looking at LinkedIn to find coworkers of the victim.
The Subject:
You should set the subject to something quite urgent, worrying, or that piques the victim's curiosity, so they do not ignore it and act on it quickly.
Examples of this could be:
- Your account has been compromised.
- Your package has been dispatched/shipped.
- Staff payroll information (do not forward!)
- Your photos have been published.
The Content:
If impersonating a brand or supplier, it would be pertinent to research their standard email templates and branding (style, logos, images, sign-offs, etc.) and make your content look the same as theirs, so the victim doesn't suspect anything. If impersonating a contact or coworker, it could be beneficial to contact them first; they may have some branding in their template, have a particular email signature, or even something small such as how they refer to themselves. For example, someone might have the name Dorothy and their email is dorothy@company.thm, but in their signature it might say "Best Regards, Dot". Learning these somewhat small things can sometimes have quite dramatic psychological effects on the victim and convince them more to open and act on the email.
If you've set up a spoof website to harvest data or distribute malware, the links to it should be disguised using the anchor text, changing it either to some text which says "Click Here" or to a correct-looking link that reflects the business you are spoofing, for example:
<a href="http://spoofsite.thm">Click Here</a>
<a href="http://spoofsite.thm">https://onlinebank.thm</a>
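From the defender's side, the two disguises shown above are exactly what a mail-filtering or triage check should look for: the visible anchor text and the real href target disagree. The following is an added example (not part of the original room) that parses an HTML email body with Python's standard library, extracts every anchor, and flags generic "Click Here" text pointing to a host other than the claimed sender's domain, anchor text that looks like a URL but whose host differs from the href host, and a visible https link that really resolves to plain http. The sample email body and the expected-domain parameter are constructed for the demonstration; the two spoofsite.thm anchors are the ones shown in the text.

```python
"""Flag deceptive links in an HTML email body (defender-side triage helper).

Added example: for each <a> element in an email, compare the visible anchor
text with the real href and report the mismatches a phishing email relies on.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email: the two disguised anchors from the text plus one honest link.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Your account has been compromised. <a href="http://spoofsite.thm">Click Here</a> to secure it.</p>
<p>Or sign in at <a href="http://spoofsite.thm">https://onlinebank.thm</a></p>
<p>Regards,<br><a href="https://onlinebank.thm/contact">Contact us</a></p>
"""

# Anchor texts that say nothing about the destination, so the href must be judged on its own.
GENERIC_TEXT = {"click here", "here", "login", "log in", "sign in", "verify", "update"}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, or None when outside one
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lowercase host of a URL-like string, or None if it is not URL-like."""
    if "://" not in value and not value.lower().startswith("www."):
        return None
    parsed = urlparse(value if "://" in value else "http://" + value)
    return parsed.hostname.lower() if parsed.hostname else None


def is_same_or_sub(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def find_deceptive_links(html, expected_domain):
    """Return a list of (href, text, reason) for anchors that warrant review.

    expected_domain is the domain the email claims to come from (constructed
    parameter here; in practice taken from the From: header after SPF/DKIM checks).
    """
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        href_host = host_of(href)
        text_host = host_of(text)
        if text_host and href_host and text_host != href_host:
            # Visible URL and real destination name different hosts.
            findings.append((href, text,
                             "anchor text shows %s but link goes to %s" % (text_host, href_host)))
        elif text_host and text.lower().startswith("https://") and href.lower().startswith("http://"):
            # Same host, but the displayed https link really uses plain http.
            findings.append((href, text, "visible https link resolves to plain http"))
        elif text.lower() in GENERIC_TEXT and href_host and not is_same_or_sub(href_host, expected_domain):
            # "Click Here" style text hiding an off-brand destination.
            findings.append((href, text,
                             "generic '%s' text points off-brand to %s" % (text, href_host)))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_deceptive_links(SAMPLE_EMAIL, "onlinebank.thm"):
        print("SUSPICIOUS: [%s] -> %s (%s)" % (text, href, reason))
```

Run against the sample, both disguised anchors are reported and the honest "Contact us" link is not. The check is deliberately conservative: it only compares what the recipient sees with where the link actually goes, so it has no opinion about a link whose text and destination agree.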