



Multi-stage spear phishing – bait, hook and catch

Oct 04, 2017 | 5 mins

Multi-step spear phishing is the latest iteration in social engineering from sophisticated cybercriminals.

[Image: spear phishing trap. Credit: Thinkstock]

Cybercriminals have an extensive history of conducting attacks that cast a wide net, hitting as many people as possible. Nearly everyone has received an email from a wealthy foreign banker, from a Nigerian prince offering to pay you an exorbitant sum of money, or from a sketchy drug company promising a pill that will revolutionize your love life.

However, cybercriminals are now taking an “enterprise” approach. Similar to B2B enterprise sales, they go after a smaller number of targets, with the goal of extracting a much greater payout through highly personalized attacks. Spear phishing, the use of highly targeted attacks that impersonate an employee or a popular web service, has been on the rise, and according to the FBI these attacks have proven extremely lucrative for cybercriminals.

The latest iteration in social engineering involves multiple steps. Sophisticated cybercriminals no longer try to hit company executives with a fake wire request out of the blue. Instead, they first infiltrate the organization, then conduct reconnaissance and wait for the opportune moment to trick their targets by launching an attack from a compromised mailbox.

Step 1: Infiltration

Most phishing attempts are easy for people who receive cyber security training (executives, IT staff) to sniff out, because they contain odd sender addresses, bold requests, or misspelled words that raise red flags. However, we are seeing a rapid increase in personalized attacks that are exceedingly difficult to spot, especially for people who lack security awareness. In the example pictured below, the message itself does not appear suspicious: it seems to come from Microsoft, alerting you that your Office 365 email account needs to be reactivated.

[Image: Office 365 phishing email. Credit: Barracuda Networks]

There is one red flag, but a subtle one: if you hover over the link, you will notice that it does not lead to the site it appears to, but to a different website. People with high security awareness would spot this. The average employee would not.
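The hover check can be done mechanically over the HTML body of a message before anyone has to hover. The following is an added example, not code from the article or from Barracuda: it parses the anchors in a constructed sample message (the hosts in it are placeholders, not real phishing infrastructure) and flags any link whose visible text names one domain while the href goes to another, or whose href points at a bare IP address.

```python
"""Flag anchors in an HTML e-mail whose visible text points one way and whose
href points another: the "hover over the link" check done mechanically.

Added example for this article; it is not Barracuda code. The sample message
below is constructed, and the hosts in it are placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample resembling the Office 365 re-activation lure: the visible
# text claims to be Microsoft, the href is a lookalike host.
SAMPLE_HTML = """
<p>Your Office 365 mailbox must be reactivated within 24 hours.</p>
<p><a href="https://login.micros0ft-verify.example/auth">https://login.microsoftonline.com/</a></p>
<p>Or visit <a href="https://portal.office.com/">the Office portal</a>.</p>
<p><a href="http://203.0.113.9/o365">Reactivate now</a></p>
"""

# A domain-looking token in the visible link text, with or without a scheme.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels approximation (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def audit_links(html):
    """Return (href, text, reason) for every anchor that deserves a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(text)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((href, text, "link points at a bare IP address"))
        elif shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append((href, text,
                             f"visible text names {shown.group(1)} but href goes to {host}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in audit_links(SAMPLE_HTML):
        print(f"{reason}\n    text: {text!r}\n    href: {href}")
```

The same check belongs at the mail gateway, where it can run before delivery rather than relying on the reader. The domain comparison uses the last two labels as an approximation; a production version should compare against a public-suffix list so that hosts under country-code second-level domains are not misjudged.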

That is why attackers go after easier targets: mid-level employees in sales, marketing, support, and operations. These employees often receive no cyber security training and are more likely to open such emails and act on them.

What happens when you take the bait?

This spear phishing attack aims to steal the recipient’s user name and password. Once the attacker has those credentials, and if the organization does not have multi-factor authentication enabled (unfortunately, many do not), they can simply log in to the account.

Step 2: Reconnaissance

The attacker will typically monitor the account and read the email traffic to learn about the organization.

They may even set up forwarding rules on the account so that they do not need to log in frequently. A rule that silently forwards or redirects mail to an external address is mailbox configuration, not a session, so it survives a password reset unless someone finds and removes it.

Reading the traffic tells the attacker who the decision makers are, who can influence financial transactions, who has access to HR information, and more. It also lets the attacker spy on the organization’s interactions with other organizations (partners, customers, vendors).

This knowledge is then leveraged for the last step of the attack.
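The forwarding rules described in this step leave a trace in mailbox audit data, which makes them one of the more reliable things to hunt for. The following is an added example, not code from the article or from Barracuda: it scores a few constructed audit records (a simplified shape modelled on Exchange Online events, an Operation plus a list of Name/Value parameters; the field names, the internal domain list and the weights are assumptions to adapt to your own export) and surfaces rules that forward mail outside the organization, delete or hide what they act on, or key on payment-related subjects.

```python
"""Hunt for the persistence step in the article: inbox rules or mailbox
settings that silently forward mail outside the tenant, or hide the evidence.

Added example, not Barracuda code. The records below are constructed and use
a simplified shape modelled on Exchange Online audit events (Operation plus a
list of Name/Value Parameters); adapt the field names to your own source."""
import json

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains

# Constructed sample records, one JSON object per line, as an export might hand them over.
SAMPLE_EVENTS = r"""
{"CreationTime":"2017-09-28T02:14:07","Operation":"New-InboxRule","UserId":"jdoe@example.com","ClientIP":"198.51.100.23","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"jd.backup@mail-drop.example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2017-09-28T09:02:41","Operation":"New-InboxRule","UserId":"asmith@example.com","ClientIP":"10.1.4.77","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Reading"},{"Name":"SubjectContainsWords","Value":"digest"}]}
{"CreationTime":"2017-09-29T23:40:12","Operation":"Set-Mailbox","UserId":"jdoe@example.com","ClientIP":"198.51.100.23","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:finance.archive@attacker.example.org"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2017-09-30T11:05:00","Operation":"New-InboxRule","UserId":"bwong@example.com","ClientIP":"10.1.4.90","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"SubjectContainsWords","Value":"invoice;wire;payment"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]}
"""

FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email",
                  "archive", "conversation history"}
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "account", "ach", "swift"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "Set-TransportRule"}


def address_domain(value):
    """'smtp:user@host' or 'user@host' -> 'host' (lower-case); '' if there is no @."""
    value = value.split(":", 1)[-1]
    return value.rsplit("@", 1)[-1].lower() if "@" in value else ""


def score_event(event):
    """Return (score, reasons) for one audit record; 0 means nothing of interest."""
    if event.get("Operation") not in RULE_OPS:
        return 0, []
    params = {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}
    score, reasons = 0, []
    for name in FORWARD_PARAMS.intersection(params):
        domain = address_domain(params[name])
        if domain and domain not in INTERNAL_DOMAINS:
            score += 5
            reasons.append(f"{name} to external domain {domain}")
    if params.get("DeleteMessage", "").lower() == "true":
        score += 3
        reasons.append("rule deletes the message after acting on it")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        score += 2
        reasons.append(f"rule files mail into {params['MoveToFolder']!r}, a folder users rarely open")
    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";") if w.strip()}
    if words & FINANCE_WORDS:
        score += 2
        reasons.append(f"rule keys on financial subjects: {sorted(words & FINANCE_WORDS)}")
    if len(params.get("Name", "x").strip(" .")) == 0:
        score += 1
        reasons.append("rule name is blank or punctuation only")
    return score, reasons


def hunt(lines, threshold=3):
    """Parse JSON lines and return events scoring at or above threshold, highest first."""
    hits = []
    for line in lines.strip().splitlines():
        event = json.loads(line)
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((score, event["UserId"], event["Operation"], reasons))
    return sorted(hits, key=lambda h: -h[0])


if __name__ == "__main__":
    for score, user, op, reasons in hunt(SAMPLE_EVENTS):
        print(f"[{score}] {user} {op}")
        for r in reasons:
            print("     -", r)
```

Run this over the audit log on a schedule rather than once: a rule created at 02:14 from an address the user has never logged in from, forwarding to an external mailbox and deleting the original, is exactly the second step of the attack in this article, and it is cheap to catch.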

Step 3: Extract value

Attackers can use this information to launch a targeted spear phishing attack. For example, they can send customers fake bank account information just as a payment is about to be made. Or they can trick other employees into sending HR information or wiring money, or get them to click on links that harvest additional credentials and information.

Since the email comes from a legitimate (albeit compromised) account, it appears entirely legitimate, and the reconnaissance allows the attacker to perfectly mimic the sender’s signature and writing style. Sender authentication checks such as SPF and DKIM pass as well, because the mail really is sent through the organization’s own mail service.

Taking action immediately (for your sake)

There are three layers that organizations should implement now to combat spear phishing: user training and awareness, multi-factor authentication, and real-time analytics and AI.

Targeted user training

Employees should be trained and tested regularly to increase their awareness of targeted attacks. Staging simulated attacks for training purposes is among the most effective preventive activities. As the example above illustrates, training should not focus only on executives but should cover all employees.


Multi-factor authentication

Multi-factor authentication is absolutely essential. In the attack described above, if multi-factor authentication had been enabled, the stolen password alone would not have let the attacker into the account. Multi-factor authentication can take many forms, including SMS codes or phone calls, key fobs, fingerprint readers and even retina scans. SMS and voice codes are the weakest of these, since they can be intercepted or phished along with the password; a hardware token or an authenticator app is preferable. It also has to be enforced on every way into the mailbox, including legacy protocols such as IMAP and POP that do not support a second factor, or the attacker will simply use the path that skips it.

AI protection

Artificial intelligence now offers some of the strongest hope for shutting down spear phishing. By learning and analyzing an organization’s unique communication patterns, an AI engine can sniff out inconsistencies and quarantine attacks in real time. In the attack above, such an engine could have classified the first-stage email as spear phishing and, had that been missed, could have detected the anomalous activity in the compromised account (a new forwarding rule, a sudden message about changed bank details to a customer) and stopped the second and third phases.
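To make the idea of “learning communication patterns” concrete for the Step 3 scenario above, here is an added example that is not Barracuda Sentinel or any product code: it builds a per-sender baseline from a constructed message history (who the sender writes to, at what hours, with what signature, and whether they ever discuss payments) and scores a constructed message sent from the compromised mailbox against that baseline. The features and weights are assumptions chosen to illustrate the approach, not tuned values.

```python
"""A toy version of the "learn the organisation's communication patterns, then
flag what does not fit" idea: build a per-sender baseline from past mail, then
score new messages against it.

Added example for this article, not Barracuda Sentinel or any product code.
Messages are constructed; the features and weights are assumptions chosen to
illustrate the approach, not tuned values."""
from collections import defaultdict
from datetime import datetime
import re

# Constructed message history: (sender, recipients, sent_at, reply_to, subject, body).
HISTORY = [
    ("cfo@example.com", ["ap@example.com"], "2017-09-05T10:12:00", None, "Q3 close", "Numbers look fine.\n-- Dana, CFO"),
    ("cfo@example.com", ["ceo@example.com"], "2017-09-06T15:40:00", None, "Board deck", "Draft attached.\n-- Dana, CFO"),
    ("cfo@example.com", ["ap@example.com", "ceo@example.com"], "2017-09-12T09:05:00", None, "Audit prep", "See schedule.\n-- Dana, CFO"),
    ("cfo@example.com", ["ap@example.com"], "2017-09-20T11:30:00", None, "Vendor list", "Updated.\n-- Dana, CFO"),
]

FINANCE_RE = re.compile(r"\b(wire|bank account|routing number|swift|iban|urgent transfer)\b", re.I)


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def signature(body):
    """Last non-empty line of the body, the part a sender rarely changes."""
    lines = [l.strip() for l in body.strip().splitlines() if l.strip()]
    return lines[-1] if lines else ""


def build_baseline(history):
    """Per sender: recipients seen, hours seen, signatures seen, and whether they ever wrote about payments."""
    base = defaultdict(lambda: {"recipients": set(), "hours": set(), "signatures": set(), "finance": False})
    for sender, rcpts, sent_at, _reply_to, subject, body in history:
        b = base[sender]
        b["recipients"].update(r.lower() for r in rcpts)
        b["hours"].add(datetime.fromisoformat(sent_at).hour)
        b["signatures"].add(signature(body))
        b["finance"] |= bool(FINANCE_RE.search(subject + " " + body))
    return base


def score_message(baseline, msg):
    """Return (score, reasons) comparing one message with its sender's baseline; 0 means it fits."""
    sender, rcpts, sent_at, reply_to, subject, body = msg
    b = baseline.get(sender)
    if b is None:
        return 1, ["no history for this sender"]
    score, reasons = 0, []
    new = [r for r in rcpts if r.lower() not in b["recipients"]]
    if new:
        score += 2
        reasons.append(f"never-before-seen recipient(s): {new}")
    hour = datetime.fromisoformat(sent_at).hour
    if not any(abs(hour - h) <= 1 for h in b["hours"]):
        score += 2
        reasons.append(f"sent at {hour:02d}:00, outside the sender's usual hours {sorted(b['hours'])}")
    if FINANCE_RE.search(subject + " " + body) and not b["finance"]:
        score += 3
        reasons.append("payment/bank-detail language from a sender who has never used it")
    if reply_to and domain(reply_to) != domain(sender):
        score += 3
        reasons.append(f"Reply-To domain {domain(reply_to)} differs from sender domain {domain(sender)}")
    if signature(body) not in b["signatures"]:
        score += 1
        reasons.append("signature block does not match any seen before")
    return score, reasons


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    # Constructed stage-3 message sent from the compromised CFO mailbox to a customer.
    suspect = ("cfo@example.com", ["billing@customer.example.org"], "2017-10-02T03:17:00",
               "dana.cfo@accounts-example.net", "Updated bank account for payment",
               "Please use the new bank account and routing number below for this wire.\nDana")
    print(score_message(baseline, suspect))
```

No single feature here is conclusive: a CFO does occasionally write to a new customer, and sometimes at 03:00. The point is that a message from a compromised mailbox tends to break several habits at once, which is what a learned baseline can see and a static rule cannot.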


Asaf Cidon is Vice President, Content Security Services at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense. Barracuda Sentinel utilizes artificial intelligence to learn the unique communications patterns inside customer organizations to identify anomalies and guard against these personalized attacks.

Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked at Google’s web search engineering team.

Asaf holds a PhD and MS in Electrical Engineering from Stanford, and BSc in Computer Engineering from the Technion.

The opinions expressed in this blog are those of Asaf Cidon, Barracuda Networks and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.