October 24, 2022 by Jack Miller

Behind the Scenes of a Phishing Attack

Like Like Views 4584 [analytify-stats metrics="ga:pageviews" permission_view=""]

Industries: 9-1-1 & Law Enforcement Education Energy Industries Federal Fire & EMS Hospitality Manufacturing Transportation & Logistics

Topics: Cybersecurity

As we wrap up National Cybersecurity Awareness Month, you’ll no doubt read many blogs about how to spot a phishing attack. Cyber criminals commonly use such attacks as the first step in compromising unsuspecting victims by sending them a malicious link via a text message or email messages. 

But beyond being able to recognize a suspicious email or message, have you ever wondered what really happens behind the scenes if you click on a link? Can a phishing scam give attackers immediate access to all your deepest secrets and personal data? Can they take control of your webcam and secretly video you singing to your cat so they can blackmail you? Or is it the beginning of something worse?

In this blog, we’ll explore what actually happens when you click a malicious link, and why security experts always stress the dangers of phishing emails and messages that may bypass spam filters or anti-malware software on your devices. To better understand what’s at stake, let’s take a closer look at a few ways that phishing attacks in a work environment can cause major financial losses and damage to your organization’s reputation. 

Malicious Attachments: From Bad Download to Data Loss

First off, let’s start by clarifying that while clicking a phishing link or downloading an attachment might not give attackers immediate access to your organization’s entire network, it’s still the beginning of something dangerous. Although clicking that link or downloading that file can cause problems in and of itself, it’s more than likely just the first stage in a larger attack. Movies and television shows often depict a network or system being hacked with a single action, but that’s rarely the case.

Since many types of cyber attacks start with a phishing email, aka a phish, it would take a much longer blog to cover them all, but let’s walk through one potential scenario. Imagine that multiple people in your organization get an email from someone claiming to be a fellow colleague. The person who sent the email (who’s actually a scammer pretending to be your office mate) asks you to review an attachment and get back to them as soon as you can, as it’s very urgent (note, a sense of urgency is often a tell-tale sign of a phish).  

This is the attacker’s first step in attempting to get initial access to your network. Let’s say one of the recipients opens the attachment to take a look because they want to help out a fellow coworker (who can blame them?). Unfortunately, once they’ve opened the attachment, it quickly runs a macro script on their device. A macro is commonly found in Microsoft Excel or Word, and it can be a helpful tool to automate a set of commands. In this instance, however, it’s a malicious macro that opens up sensitive data to cyber attackers.

Let’s pause there: what does this stage look like? If you were the employee who clicked the attachment, would you see code suddenly flash on your screen? Would it be clear that something has happened? Not necessarily. If a sophisticated attacker were behind the attack, you’d never know something was wrong. In fact, it’s likely that the document they sent you could appear to be legitimate, and you wouldn’t think anything of it. 

If the attacker isn’t that sophisticated, you might briefly see a PowerShell or Command Prompt window appear and close before you can make out what happened. (Note, if you do ever DO see code or unexpected windows suddenly appear and disappear after opening an attachment, contact your IT department immediately for help.) For this scenario, however, let’s assume that nothing odd popped up onscreen when the employee opened it, so they didn’t suspect anything was wrong. 

In this fictitious but all too frequent example, the attacker’s macro is sophisticated enough that it runs code in the background to download a RAT, or Remote Access Trojan. A RAT is software that forms a backdoor connection between whatever device it’s installed on and wherever the attacker wants it to connect, which is typically a computer or a server they control. 

This stage allows the attacker to establish and maintain a foothold, also referred to as persistence. Once the attacker has established a foothold, they can carry out their attack over days, weeks or months, until it’s discovered and ultimately removed. In some instances, organizations never realize they’ve been compromised until they’re alerted by a “downstream” victim or outside agency. 

Exploiting Weaknesses to Gather Credentials

What’s next for the attacker? Getting control of a user account, and using that to get access to your company network. If an attacker gains access to your computer through a macro that downloads a RAT, they won’t have access to your login credentials and won’t be able to get to any sensitive information without triggering your security controls (like antivirus software or endpoint detection and response) — or at least not immediately. 

Despite not having access to your login credentials yet, the attacker is still able to use the RAT to execute code on your computer that will allow them to snoop through your hard drive. In this scenario, the attacker is going to look at the software on your computer and see if there are any vulnerabilities or weaknesses they can exploit. 

Let’s say they find a vulnerability that allows them to gather your login credentials, or perhaps you keep that information on a virtual sticky note that’s easy to find on your desktop. After they have your account credentials, privilege escalation is going to be their main focus.

Escalating Privileges: Vertical and Horizontal Movement 

So, what is privilege escalation and how will they use it? Privilege escalation has two parts, vertical and horizontal. Both aren’t always necessary, though, depending on the attack. Horizontal movement is when the attacker tries to gain control of other accounts with similar access (think regular user to regular user). With each new account they access, they’re able to learn more about the network they’ve hacked into and where to go to find what they want. 

Vertical privilege escalation is taking over an account that has a higher amount of privileges, such as going from a regular user account to an admin or system account, or raising the privileges of an account they already control to be able to do things they couldn’t do otherwise with it. 

In this scenario, the attacker doesn’t know enough about your organization’s environment to know where to find the data they want, so they’ll focus on getting control of more people’s accounts. They may attack any low level accounts (i.e., those with fewer permissions) directly with brute force password attacks, or they may try to find vulnerable connections on the company network that they can use to snoop for another person’s credentials. Either method (and several others) enables them to gain control over another account. The attacker can then search through everything each account has access to until they find information that has potential value. 

After they find what they’re looking for, if they don’t already have access to it, they’ll use vertical privilege escalation to get access to the data. Again, the methods for vertical privilege escalation vary, but can range from looking for software vulnerabilities to “snooping traffic.” 

Snooping traffic describes the process of using software that specifically enables someone to look at a connection between two computers or a computer and a server to see what data is being transferred. For example, if an attacker is snooping the traffic while someone logs onto a website, they might be able to see the user’s logon credentials as a hash (an unintelligible series of numbers and letters) or, worst case, in cleartext (an easily readable, unencrypted format).

Data Exfiltration: Stealthy Information Stealing  

The final stage for this phishing email attack is now at hand. Assuming they’ve made it this far without being noticed or stopped, they are now able to freely access your organization’s confidential data. 

The next step is Data Exfiltration. The most common method of stealing data is to download or extract as much information as possible from wherever it’s stored, then encrypt it and compress it to avoid detection from your organization’s security controls. Once it’s properly packaged and disguised, the hacker can use their RAT to send the data to a machine outside of your organization. 

Data exfiltration is the primary goal of most attacks. However, if the attacker successfully gets  the data they want, there’s nothing stopping them from continuing the attack. In this scenario, the attacker may have only been focused on PII, or personal information, of customers, or in the case of law enforcement, for example, names of informants. But now that they’ve gotten that data, they can continue to look for other information that could be of interest or value, such as employee records with Social Security numbers, account numbers, confidential product information, evidence tied to criminal cases or company trade secrets such as secret formulas. 

Regardless of whether the attacker leaves and comes back, or remains for a period of time, the initial data breach and exfiltration can quickly turn into a crisis. It can cost millions of dollars in remediation and response efforts, and ruin a company’s finances or damage an agency’s standing in the community. If personal details of law enforcement officers or informants are stolen, it can put them or their families at risk of physical harm.

An Ounce of Prevention

Let’s quickly recap what happened in the scenario we just described. This attack began with a phishing email that appeared to contain a legitimate document, but was, in fact, a malicious attachment. When an employee opened it, the attachment executed a malicious macro to download a RAT without the user’s knowledge. Then, using this RAT, the attacker established a foothold in the organization’s network and was able to exploit vulnerabilities to gain access to user accounts. From there, the attacker was able to find data to steal. They then camouflaged that data, so to speak, and used the RAT to send it outside of the network to a computer or location they controlled. 

This scenario is relatively simple, but it can be disastrous, and cyber criminals are continually launching similar attacks. The good news is that nearly all of them can be prevented (except for zero day attacks, which are trickier, but we’ll leave those for another blog). 

There was a crucial step where employee intervention — reporting the initial phishing email — could have played a major role in prevention. If the employee who received that email with what looked like a legitimate document had taken a moment to question who the sender was or had inspected their email address, they would’ve noticed something was wrong. Training employees to never open an attachment or click a link from someone if they aren’t expecting it, or if it looks at all suspicious, could have prevented the attack. 

Additionally, this scenario didn’t take into consideration the critical role of security controls and 24/7 monitoring. The importance of keeping software patches up to date can’t be understated either. For example, Microsoft has a patch that came out years ago that changes Excel and Word default settings to disable macros unless someone specifically enables them. That being said, the attackers behind this phishing attack could have gotten lucky or have targeted people in the organization who would have macros set to run in applications as part of their job function. 

The anti-virus software and logging and monitoring techniques your organization uses should also have noticed something was wrong with these accounts. Your organization’s IT and security team should have technology and processes in place to make sure that all network connections are locked down and only send data securely, making it much harder for attackers to snoop through the network.


We hope this blog sheds light on what happens behind the scenes when someone clicks a bad link, and that it gives you a better understanding of how an attacker can penetrate your network and move around within it once they get access. 

Cyber attackers’ tools and techniques are constantly evolving along with technology, so it’s a constant fight to defend against them. As National Cybersecurity Awareness Month reminds us, everyone has a role to play in staying safe online. You can do your part through regular security awareness training, learning how to avoid falling victim to a phishing email and reporting any potential phish you see to your organization’s IT department or security team.

Contact us or visit our online Cybersecurity Resource Center to learn more about our services to protect your organization. 

Contact us to find out more about our solutions and services.

Contact Us

Leave a Comment