24 Dec 2025
Phishing Phishmas Greetings
Always determine the intention. Is it malicious or marketing?
Attackers may act as a person, department, or service to gain credibility. Examine the From: of the message for misspellings, wrong TLDs, improper corporate formatting, etc.
Impersonation, sense of urgency, side channel, malicious intent.
Typosquatting is when an attacker registers a domain that looks similar to a real domain. Punycode abuse exploits the encoding system that converts Unicode characters from alphabets like Chinese, Cyrillic, and Arabic into ASCII. The attack vector is substituting Latin characters with similar-looking ones from other alphabets.
The From: field may look correct while the headers tell another story: SPF, DKIM, and DMARC failures, as well as an incorrect Return-Path.
Attached files such as HTML posing as something else. HTA and HTML files are common because they run without browser sandboxing, giving them full access to the endpoint.
The most common push now is not malware, but getting users to leave the safety of the corporate environment. Often this is done by using legitimate tools or websites to make the lure look trustworthy. That gets them to a place where they will hand over credentials or download the malicious file themselves.
Things like Dropbox, Google Drive/Docs, and OneDrive/SharePoint.
It doesn't take much to create a fake Microsoft login page and gather credentials.
A side channel is when an attacker moves the conversation off email to another channel like SMS, WhatsApp/Telegram, phone/video call, etc. to continue the social engineering attack on a platform that is outside corporate control.
Triage the emails between spam and phishing, identifying three clear signals.
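An added example (not from the original notes or the room) that pulls the header-side signals above out of one raw message: Return-Path vs From: mismatch, SPF/DKIM/DMARC verdicts from Authentication-Results, a punycode lookalike domain, and an urgency cue in the subject. The sample message and the lookalike domain are constructed for the example; the Authentication-Results layout assumed here is the common `method=verdict` form.

```python
import email
import unicodedata
from email.utils import parseaddr

# Constructed lookalike sender domain: Latin "micr?soft" with a Cyrillic "о" (U+043E) for the "o".
LOOKALIKE_DOMAIN = "micr\u043esoft.com".encode("idna").decode("ascii")

# Constructed sample message: the From: display name looks right, the headers do not.
SAMPLE = f"""Return-Path: <bounce@mail-delivery.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-delivery.example.net; dkim=none; dmarc=fail header.from={LOOKALIKE_DOMAIN}
From: "Microsoft Account Team" <security@{LOOKALIKE_DOMAIN}>
To: victim@example.com
Subject: Urgent: verify your account within 24 hours

Your account will be suspended unless you sign in now.
"""
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")

def homograph_signal(domain):
    """Decode punycode and flag any label that mixes Latin with another alphabet."""
    decoded = domain.encode("ascii").decode("idna")
    for label in decoded.split("."):
        scripts = {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}
        if len(scripts) > 1 and "LATIN" in scripts:
            return f"mixed-script domain {domain} decodes to {decoded!r} ({'/'.join(sorted(scripts))})"
    return None

def auth_results(msg):
    """Return {method: verdict} parsed from the Authentication-Results header."""
    verdicts = {}
    for part in msg.get("Authentication-Results", "").split(";")[1:]:
        method, _, rest = part.strip().partition("=")
        verdicts[method] = rest.split()[0] if rest else ""
    return verdicts

def triage(raw):
    """Return the list of phishing signals found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    # Any SPF/DKIM/DMARC result other than "pass" is a signal.
    signals = [f"{m}={v}" for m, v in auth_results(msg).items() if v != "pass"]
    if rp_domain and rp_domain != from_domain:  # envelope sender vs header sender
        signals.append(f"return-path domain {rp_domain} != From domain {from_domain}")
    if (hg := homograph_signal(from_domain)):
        signals.append(hg)
    if any(w in msg.get("Subject", "").lower() for w in URGENCY_WORDS):  # pressure to act fast
        signals.append(f"urgency cue in subject: {msg.get('Subject')!r}")
    return signals
```

Running `triage(SAMPLE)` on the constructed message yields six signals; a legitimate message from a matching domain with all three verdicts at `pass` yields none.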
Phishing Analysis Tools room.