Phishing remains the single most common entry point for data breaches worldwide. According to the Verizon Data Breach Investigations Report, more than 70 percent of breaches involving a human element trace back to social engineering, and phishing sits at the centre of that category. Understanding exactly how phishing works, what it looks like at a technical level, and how to build layered defences against it is no longer optional for security practitioners or security-aware individuals. This post breaks all of that down with technical depth.
Phishing is a social engineering attack in which a threat actor impersonates a trusted entity to deceive a target into disclosing credentials, downloading malware, transferring funds, or taking any other action that serves the attacker's goals. The word is a deliberate misspelling of "fishing," reflecting the idea of casting a lure and waiting for victims to bite.
The defining characteristic of phishing is deception through impersonation. The attacker does not need to exploit a software vulnerability. They exploit human psychology: trust, urgency, fear, authority, and curiosity. That psychological angle is precisely what makes phishing so effective and so persistent.
Every phishing attempt, regardless of its sophistication, follows a recognisable structure:
Understanding the variants helps defenders prioritise controls and helps practitioners at Redfox Cybersecurity Academy build realistic simulation scenarios.
Spear phishing is a targeted attack aimed at a specific individual or organisation. The attacker invests time in research to personalise the lure. A spear phishing email might reference the recipient's manager by name, mention a real project, or use the company's actual email signature format. Detection requires scrutiny beyond surface-level inspection because the email may appear entirely legitimate at first glance.
Whaling is spear phishing directed at senior executives. The pretext typically involves legal action, regulatory filings, wire transfers, or board-level communications. Because executives often have elevated access and the authority to approve financial transactions, a successful whaling attack can cause immediate and severe financial damage.
Smishing delivers phishing lures over SMS. Vishing uses voice calls. Both exploit the lower security awareness that exists outside of email. SMS messages lack the technical indicators defenders have trained users to spot in email, and voice calls add a real-time social pressure component that is difficult to resist.
BEC is arguably the most financially destructive phishing variant. The attacker either compromises a legitimate business email account or spoofs it convincingly to redirect payments, modify payroll details, or request urgent wire transfers. The FBI's Internet Crime Complaint Center reports BEC losses consistently in the billions of dollars annually.
AiTM phishing is a modern, technically advanced variant that bypasses multi-factor authentication. The attacker operates a reverse proxy between the victim and the legitimate site. The victim authenticates normally, the attacker captures the session cookie in real time, and MFA is completely circumvented. Tools used in red team assessments of AiTM resistance include Evilginx and Modlishka.
Recognising phishing requires both human awareness and technical analysis skills. Here is what to examine.
Email headers reveal the true origin of a message. When analysing a suspicious email, export the raw headers and examine the following fields.
Return-Path: <noreply@micros0ft-support.com>
Received: from mail.micros0ft-support.com (203.0.113.42)
Authentication-Results: spf=fail; dkim=none; dmarc=fail
X-Originating-IP: 203.0.113.42
The Authentication-Results field is critical. An spf=fail result means the sending server is not authorised to send on behalf of the claimed domain. A dmarc=fail result means the message has failed the domain owner's own published policy. Legitimate communications from major services will almost never fail DMARC.
To analyse headers efficiently, use the mha (Message Header Analyser) tool or Google Admin Toolbox, or parse them manually with Python:
import email
import sys

def parse_headers(raw_email_path):
    # Read as bytes so that non-UTF-8 content in a raw .eml does not abort parsing
    with open(raw_email_path, 'rb') as f:
        msg = email.message_from_binary_file(f)
    fields_of_interest = [
        'From', 'Reply-To', 'Return-Path',
        'Received', 'Authentication-Results',
        'X-Originating-IP', 'DKIM-Signature'
    ]
    for field in fields_of_interest:
        # get_all() returns every instance; Received appears once per hop
        values = msg.get_all(field)
        if values:
            for v in values:
                print(f"[{field}]\n{v}\n")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: parse_headers.py <raw_email.eml>")
    parse_headers(sys.argv[1])
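As an added example (not code from the original post), here is a follow-on triage step that turns those header fields into findings: it parses Authentication-Results, compares the Return-Path and Reply-To domains with the From domain, and checks the From domain for digit-swapped look-alikes of a brand list. The sample message, the brand list and the swap table are constructed assumptions.

```python
import email
from email.utils import parseaddr
# Constructed sample reusing the headers shown earlier in this post; the
# look-alike domain and addresses are illustrative, not real indicators.
SAMPLE_EMAIL = """\
Return-Path: <noreply@micros0ft-support.com>
Authentication-Results: mx.example.net; spf=fail; dkim=none; dmarc=fail
From: "Microsoft Account Team" <noreply@micros0ft-support.com>
Reply-To: billing@mailbox-verify.example
"""
# Constructed: protected brands and digit-for-letter swaps (0->o, 1->l, 3->e, 5->s)
PROTECTED_BRANDS = {"microsoft.com"}
DIGIT_SWAPS = str.maketrans("0135", "oles")

def parse_auth_results(value):
    """'mx; spf=fail; dkim=none; dmarc=fail' -> {'spf': 'fail', ...}."""
    results = {}
    for part in value.split(";"):
        method, sep, result = part.strip().partition("=")
        if sep:  # keep the result token only, dropping e.g. smtp.mailfrom=...
            results[method.strip().lower()] = (result.split() or ["unknown"])[0].lower()
    return results

def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def lookalike_brand(domain):
    # Undo digit swaps; flag a brand name inside a domain that is not the brand's own
    normalised = domain.translate(DIGIT_SWAPS)
    for brand in PROTECTED_BRANDS:
        genuine = domain == brand or domain.endswith("." + brand)
        if brand.split(".")[0] in normalised and not genuine:
            return brand
    return None

def triage(raw_message):
    """Return a list of findings; an empty list means nothing stood out."""
    msg = email.message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    from_dom = domain_of(msg.get("From", ""))
    findings = [f"{m}={auth.get(m, 'missing')}"
                for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    for header in ("Return-Path", "Reply-To"):  # sender identity mismatches
        dom = domain_of(msg.get(header, ""))
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} != From domain {from_dom}")
    brand = lookalike_brand(from_dom)
    if brand:
        findings.append(f"From domain {from_dom} resembles {brand}")
    return findings
```

Running triage(SAMPLE_EMAIL) on the constructed message yields five findings: the three failed authentication methods, the Reply-To mismatch, and the look-alike domain.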
Phishing links are crafted to look convincing. Common techniques include homograph attacks using Unicode characters, subdomain abuse, and long URLs designed to hide the actual domain in the path.
Run URLs through passive analysis before any interaction:
# Extract and decode URLs from a raw email body
grep -oP 'https?://[^\s"<>]+' suspicious_email.txt | while read -r url; do
    # Pass the URL as an argument instead of interpolating it into the Python
    # source, so a quote or metacharacter inside the URL cannot break out
    decoded=$(python3 -c "import sys, urllib.parse; print(urllib.parse.unquote(sys.argv[1]))" "$url")
    echo "Original : $url"
    echo "Decoded  : $decoded"
    echo "---"
done
Then use curl without following redirects to read the server's response headers without loading the page. Even a HEAD request contacts the suspect server, so run it from an isolated analysis host rather than a workstation:
# -I sends HEAD; without -L curl stops at the first response, so the Location header stays visible
curl -sSI "https://suspicious-link.example.com/login"
Pay close attention to the Location header in redirect chains. Multiple redirects through different domains, especially URL shorteners followed by look-alike domains, are a strong indicator of a phishing infrastructure chain.
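Added example (not from the original post) implementing the passive URL checks described above in Python: percent-decoding, punycode/homograph detection via IDNA, userinfo tricks that hide the real host, and brand names appearing outside their genuine registrable domain. The brand table and the last-two-labels approximation of the registrable domain are assumptions.

```python
import urllib.parse

# Constructed: brand names that should only appear under their genuine
# registrable domain. Last-two-labels is a rough stand-in for the public
# suffix list, which a production tool should use instead.
PROTECTED_BRANDS = {"microsoft": "microsoft.com", "paypal": "paypal.com"}

def registrable_domain(host):
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def inspect_url(url):
    """Passive checks only: nothing here contacts the host."""
    findings = []
    decoded = urllib.parse.unquote(url)
    if decoded != url:
        findings.append("percent-encoding present; inspect the decoded form")
    parts = urllib.parse.urlsplit(decoded)
    host = parts.hostname or ""
    if "@" in parts.netloc:  # https://bank.example@evil.example/ pattern
        findings.append("userinfo section hides the real host")
    # Homograph check: non-ASCII labels turn into xn-- labels under IDNA
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host
        findings.append("host is not valid IDNA")
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        findings.append(f"punycode host: {ascii_host}")
    reg = registrable_domain(ascii_host)
    # Brand name anywhere in the URL (subdomain, userinfo or path) while the
    # registrable domain is someone else's: a heuristic, so expect some noise
    for brand, genuine in PROTECTED_BRANDS.items():
        if brand in decoded.lower() and reg != genuine:
            findings.append(f"'{brand}' appears, but the registrable domain is {reg}")
    if len(decoded) > 100:
        findings.append("unusually long URL; check where the host label ends")
    return findings
```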
Malicious attachments in phishing emails commonly take the form of Office documents with embedded macros, PDFs exploiting reader vulnerabilities, or archives containing executables. Never open suspicious attachments on a production system. Use a sandboxed analysis environment.
For static analysis of Office documents, oletools is the industry-standard toolkit:
pip install oletools
# List VBA macros and auto-exec or suspicious keywords in a suspicious Word document
olevba suspicious_invoice.docm
# Flag macros that match known malicious patterns (auto-execution combined with write or execute)
mraptor suspicious_invoice.docm
For a deeper automated analysis, submit to a sandbox platform such as Any.run, Hatching Triage, or Joe Sandbox and examine the behavioural report. Look for process injection, network callbacks to C2 infrastructure, and credential access API calls in the report.
Technical indicators are not always present or accessible to end users. Training yourself and your team to spot psychological manipulation is equally important. Phishing lures consistently exploit:
When any of these triggers appear, slow down. Contact the apparent sender through a known, independent channel before taking any action.
Recognising phishing is necessary but not sufficient. The following technical controls provide layered defence. If you want to understand how to implement and test these controls at a professional level, the training programmes at Redfox Cybersecurity Academy cover email security architecture in hands-on lab environments.
These three DNS-based controls work together to authenticate email and prevent spoofing.
SPF specifies which servers are authorised to send email for your domain:
example.com. IN TXT "v=spf1 include:_spf.google.com include:sendgrid.net -all"
The -all qualifier is critical. A ~all (softfail) or ?all (neutral) qualifier provides no real protection. Use -all to instruct receiving servers to reject unauthorised senders.
DKIM adds a cryptographic signature to outgoing messages. Configure it on your mail server or email gateway and publish the public key in DNS:
selector1._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3..."
DMARC ties SPF and DKIM together and specifies what to do with failing messages:
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-failures@example.com; adkim=s; aspf=s; pct=100"
A p=reject policy with pct=100 tells receiving servers to reject all messages that fail DMARC alignment. Start at p=none with aggregate reporting enabled, analyse the reports for 4 to 6 weeks, then move to p=quarantine and finally p=reject.
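To make the adkim=s, aspf=s and pct= settings concrete, here is an added example (not the post's code) that parses the DMARC record shown above and evaluates a message the way a receiving server does: identifier alignment under strict or relaxed mode, then the disposition from p= and pct=. The organisational-domain helper is a last-two-labels approximation, an assumption standing in for a public suffix list lookup.

```python
import random

# The record shown above, copied here as constructed input for the evaluator.
RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; "
          "ruf=mailto:dmarc-failures@example.com; adkim=s; aspf=s; pct=100")

def parse_dmarc(record):
    """Split 'tag=value; ...' into a dict, applying RFC 7489 defaults."""
    tags = {}
    for item in record.split(";"):
        tag, sep, value = item.strip().partition("=")
        if sep:
            tags[tag.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    for tag, default in (("p", "none"), ("adkim", "r"), ("aspf", "r"), ("pct", "100")):
        tags.setdefault(tag, default)
    return tags

def org_domain(domain):
    # Last two labels as a stand-in for the public suffix list (assumption)
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict (s): exact match. Relaxed (r): same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf_domain=None, dkim_domain=None, sample=None):
    """spf_domain / dkim_domain are the domains that passed SPF / DKIM (the
    MAIL FROM domain and the DKIM d= tag); None means that check did not pass.
    Returns (dmarc_pass, disposition)."""
    tags = parse_dmarc(record)
    if aligned(from_domain, spf_domain, tags["aspf"]) or \
       aligned(from_domain, dkim_domain, tags["adkim"]):
        return True, "none"
    disposition = tags["p"]
    pct = int(tags["pct"])
    roll = random.random() * 100 if sample is None else sample
    if roll >= pct:  # outside the pct sample: apply the next-weaker action
        disposition = {"reject": "quarantine", "quarantine": "none"}.get(disposition, "none")
    return False, disposition
```

With the record above, a message whose SPF passed for mail.example.com but whose From is example.com fails under aspf=s and is rejected; the same message passes once aspf is relaxed.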
Native spam filters in most mail platforms are insufficient against targeted phishing. Deploy a dedicated email security gateway with the following capabilities:
Commercial options include Proofpoint Threat Protection, Mimecast, and Abnormal Security. For open source stacks, rspamd provides a capable, extensible filtering framework:
# Check rspamd's score and symbols for a raw email
rspamc < suspicious_email.eml
Standard TOTP-based MFA (authenticator app codes) is not resistant to AiTM phishing because the attacker's reverse proxy can relay the OTP in real time. Phishing-resistant MFA options include:
Enforce conditional access policies that require phishing-resistant MFA for privileged accounts, remote access, and any access to sensitive data stores.
Phishing infrastructure relies on newly registered domains and known malicious nameservers. DNS-based filtering stops communication before it begins.
Using a protective DNS resolver at the organisation level:
# Test whether a suspicious domain is blocked by your DNS resolver
# (Quad9 answers NXDOMAIN for domains on its blocklist; a normal A record means it is not blocked)
dig @9.9.9.9 phishing-infrastructure-test.example.com A
# Query threat intelligence for domain reputation
curl -s "https://urlhaus-api.abuse.ch/v1/host/" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "host=suspicious-domain.com" | python3 -m json.tool
Services such as Cloudflare Gateway, Cisco Umbrella, and CISA's Protective DNS programme for eligible organisations can block phishing domains at the DNS resolution layer.
Technical controls must be validated and users must be tested. Regular phishing simulations measure real-world susceptibility, identify high-risk individuals, and create opportunities for targeted remediation training.
Use the GoPhish framework to run controlled simulations:
# Clone and build GoPhish
git clone https://github.com/gophish/gophish.git
cd gophish
go build .
# Start GoPhish (admin panel on 3333, listener on 80 by default)
./gophish
Design simulation campaigns that mirror real-world lures. Include credential harvesting pages, attachment-based lures, and BEC-style pretexts. Track click rates, credential submission rates, and report rates. Any user who submits credentials in a simulation should be enrolled in mandatory, contextual security awareness training before the next campaign cycle.
If you receive a suspected phishing email, follow this process:
Security practitioners who want to build and lead incident response processes around phishing events will find the courses at Redfox Cybersecurity Academy directly applicable to enterprise defence workflows.
Phishing attacks succeed because they exploit human psychology and, increasingly, because modern variants like AiTM campaigns defeat controls that defenders previously considered sufficient. Stopping phishing requires a layered approach: authenticated email with a strict DMARC policy, advanced email security gateways, phishing-resistant MFA, DNS threat intelligence filtering, and a workforce trained through realistic simulation.
No single control stops every phishing attempt. The organisations that fare best are those that treat phishing defence as a continuous programme rather than a one-time deployment. They measure susceptibility, iterate on controls, and invest in technical education so that defenders understand what they are defending against at the protocol and payload level.
If you are building or improving your phishing defence capability, or if you are preparing for a career in offensive or defensive security where phishing simulation and email security architecture are core competencies, explore the curriculum at Redfox Cybersecurity Academy.