Phishing Types, Tactics & Techniques

Beyond "Don't Click the Link"

Every security awareness training says the same thing: "Don't click suspicious links. Don't open unexpected attachments." And every year, phishing remains the number one initial access vector. The reason is simple — phishing works not because users are careless, but because attackers are skilled at exploiting human psychology under time pressure.

As a SOC analyst, your job is not to blame the user who clicked. Your job is to classify the phishing attack, contain the damage, and extract indicators that protect the rest of the organization. To do that, you need a taxonomy — a structured way to categorize what you are looking at.

Click to enlarge

Credential Harvesting: The Fake Login Page

Credential harvesting is the most common phishing objective. The attacker's goal is to trick the user into entering their username and password on a fake login page that mimics a legitimate service.

How It Works

1. Attacker creates a clone of a login page (Microsoft 365, Google Workspace, banking portal)
2. Hosts the clone on attacker-controlled infrastructure
3. Sends an email with a pretext that motivates the user to click (expired password, shared document, account suspension)
4. User enters credentials on the fake page
5. Credentials are captured and sent to the attacker
6. User is redirected to the real login page (so they think the first attempt "failed" and log in normally)

What Makes It Effective

The redirect in step 6 is critical. The user experiences one "failed" login attempt — which happens to everyone — and then successfully logs in on the second attempt (the real site). They have no reason to suspect anything happened. Meanwhile, the attacker has valid credentials.

SOC Indicators

Malware Delivery: Weaponized Attachments

The second major phishing category aims to execute malicious code on the victim's machine. The payload can be delivered through attachments or through links that trigger downloads.

Common Delivery Mechanisms

HTML Smuggling Deep Dive

HTML smuggling deserves special attention because it bypasses most email gateways. The attachment is a plain HTML file — which email filters rarely block. When opened in a browser, embedded JavaScript assembles a malicious payload from Base64-encoded data and triggers a download. The payload never crosses the email gateway as a binary — it is constructed locally on the victim's machine.

<!-- Simplified HTML smuggling concept -->
<script>
var payload = atob("TVqQAAMAAAAEAAAA//8AALgAAAA...");
var blob = new Blob([payload], {type: "application/octet-stream"});
var link = document.createElement("a");
link.href = URL.createObjectURL(blob);
link.download = "Invoice_Feb2026.exe";
link.click();
</script>

BEC: Business Email Compromise

BEC attacks do not use malware or fake login pages. Instead, they rely purely on social engineering to trick employees into performing an action — usually transferring money or sharing sensitive data.

BEC Subtypes

Why BEC Is Uniquely Dangerous

BEC accounts for the highest dollar losses of any cybercrime category. The FBI IC3 reported $2.9 billion in BEC losses in 2023 — more than ransomware, more than data breaches. The reason:

1. No technical indicators: No malware, no malicious URLs, no attachments. The email is pure text.
2. Passes authentication: If the attacker compromises a real mailbox, SPF/DKIM/DMARC all pass.
3. Exploits business processes: The request (wire transfer, invoice payment) is a normal business activity.
4. Urgency and authority: "I need this done before the board meeting at 3pm. Keep this confidential."

Spear Phishing vs Spray Phishing

Not all phishing is created equal. The effort level and targeting determine how the attack should be classified and how urgently you should respond.

Spray Phishing (Commodity)

Spear Phishing (Targeted)

Smishing and Vishing: Beyond Email

Phishing is not limited to email. Two extensions are increasingly common in SOC reporting:

Smishing (SMS Phishing): Malicious text messages with shortened URLs. Common pretexts include package delivery notifications, bank account alerts, and MFA verification codes. Smishing exploits the trust users place in SMS (higher open rate than email) and the difficulty of inspecting URLs on mobile devices.

Vishing (Voice Phishing): Phone calls impersonating IT support, bank representatives, or government agencies. Attackers use caller ID spoofing to display legitimate numbers. Vishing is often combined with email phishing — an email creates urgency, then the attacker calls to "help" the victim resolve the issue.

URL Analysis Techniques

URL analysis is the most immediately actionable phishing analysis skill. Every credential harvester and many malware delivery emails include a URL. Here is your systematic approach.

Click to enlarge

Typosquatting

The attacker registers a domain visually similar to a legitimate one by introducing subtle character changes:

Homoglyph Attacks

Homoglyphs are characters from different alphabets that look identical to Latin characters:

аpple.com (first character is Cyrillic а) looks identical to apple.com in most fonts but resolves to a completely different domain. Browsers have implemented IDN (Internationalized Domain Name) protections, but they are not universal.

Punycode Encoding

Internationalized domain names are encoded in ASCII using punycode (prefix xn--). An attacker can register a domain that displays as a familiar name but has a different punycode representation:

Display:  аpple.com (Cyrillic а)
Punycode: xn--pple-43d.com

URL Shorteners

Services like bit.ly, tinyurl.com, and t.co obscure the true destination URL. Attackers use them to hide obviously malicious domains. Analysts can expand shortened URLs safely using:

curl -sI "https://bit.ly/abc123" | grep -i location

Or use online expansion tools like checkshorturl.com or unshorten.it (in a sandboxed browser).

URL Path and Parameter Tricks

Even when the domain looks legitimate, inspect the full URL:

https://login.legitimate-service.com.evil.com/auth
https://evil.com/https://www.microsoft.com/login
https://evil.com/page?redirect=https://real-site.com

The first example uses a subdomain trick — login.legitimate-service.com looks trustworthy, but the actual domain is evil.com. The second embeds a legitimate URL in the path for visual deception. The third uses a redirect parameter to show a legitimate URL in the page after credential capture.

Social Engineering Tactics

Every phishing email — whether spray or spear, credential harvest or BEC — relies on social engineering principles to override the recipient's rational judgment. Recognizing these tactics is essential for classification.

The Six Influence Principles in Phishing

Language Red Flags

Watch for these patterns in reported phishing emails:

• Threatening consequences: "Failure to verify will result in permanent account closure"
• Artificial time pressure: "You have 24 hours to respond"
• Confidentiality requests: "Do not discuss this with anyone"
• Unusual requests: First-time requests for wire transfers, gift cards, or credential verification
• Mismatched tone: Overly formal language from someone who normally communicates casually, or vice versa
• Grammar and formatting inconsistencies: Not always present in sophisticated attacks, but common in commodity phishing

Real-World Phishing Campaign Case Studies

Case 1: The Microsoft 365 Credential Harvester

Campaign characteristics:

• Subject: "Action Required: Password Expires in 24 Hours"
• Sender: no-reply@microsoft-365-security.com (look-alike domain, registered 2 days prior)
• URL: hxxps://login.microsoftonline.com.password-update[.]xyz/auth
• Tactic: Urgency (24-hour deadline) + Authority (Microsoft branding)
• Outcome: 12 employees entered credentials; attacker used them within 4 hours for mailbox access and internal BEC

SOC indicators: Recently registered domain (WHOIS), URL subdomain trick (.com.password-update.xyz), SPF/DKIM/DMARC all pass (attacker controls the sending domain), authentication-results for the look-alike domain — not microsoft.com.

Case 2: HTML Smuggling Malware Delivery

Campaign characteristics:

• Subject: "Signed Contract — DocuSign"
• Attachment: Contract_Feb2026.html (23 KB)
• The HTML file, when opened, assembled a .iso file from embedded Base64 and triggered download
• Inside the .iso: a .lnk file that executed PowerShell to download Cobalt Strike beacon
• Tactic: Authority (DocuSign branding) + Reciprocity ("signed contract you requested")

SOC indicators: HTML attachment (unusual for DocuSign — real DocuSign sends links), no malicious URLs in the email body (payload is in the attachment), sandbox analysis required to identify behavior.

Case 3: BEC Invoice Redirect

Campaign characteristics:

• Attacker compromised a vendor's real email account
• Sent email to Accounts Payable: "We've changed our banking details. Please update for next month's payment."
• Attached a PDF invoice with new (attacker-controlled) bank account details
• SPF/DKIM/DMARC all passed (sent from the real compromised account)
• No malware, no malicious URLs, no technical indicators

SOC indicators: None in email analysis alone. Detection required out-of-band verification (calling the vendor on a known phone number). Process controls (requiring verbal confirmation for banking changes) are the primary defense.

Building Your Phishing Classification Framework

When a phishing email is reported to the SOC, classify it systematically:

1. Objective: What is the attacker trying to achieve? (Credentials, malware execution, money transfer, data)
2. Targeting: Is this spray (generic) or spear (personalized to the recipient)?
3. Delivery mechanism: URL, attachment, pure social engineering, or hybrid?
4. Social engineering tactic: Which influence principles are being exploited?
5. Technical sophistication: Commodity kit (low) vs custom infrastructure (high)?
6. Authentication status: Did SPF/DKIM/DMARC pass or fail? (From Lesson PH-2)
7. Scope: Is this a single report or are multiple employees receiving the same campaign?

This classification drives your response: commodity spray phishing gets IOC extraction and filter updates; targeted spear phishing gets full investigation and potential threat hunt.

Key Takeaways

• Phishing breaks into four major categories: credential harvesting, malware delivery, BEC, and spear phishing — each requiring different analysis and response approaches
• Credential harvester kits now bypass MFA using reverse-proxy techniques (EvilGinx2) — stolen session tokens, not just passwords
• BEC produces the highest financial losses of any cybercrime category and has zero technical indicators — detection depends on behavioral analysis and process controls
• Spear phishing requires immediate escalation because targeting indicates reconnaissance against your organization
• URL analysis covers five manipulation techniques: typosquatting, homoglyphs, punycode, URL shorteners, and path/parameter tricks
• Social engineering exploits urgency, authority, scarcity, fear, social proof, and reciprocity — urgency + authority is the most dangerous combination
• Always classify phishing by objective, targeting level, delivery mechanism, social engineering tactic, and technical sophistication

What's Next

You now have a complete phishing taxonomy and the URL analysis skills to dissect suspicious links. In Lab 4.3, you will apply everything from this module — header analysis (Lesson PH-1), authentication verification (Lesson PH-2), and phishing classification (this lesson) — to triage a set of real-world phishing samples. You will classify each email by type, extract IOCs, determine the attacker's objective, and recommend response actions. This is exactly what you will do in a production SOC when the phishing report queue fills up on a Monday morning.