Tips and Tricks

  • Send password protected documents.

  • Send links instead of attachments, S3 buckets and Azure blobs are a good choice.

  • Avoid built-in document viewers.

  • Unleash your inner sociopath, provide compliments and play with their emotions.

  • Assume worst case scenario.

  • Start a conversation with the victim before ending your malicious document.

  • Leverage current events for a good pretext.

  • clone internal email signatures and spoof phone numbers, following the standard email template for a company can really lure people in.

  • Make your document phone back home whenever opened to have a better sense of idea of what went wrong if you encounter some failure.

PreviousInitial AccessNextTools

Last updated