Tips and Tricks

  • Send password protected documents.
  • Send links instead of attachments, S3 buckets and Azure blobs are a good choice.
  • Avoid built-in document viewers.
  • Unleash your inner sociopath, provide compliments and play with their emotions.
  • Assume worst case scenario.
  • Start a conversation with the victim before ending your malicious document.
  • Leverage current events for a good pretext.
  • clone internal email signatures and spoof phone numbers, following the standard email template for a company can really lure people in.
  • Make your document phone back home whenever opened to have a better sense of idea of what went wrong if you encounter some failure.