<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1703665079923990&amp;ev=PageView&amp;noscript=1">

Phishing and Command & Control: How cyber attackers use emails to gain control

Phishing and Command & Control: How cyber attackers use emails to gain control

Posted by TEAM ASCEND on 10/3/19 8:00 AM

<< Back to Blog

One of the easiest ways for cyber criminals to begin an attack is through a malicious email. Here’s a look at how they do it.

Phishing emails are one of the easiest attack vectors for both amateur and experienced cyber criminals. Not only is a phishing attack relatively simple for an attacker to execute, it’s also guaranteed to produce success. In recent years, 91% of breaches began via a malicious email, so it’s no question why criminals are actively using phishing scams and emails in their arsenal of hacking tools. In fact, last year saw a 40.9% increase in phishing emails.

Learn more about how to identify phishing emails.


How does Phishing work?

Phishing takes advantage of one of the biggest vulnerabilities in every organization: human error. It’s a social-engineering tactic that relies on the human tendency to believe what we see or what we read and takes advantage of users who let their guard down.

The end goal of a phishing attack can vary. Here are some of the most common types of phishing attacks:

  • Credential Harvesting

This type of phishing attack has grown in popularity in recent years as attackers move toward more advanced phishing email and site designs

By spoofing or replicating a legitimate brand email and login page, cybercriminals can trick users to attempt to “log in” to an account, allowing criminals to collect real account credentials with ease. Some of the most common brand names that are falsified for credential harvesting include Microsoft Office 365, Facebook, and Netflix. Banking and financial scams are also widespread and commonly used to impersonate a variety of top banks and credit companies like Bank of America, Discover, and Paypal.

Credential harvesting phishing attacks made up 65% of documented phishing emails in 2018.


  • Transfer of Funds

Some cyber criminals prefer to skip the data collection and go for the gold: obtaining payment directly from their victims. Some Business Email Compromise (BEC) and Spear Phishing tactics include impersonating a friend, coworker, acquaintance, or executive and requesting a direct transfer of funds. You’ve probably heard of the infamous gift card scams, but some attackers will even go as far as requesting wire transfer of funds.


  • Malware Delivery

With the increasing success rate of malware-less phishing attacks, the percentage of phishing emails that include malware or a malicious link have decreased significantly. Still, the chance of being hit by a malware-based phishing attack has not been eliminated.

The traditional “click this link” or “open this file” style of phishing email is still in use and can still hit your inbox when you least expect it.


  • Entry Point for Larger-Scale Attack

Using one, or a combination, of the previous attack methods, cyber criminals can use phishing as an entry-point to launch a more advanced attack.

For example, an attacker can deliver malware in a phishing email that will run code on the user’s system that gives the attacker access directly to the computer. From there, the hacking possibilities are endless. One common example of this is a Command & Control (C2) attack.


How does Command & Control work?

A Command & Control (C2) attack uses malicious code to gain remote access—or control—over a computer. This utilizes a C2 server controlled by the attacker to send commands and receive stolen data from compromised machines.

Phishing Attack Game Plan

Once an attacker has identified a target, they  can use the Command & Control method to gain access and begin their attack. As described above, a phishing email is one easy way for cyber criminals to make the initial connection between the C2 server and the victim’s machine.

Often times, attackers will combine the C2 method with other hacking resources like LOLBins to bypass security defenses and ensure the success of their attack.


Once the C2 server and victim’s machine are connected, the attacker can expand their access within the network, escalate privileges, move laterally, exfiltrate data, and otherwise cause damage to an individual or organization.


The attack in action

In the short video below, Security Engineer Derrick walks through a demonstration of how a phishing email can easily lead to a C2 attack.


Cybersecurity Game Plan


When a malicious C2 connection has been established in your network, fight back with strong detection and response.

With an Endpoint Detection & Response (EDR) solution managed by security experts, suspicious activity alerts can be triggered and investigated as the attack takes place. Even if an attacker disguises their malicious code behind legitimate processes in the operating system, their movement on the machine can be tracked, analyzed, and identified with an intelligent EDR solution that uses behavioral analysis and threat hunting.

In addition, traditional SIEM (security information and event management) solutions can be configured, managed, and monitored by security professionals to track an attacker’s activities beyond the endpoint. In a C2 attack situation, alerts could notify of the attacker’s presence via the initial malware download from the user’s email, the server connection across the firewall, the use of powershell to execute malicious code, and any activities taken by the attacker after the fact.

Having strategic detection solutions in your network allows you to shut down an attack in progress quickly, revoke attacker access, and move into remediation before major damage is done.



What if you could prevent the attack from happening in the first place?

Starting at one of the outermost security layers, prevention of successful phishing attacks begins with strong email security. Blocking the majority of file- and link-based phishing emails is easy with email security added to your organization’s email platform. Many email platforms come with some degree of built-in security features, but nearly 1/3 of malicious emails bypass most platforms’ default security measures.

Read more about our Email Security solution that keeps spam and scams out of your inboxes using a combination of sandboxing and intelligent filtering: Managed Email Security Service.

If your email security doesn’t block something, the attack should stop next at the user-level. The easiest way to ensure this layer of security is working as it should is to train users to identify, report, and avoid potentially malicious emails. Every person in an organization—from the secretaries to the CEO—is responsible for their own security, and therefore, for the organization’s security as a whole. Every user should be able to identify the signs of a phishing email and know when not to click.

Finally, if a phishing email makes it past the previous layers of defense, and a malicious link or file tries to execute on a machine, it can be stopped with an advanced anti-virus like our Malware Prevention. A solution that is not only effective against advanced malware, but can also identify and block malicious activities using script control and memory protection is key to stopping an attack before it’s too late.  

Tune in to our Cyberattack Series to learn about more of the top attacks and techniques used by your cyber adversaries.

New call-to-action


<< Back to Blog

Posted in Phishing and Security Awareness, Endpoint Security, Detection & Response, SOC-as-a-Service, Cyberattack Series