Advent of Cyber DAY 12
This blog serves as a beginner-friendly guide to understanding the world of cybersecurity. From defining what cybersecurity is to exploring its two major domains—offensive and defensive security—it breaks down various career paths such as Security Analyst, Engineer, Penetration Tester, and more. Whether you're just curious or planning a career, this blog gives you the insight and direction to get started in the cybersecurity field.
🛡️ Spotting Phishing Emails: A SOC-mas Survival Guide
Introduction
Since McSkidy’s disappearance, TBFC’s defences have weakened — and now the Email Protection Platform is down.
With filters offline, employees must manually review every suspicious email, as the SOC Team suspects Malhare’s Eggsploit Bunnies are sending phishing messages across TBFC to steal credentials and disrupt SOC-mas.
You’ve joined the Incident Response Task Force to help separate legit emails from phishing attempts. But beware — some attacks are cleverly disguised as routine TBFC operations, volunteer forms, or SOC-mas logistics.
Welcome to your mission.
🎯 Learning Objectives
Identify phishing emails
Recognise trending phishing techniques
Understand the difference between spam and phishing
🔍 Spotting Phishing Emails
What Is Phishing?
Phishing remains one of the most effective cyberattacks. Even as companies strengthen security, attackers evolve to mimic real people, services, or portals.
Common goals behind phishing:
Credential theft
Malware delivery
Data exfiltration
Financial fraud
Phishing targets the one vulnerability technology can’t fix: people.
Spam vs Phishing
Not every unwanted email is dangerous.
Spam = annoying but mostly harmless marketing noise.
Phishing = targeted, deceptive, malicious intent.
Spam focuses on:
Promotions
Scams
Clickbait
Data harvesting
Phishing focuses on deception and access.
🎄 The Phishmas Takeover
Every phishing email uses at least one of these techniques:
1. Impersonation
Attackers pretend to be trusted individuals, departments, or services.
Example:
“URGENT: McSkidy VPN access for incident response” — sent from a free Gmail address pretending to be McSkidy.
Red flag: the sender's address does not match the company domain.
2. Social Engineering
Attackers manipulate emotions such as urgency, fear, helpfulness, or curiosity.
Common signals:
“Urgent”, “immediately”, pressure tactics
Discouraging you from using normal communication channels
Requesting sensitive information (like VPN credentials)
3. Typosquatting and Punycode
Attackers register deceptive domains:
Typosquatting: misspellings that pass a quick glance (e.g., glthub.com instead of github.com)
Punycode (IDN homograph): replacing Latin letters with visually identical Unicode characters (e.g., using ƒ instead of f). The mail client displays the Unicode form, while the registered domain is its ASCII xn-- encoding.
Example:
“TBFC-IT shared Christmas Laptop Upgrade Agreement with you” — sent from a punycode domain.
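The impersonation and look-alike domain checks described in sections 1 and 3 can be automated. The following is an added example, not code from the TryHackMe room or from TBFC; the trusted-domain, free-webmail, protected-name and confusable-character lists are constructed for the example, and PUNYCODE_TBFC is built by encoding the text's ƒ-for-f look-alike of tbfc.com the way it would appear in a raw header:

```python
import unicodedata

# Constructed allow-lists for this example (assumption, not TBFC's real configuration).
TRUSTED_DOMAINS = {"tbfc.com", "github.com"}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
# Identities an attacker is likely to claim; a sender using one of these
# from an untrusted domain is treated as impersonation.
PROTECTED_NAMES = {"mcskidy", "tbfc-it", "tbfc it"}
# Small constructed subset of Unicode confusables mapped to the Latin letter
# they resemble: the hooked f from the text plus a few Cyrillic look-alikes.
CONFUSABLES = {
    "\u0192": "f", "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0455": "s", "\u0456": "i",
}


def decode_idna(domain):
    """Render a domain as the user sees it: xn-- labels become Unicode."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or malformed Punycode


def to_skeleton(domain):
    """Collapse confusable characters so look-alikes compare equal."""
    out = []
    for ch in domain:
        ch = CONFUSABLES.get(ch, ch)
        decomposed = unicodedata.normalize("NFKD", ch)
        out.append("".join(c for c in decomposed if not unicodedata.combining(c)))
    return "".join(out)


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, display_name=""):
    """Return (verdict, findings) for a From address and its display name."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted", []

    findings = []
    rendered = decode_idna(domain)
    skeleton = to_skeleton(rendered)
    if rendered != domain:
        findings.append(f"Punycode domain renders as {rendered}")
    if skeleton != rendered:
        findings.append("domain contains confusable characters")

    closest = min(TRUSTED_DOMAINS, key=lambda t: levenshtein(skeleton, t))
    distance = levenshtein(skeleton, closest)
    if distance == 0:
        findings.append(f"homoglyph of trusted domain {closest}")
        return "lookalike", findings
    if distance <= 2:
        findings.append(f"possible typosquat of {closest}")
        return "lookalike", findings

    name = display_name.lower().strip()
    if any(protected in name for protected in PROTECTED_NAMES):
        findings.append(f"display name '{display_name}' claims a trusted identity from {domain}")
        if domain in FREEMAIL_DOMAINS:
            findings.append("sent from a free webmail domain")
        return "impersonation", findings

    if domain in FREEMAIL_DOMAINS:
        findings.append("sent from a free webmail domain")
    return "external", findings


# Constructed sample: tbfc.com with a hooked f, encoded as it appears on the wire.
PUNYCODE_TBFC = "tb\u0192c.com".encode("idna").decode("ascii")

if __name__ == "__main__":
    samples = [
        ("mcskidy@tbfc.com", "McSkidy"),
        ("mcskidy.tbfc@gmail.com", "McSkidy"),
        ("it-support@" + PUNYCODE_TBFC, "TBFC-IT"),
        ("security@glthub.com", "GitHub Security"),
        ("news@vendor-example.com", "Vendor News"),
    ]
    for address, name in samples:
        verdict, findings = classify_sender(address, name)
        print(f"{verdict:13} {name} <{address}> {findings}")
```

The skeleton step is what catches the Punycode case: after the confusable ƒ is folded back to f, the rendered domain compares equal to tbfc.com even though the raw header domain is a completely different registration. The edit-distance threshold of 2 is deliberately low; raise it and short legitimate domains start colliding with each other.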
4. Spoofing
Attackers forge sender information to make emails look legitimate.
Check:
SPF
DKIM
DMARC
Return-Path
If these checks fail, treat the message as spoofed.
Example:
“New Audio Message from McSkidy” — failed all security checks.
5. Malicious Attachments
Classic technique: malware disguised as legitimate files.
Example: Voice-message.html, an HTML attachment that can run malicious scripts when opened.
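Sections 4 and 5 together describe what an analyst checks by hand when the filtering platform is down: the SPF, DKIM and DMARC results, the Return-Path against the From domain, and any attachment that can execute. The following is an added example that does those checks with Python's standard email parser; it is not code from the room, and both messages (including the Return-Path relay domain and the placeholder attachment body) are constructed for the example, with the spoofed one modelled on the "New Audio Message from McSkidy" lure that failed every check:

```python
import email
import re
from email.utils import parseaddr

# Authentication-Results values are written as method=result (e.g. "spf=pass").
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
# Attachment extensions that can run code when opened; constructed subset.
RISKY_EXTENSIONS = {"html", "htm", "hta", "js", "vbs", "lnk", "iso", "exe"}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_message(raw_message):
    """Evaluate sender authentication, Return-Path alignment and attachments."""
    msg = email.message_from_string(raw_message)
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RESULT_RE.findall(header):
            results.setdefault(method.lower(), result.lower())

    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    findings = []

    # Anything other than an explicit pass is a failed check.
    for method in ("spf", "dkim", "dmarc"):
        result = results.get(method, "missing")
        if result != "pass":
            findings.append(f"{method}={result}")
    if return_path and domain_of(return_path) != domain_of(from_addr):
        findings.append(f"Return-Path domain {domain_of(return_path)} "
                        f"differs from From domain {domain_of(from_addr)}")
    spoofed = bool(findings)

    attachments = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        attachments.append(filename)
        if filename.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS:
            findings.append(f"attachment {filename} can execute scripts when opened")

    return {
        "from": from_addr,
        "return_path": return_path,
        "auth": results,
        "attachments": attachments,
        "findings": findings,
        "verdict": "spoofed" if spoofed else "authenticated",
    }


# Constructed sample: every authentication check fails, the bounce address
# belongs to another domain, and an HTML attachment is included.
SPOOFED = """\
Return-Path: <bounce@mail-relay-example.net>
Authentication-Results: mx.tbfc.com; spf=fail (sender IP not authorised) smtp.mailfrom=mail-relay-example.net; dkim=none (no signature); dmarc=fail (p=reject) header.from=tbfc.com
From: McSkidy <mcskidy@tbfc.com>
To: soc@tbfc.com
Subject: New Audio Message from McSkidy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have a new voice message. Open the attachment to listen.
--b1
Content-Type: text/html; name="Voice-message.html"
Content-Disposition: attachment; filename="Voice-message.html"

<html><body>placeholder attachment body</body></html>
--b1--
"""

# Constructed sample: all checks pass and the bounce address is aligned.
LEGITIMATE = """\
Return-Path: <mcskidy@tbfc.com>
Authentication-Results: mx.tbfc.com; spf=pass smtp.mailfrom=tbfc.com; dkim=pass header.d=tbfc.com; dmarc=pass header.from=tbfc.com
From: McSkidy <mcskidy@tbfc.com>
To: soc@tbfc.com
Subject: SOC-mas shift rota

The rota is on the shared drive; nothing attached here.
"""

if __name__ == "__main__":
    for raw in (SPOOFED, LEGITIMATE):
        report = check_message(raw)
        print(report["verdict"], report["findings"])
```

One caveat for the Return-Path comparison: newsletters and mailing lists legitimately use a separate bounce domain, so a mismatch on its own is a signal to weigh alongside the DMARC result rather than proof of spoofing. Only trust an Authentication-Results header that your own mail gateway added; an attacker can include one of their own, which is why gateways strip inbound copies before stamping their own.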
📈 Trending Phishing Techniques
Email platforms got stronger, so attackers evolved. Modern phishing focuses on:
Using legitimate platforms (OneDrive, Google Docs, Dropbox)
Luring users out of the secure environment
Redirecting victims to fake login pages
Using appealing proposals (salary raise, laptop upgrade)
Legitimate Applications as Lures
Attackers send “shared documents” containing fake content.
Example:
OneDrive link claiming “Christmas Laptop Upgrade Agreement”.
Goal: steal credentials or deploy malware through a fake portal.
Fake Login Pages
Attackers mimic common login services like:
Microsoft 365
Google Workspace
Example:
microsoftonline.login444123.com/signin
Looks real — but isn’t: the registered domain is login444123.com, and “microsoftonline” is only a subdomain label placed in front of it.
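The tell in the URL above is where the registered domain actually ends. The following is an added example (not code from the room) that applies that reasoning to links found in an email: it extracts the host, works out which part was registered, and flags a brand name that appears outside that brand's own domains, a raw IP host, or a user@ prefix that hides the real host. The brand-to-domain allow-list and the short multi-label suffix set are constructed for the example:

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: brand keywords and the registrable domains that
# legitimately host that brand's sign-in pages (assumption for this example).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "office": {"office.com", "microsoftonline.com", "microsoft.com"},
    "google": {"google.com"},
}
# A few multi-label public suffixes; a real deployment should consult the
# Public Suffix List rather than this short cut.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the part of a hostname that someone actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_login_url(url):
    """Return (verdict, findings, registrable_domain) for a link in an email."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    findings = []

    if parts.username is not None:
        findings.append("user@ prefix in the URL hides the real host")
    try:
        ipaddress.ip_address(host)
        is_ip = True
        findings.append("link points at a raw IP address, not a domain")
    except ValueError:
        is_ip = False

    owner = None if is_ip else registrable_domain(host)
    # Brand words anywhere in the host or path are only reassuring when the
    # registered domain really belongs to that brand.
    haystack = host + parts.path.lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in haystack and owner not in legit:
            findings.append(f"'{brand}' appears in the link but the domain is {owner or host}")

    verdict = "suspicious" if findings else "no lookalike indicators"
    return verdict, findings, owner


if __name__ == "__main__":
    for link in (
        "microsoftonline.login444123.com/signin",
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "http://198.51.100.23/office365/login",
    ):
        verdict, findings, owner = check_login_url(link)
        print(f"{verdict:24} owner={owner} {link} {findings}")
```

The two-label fallback in registrable_domain is the weak spot: it is right for .com but wrong for many country-code suffixes, which is why production tooling uses the Public Suffix List. The check also says nothing about a domain that is simply unknown; pair it with the sender checks and the authentication results rather than relying on it alone.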
Side-Channel Communication
Attackers shift conversation outside email to:
SMS
WhatsApp
Telegram
Calls
Once off-platform, company protections disappear.
🎁 Mission: Save SOC-mas
You reviewed all six suspicious emails and classified them successfully.
Here are the flags:
1️⃣ THM{yougotnumber1-keep-it-going}
2️⃣ THM{nmumber2-was-not-tha-thard!}
3️⃣ THM{Impersonation-is-areal-thing-keepIt}
4️⃣ THM{Get-back-SOC-mas!!}
5️⃣ THM{It-was-just-a-sp4m!!}
6️⃣ THM{number6-is-the-last-one!-DX!}
Mission accomplished. SOC-mas is safe!