Social Engineering

Understand your company’s readiness for social engineering attacks.

IntrusionOps' Social Engineering service can be a stand-alone service, or most commonly, paired with external and internal network penetration tests or Red Team exercises.

We offer any or all of the following social engineering services:

  • Credential harvesting phish. We impersonate some brand (e.g. b2b partner, SaaS, vendor, another employee), create an email template and landing page to lure staff into submitting credentials. If MFA is in place, we attempt to bypass it or (with the client’s permission), send MFA push requests to see if anyone accepts it.

  • Spear-phishing. IntrusionOps crafts a lure storyline, payload, in attempt to get remote code execution on an employee’s endpoint. This simulates one of the most common ways companies are compromised.

  • Phone-based social engineering (aka vishing). We devise a storyline and call staff impersonating a trusted person, asking them to perform some agreed upon action such as resetting an employees password or installing remote control software.

  • SMS phishing (aka smishing). IntrusionOps uses VOIP service to send phishing links to staff’s mobile phones. When they visit the phishing link it prompts for some agreed upon action, such as entering credentials or authorizing an application. Smishing has been rampant at companies over the past few years with many employees receiving requests to buy gift cards for their CEO.

We go through great lengths on all of our social engineering exercises and try to undermine most security awareness training to more closely simulate targeted attacks. We use phishing domains with good reputations, use valid TLS certificates, make sure that our IP ranges are not flagged by security vendors, and ensure deliverability of our emails (via valid DKIM+DMARC+SPF).

We also offer atypical phishing approaches such as OAuth where we request targets authorize an application to access their mailbox rather than submitting credentials. When targeting hardened environments, we often use MiTM attacks to capture session IDs through a variety of ways, rather than attempting to login directly with phished credentials. We are very acquainted with all the major mail hosting providers defenses, and take these into consideration when developing our attacks.

Use our social engineering services to challenge your security awareness training programs and technical defenses that are in place to address these prominent attacks faced by most companies.