Last updated at Fri, 07 Feb 2025 21:44:18 GMT

Gone Phishing with Vector Command

During a customer engagement, our red team continuously attacks your external attack surface to find vulnerabilities it can exploit. One of the tactics, techniques and procedures (TTPs) we use is “Opportunistic Phishing”. First, a quick reminder of what Vector Command is.

Vector Command is Rapid7’s new continuous red teaming managed service, designed to assess your external attack surface and identify gaps in your security defenses on an ongoing basis. It continues the expansion of our Exposure Management solutions. While external attack surface management (EASM) tools offer visibility, they often fall short on validation, generating lengthy lists of potential exposures for security teams to sift through. Traditional penetration testing can validate vulnerabilities, but its point-in-time nature risks leaving critical exposures undetected for extended periods. With Vector Command, our red team continuously looks for exploitable vulnerabilities.

Rapid7’s Vector Command Landing page

Hacking the Human

Social engineering attacks exploit human psychology rather than a software flaw, which is why they are often referred to as “hacking the human”.

Security professionals often comment that the employee can be the weakest link in a company’s security posture. End-of-day tiredness, our more relaxed attitude during a quick lunch break, and even our predisposition to trust those causes we care deeply about can all be exploited by threat actors. This is the “social” aspect of “Social Engineering”: humans can be manipulated through psychological means into making mistakes, such as giving away login credentials or other sensitive information.

Opportunistic Phishing - The Human Touch

Opportunistic Phishing, also known as an “untargeted attack”, may give no warning signs and is often launched spontaneously, without a specific target in mind. Rapid7’s red team uses this technique to see what information it can obtain during a customer engagement.

Take the hypothetical example of a former IT contractor who was employed by a company, but whose off-boarding has not yet been completed. The contractor had elevated access to a business application containing personally identifiable information (PII). Once our red team identifies this former contractor, those lingering access rights become a route into sensitive PII and services on the corporate network.

When a threat actor executes an opportunistic attempt, it is most commonly delivered as malware or phishing over email.

In this technique, an attacker sends out fraudulent messages, taking care to make the emails look like they come from the actual organization, often using similar logos, fonts and signatures. The body of the message contains a URL, typically with a misspelled domain name or an extra subdomain that places the trusted brand name in front of a domain the attacker controls. If the recipient is not savvy enough to tell the fake web address from the real one and clicks the link, the malware is downloaded to the device as an executable file and run. The payload often includes keylogging software that collects keystrokes, including passwords, which then gives the threat actor access to your company network.
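The two URL tricks described above (a misspelled domain and a trusted brand used as an extra subdomain of an attacker-owned domain) can be checked mechanically before a user ever sees the message. The script below is an added example for this article, not Rapid7 code or part of Vector Command: it extracts URLs from a message body, reduces each hostname to its registered domain, and flags typo-squats, brand-as-subdomain and brand-embedded-in-domain lookalikes against a constructed allowlist of trusted domains. The allowlist, the sample email body and the two-label registered-domain rule are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: domains the organization legitimately links to.
# A real deployment would load this from the mail gateway's allowlist.
TRUSTED_DOMAINS = ["example.com", "paypal.com", "amazon.com"]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message, not a real phishing email.
SAMPLE_BODY = """Dear Customer,
Your account will be suspended. Act now: https://paypal.com.account-verify.net/login
Also https://www.paypa1.com/reset and https://www.example.com/portal"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption: a simple rule is enough here;
    production code should consult the Public Suffix List (e.g. co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_url(url: str) -> tuple:
    """Classify a URL's hostname against the trusted domains.

    Returns (verdict, registered_domain) where verdict is one of
    ok, lookalike-subdomain, lookalike-typo, lookalike-embedded, unknown.
    Note: internationalized (xn--) hostnames are not decoded here, so homoglyph
    domains are not caught by this check.
    """
    host = (urlparse(url).hostname or "").lower()
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return ("ok", reg)
    labels = host.split(".")
    subdomain_labels = labels[:-2]      # everything left of the registered domain
    reg_name = reg.split(".")[0]        # registered domain without its TLD
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # "paypal.com.account-verify.net": brand used as a subdomain elsewhere
        if brand in subdomain_labels:
            return ("lookalike-subdomain", reg)
        # "paypa1.com": one or two edits away from the real brand
        if reg_name != brand and levenshtein(reg_name, brand) <= 2:
            return ("lookalike-typo", reg)
        # "secure-paypal-login.com": brand embedded in an unrelated name
        if brand in reg_name:
            return ("lookalike-embedded", reg)
    return ("unknown", reg)


def scan_body(body: str) -> list:
    """Return [(url, verdict, registered_domain), ...] for every URL in the body."""
    return [(u, *check_url(u)) for u in URL_RE.findall(body)]


if __name__ == "__main__":
    for url, verdict, reg in scan_body(SAMPLE_BODY):
        print(f"{verdict:20} {reg:28} {url}")
```

On the sample body the first link is flagged as lookalike-subdomain (the registered domain is account-verify.net, not paypal.com), the second as lookalike-typo (paypa1.com is one edit from paypal.com) and the third passes. The check only covers the two tricks this section names; it does not inspect where the link redirects or what the page serves, so it belongs in front of, not instead of, sandboxing and user reporting.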

By deploying this tactic, Rapid7’s red team thinks, acts and behaves like a threat actor, but without the malicious consequences for your organization. Using opportunistic phishing, we find and identify where your security gaps are, both in technology (through different campaign configurations) and in people, helping you to act and respond. Vector Command reporting gives a detailed outline of each campaign, including remediation recommendations for your IT and security teams.

A sample report for a Phishing campaign completed by our Vector Command red team

What should you be on the lookout for?

Let's explore some typical phishing examples that frequently target organizations.


  • Invoices from companies you do not have a supplier agreement with.
  • Shipping notifications from large retailers, both online and high street.
  • Password reset requests for your email or other online accounts, e.g. Amazon or PayPal.
  • Tax refund emails, either at the time you need to submit your tax return (when the request is time sensitive) or months away from the deadline (anomalous timing).
  • Poor grammar or spelling errors in the subject line or the body of the email, which suggest it is not from a reputable source.
  • A sense of urgency, such as “Act now”.
  • Generic greetings like “Dear Customer” instead of a personalized one.
  • Surveys from third parties or workplace experience coordinators that are out of place.
  • Suspicious login alerts for common applications sent from an untrusted sender address.
  • Employee benefit emails, either at the time you need to submit your elections (when the request is time sensitive) or months away from the deadline (anomalous timing).
  • Shared documents and calendar invitations from third parties you do not commonly interact with.
  • Browser extensions, software updates and installation requests arriving via email or phone.
  • Unexpected phone calls: verify the caller through an internal communication application such as Teams or Slack before acting.

Take Command of your Attack Surface

Stay tuned as we continue to share insights into other TTPs employed by Rapid7’s expert red team to test your cyber resilience.

We have created a self-guided product tour for Vector Command which you can check out at your leisure.


Ready to see how a continuous red team managed service can help ensure your potential attack pathways are remediated before they can be exploited?