Integrity360 Comment: Microsoft Discloses Novel Phishing Campaign

January 2022 by Patrick Wragg, Cyber Threat Response Manager, Integrity360

"When searching for that initial access phishing email opened by victim zero during the identification phase of incident response, it’s important to include internal emails in addition to external emails, as the attacker may have already compromised an employee elsewhere in an organisation’s network. The most common reasons attackers use internal phishing (or “lateral phishing”) are that they cannot move laterally due to unforeseen geographical restrictions, domain/network restrictions, or even where victim zero belongs to a third-party trusted vendor. Lateral phishing also makes easy work of common phishing defences such as SPF (Sender Policy Framework), as it relies on the sender being external to fire an alert. Effort should be made by incident responders to search for internal emails that look “out of place”; however, this can be difficult since the attacker will have the ability to study what is “normal” in terms of communication in the organisation before they internally phish. Internal phishing is mostly about falsifying trust."
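One way an incident responder can operationalise the hunt for "out of place" internal email, as an added example that is not part of Integrity360's comment or any tool it describes: baseline who normally emails whom from an earlier message-trace export, then score internal-to-internal messages in the incident window on three indicators (a sender/recipient pair never seen in the baseline, a link to a host outside the organisation, and a sender fanning out to more colleagues than usual). The organisation domain example.com, the message rows and the threshold values are constructed assumptions for illustration; a real hunt would read them from Exchange/M365 message trace or mail-gateway logs.

```python
"""Hunt for lateral (internal-to-internal) phishing in a message-trace export.

Added example; all data below is constructed. The org domain, the sample
rows and the scoring thresholds are assumptions, not values from the article.
"""
import re
from collections import defaultdict
from datetime import datetime

INTERNAL_DOMAIN = "example.com"  # assumed organisation domain
URL_RE = re.compile(r"https?://([^/\s>\"']+)", re.IGNORECASE)


def row(ts, sender, recipient, subject, body=""):
    """Build one message-trace record (constructed sample format)."""
    return {"ts": datetime.fromisoformat(ts), "from": sender.lower(),
            "to": recipient.lower(), "subject": subject, "body": body}


# Constructed baseline: a few weeks of "normal" internal mail flow.
BASELINE = [
    row("2022-01-03T09:12:00", "alice@example.com", "bob@example.com", "Budget draft"),
    row("2022-01-04T10:05:00", "bob@example.com", "alice@example.com", "Re: Budget draft"),
    row("2022-01-05T14:30:00", "carol@example.com", "bob@example.com", "Vendor list"),
    row("2022-01-06T08:45:00", "dave@example.com", "alice@example.com", "Timesheets"),
    row("2022-01-07T16:20:00", "alice@example.com", "dave@example.com", "Re: Timesheets"),
]

# Constructed incident window: dave's mailbox has been taken over and is
# used to phish colleagues; everything else is ordinary traffic.
LURE = "Shared a file with you: https://sharepoint-files.invalid/auth"
WINDOW = [
    row("2022-01-20T09:01:00", "alice@example.com", "bob@example.com", "Re: Budget draft",
        "Attached, also on the intranet https://intranet.example.com/budget"),
    row("2022-01-20T09:40:00", "carol@example.com", "dave@example.com", "Updated vendor list",
        "https://files.example.com/vendors.xlsx"),
    row("2022-01-20T11:02:00", "mallory@evil.invalid", "alice@example.com", "Invoice overdue",
        "https://pay.evil.invalid/"),
    row("2022-01-20T11:15:00", "dave@example.com", "alice@example.com", "Shared document", LURE),
    row("2022-01-20T11:16:00", "dave@example.com", "bob@example.com", "Shared document", LURE),
    row("2022-01-20T11:17:00", "dave@example.com", "carol@example.com", "Shared document", LURE),
    row("2022-01-20T11:18:00", "dave@example.com", "erin@example.com", "Shared document", LURE),
    row("2022-01-20T11:19:00", "dave@example.com", "frank@example.com", "Shared document", LURE),
    row("2022-01-20T11:20:00", "dave@example.com", "grace@example.com", "Shared document", LURE),
]


def is_internal(addr):
    return addr.endswith("@" + INTERNAL_DOMAIN)


def is_internal_host(host):
    host = host.lower()
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def build_baseline(rows):
    """Map each internal sender to the set of internal colleagues they normally email."""
    recipients = defaultdict(set)
    for r in rows:
        if is_internal(r["from"]) and is_internal(r["to"]):
            recipients[r["from"]].add(r["to"])
    return recipients


def external_hosts(text):
    """Hosts linked in the message that are outside the organisation's domain."""
    return sorted({h.lower() for h in URL_RE.findall(text) if not is_internal_host(h)})


def hunt(window, baseline, fan_out_threshold=5):
    """Score internal->internal messages; return those with at least two indicators.

    External senders are skipped on purpose: SPF/DMARC and gateway filtering
    already cover them, whereas mail from a compromised internal mailbox
    passes those checks and must be judged on behaviour instead.
    """
    internal = [r for r in window if is_internal(r["from"]) and is_internal(r["to"])]
    window_recipients = defaultdict(set)
    for r in internal:
        window_recipients[r["from"]].add(r["to"])

    findings = []
    for r in internal:
        usual = baseline.get(r["from"], set())
        reasons = []
        if r["to"] not in usual:
            reasons.append("first_contact")  # pair never seen in the baseline
        hosts = external_hosts(r["subject"] + " " + r["body"])
        if hosts:
            reasons.append("external_link:" + ",".join(hosts))
        seen = window_recipients[r["from"]]
        if len(seen) >= fan_out_threshold and len(seen) > len(usual):
            reasons.append(f"fan_out:{len(seen)}")  # suddenly mailing far more colleagues
        if len(reasons) >= 2:
            findings.append({"ts": r["ts"], "from": r["from"], "to": r["to"],
                             "subject": r["subject"], "reasons": reasons})
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in hunt(WINDOW, build_baseline(BASELINE)):
        print(f["ts"].isoformat(), f["from"], "->", f["to"], f["reasons"])
```

On the constructed data the six messages from the compromised mailbox are returned and nothing else is: the legitimate first-contact message from carol to dave scores only one indicator, and the external lure from mallory is left to the existing gateway controls. Requiring two indicators is what keeps the result list short enough to triage; the point the comment makes still stands, because an attacker who has studied the mailbox can send to established contacts only, at the usual volume, and this logic would then see a single indicator at most. Pairing it with authentication telemetry (new sign-in location or device for the sending account) closes that gap better than lowering the threshold.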