Internal Phishing Exercise Difficulty Scoring Tool

Cedric Owens
Sep 3, 2018 · 3 min read

Given the prevalence of phishing as an attack vector into corporate and enterprise environments, lots of organizations are now performing regular internal phishing assessments. These efforts usually aim at testing and training end users on how to spot and report suspicious emails. When gathering metrics on internal phishing campaigns, it is good not only to have metrics such as view rates, click rates, compromise rates, and report rates, but also to track the difficulty level of each phishing campaign. This provides context and helps paint a more complete picture when reporting these metrics upward. However, when I searched I did not really find much out there in terms of scoring models for internal phishing campaigns. There was one on ElevateSecurity.com, so I was glad to see that:

I thought this was a great start. However, there were other aspects of phishing emails that I wanted to take into account when measuring difficulty levels that this model did not include. So, I decided to use that model as a foundation and build my own model.

So I wrote a simple Python 3 script that presents questions and calculates a difficulty level based on which range the overall score for a phishing email falls into. I will not get too far into the weeds, but the general approach I took was:

  • Came up with the list of questions and answers

The questions are below:

  1. Email campaign options:
  • Credential harvesting campaign

Each campaign type shares a set of general questions and may include one or two additional questions specific to that type of campaign.

General questions:

How was the sending email address crafted?

What type of domain did you use to send the mail?

What type of domain did you use for C2 or the fake login page?

What type of layout did you use for the phishing email?

How much contextual business information did the phishing email contain?

Did the phishing email have any grammatical or spelling errors?

How much did you personalize the phishing email?

Additional questions for credential harvesting phishing emails or phishing emails with links to malicious payloads:

  • Was HTTPS used for the fake login page?

Additional question for attachment-based phishing emails:

  • How much user interaction with the attachment was required to ‘compromise’ the user?

Additional question for BEC phishing emails:

  • How similar was the sender to the target executive or company?

The questions above are the initial questions and I imagine that these will evolve and change over time. For example, tools like evilginx2 and CredSniper have the ability to capture or bypass 2FA so I need to add some additional questions to account for the difficulty levels associated with those.

When run, the script starts as follows:

When finished, the script writes an output file in the current working directory, as seen below:
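To make the approach concrete, here is an added example of the same idea in Python 3; it is not Cedric's script. The question text follows the post, but the answer options, point weights, difficulty bands, campaign type names and the JSON output format are all assumptions made for this example. Higher points mean the lure is harder for an end user to spot.

```python
"""Phishing exercise difficulty scorer (added example, not the post's script).

Question text follows the post; answer options, point weights, level bands,
campaign names and the output format are assumptions for this example.
"""
import json
from pathlib import Path

# Each entry: (question, [(answer text, points), ...]); more points = harder to spot.
GENERAL = [
    ("How was the sending email address crafted?",
     [("Random or obviously unrelated address", 0),
      ("Resembles a vendor, partner or service", 1),
      ("Mimics or spoofs an internal address", 2)]),
    ("What type of domain did you use to send the mail?",
     [("Unrelated newly registered domain", 0),
      ("Lookalike of the company domain", 1),
      ("Trusted third-party or company-owned domain", 2)]),
    ("What type of domain did you use for C2 or the fake login page?",
     [("Unrelated newly registered domain", 0),
      ("Lookalike of the company domain", 1),
      ("Trusted third-party service or company-owned domain", 2)]),
    ("What type of layout did you use for the phishing email?",
     [("Plain text, no branding", 0),
      ("Generic branded template", 1),
      ("Close copy of a real internal or vendor email", 2)]),
    ("How much contextual business information did the phishing email contain?",
     [("None", 0), ("Some public information", 1),
      ("Internal details only insiders would know", 2)]),
    ("Did the phishing email have any grammatical or spelling errors?",
     [("Several", 0), ("One or two", 1), ("None", 2)]),
    ("How much did you personalize the phishing email?",
     [("Not at all", 0), ("Name only", 1), ("Name, role and current projects", 2)]),
]

HTTPS_Q = ("Was HTTPS used for the fake login page?", [("No", 0), ("Yes", 1)])

# Extra questions per campaign type (the type names are assumed).
CAMPAIGN_SPECIFIC = {
    "credential_harvesting": [HTTPS_Q],
    "malicious_link": [HTTPS_Q],
    "attachment": [("How much user interaction with the attachment was required "
                    "to 'compromise' the user?",
                    [("Several steps (open, enable content, confirm)", 0),
                     ("Two steps (open, then one action)", 1),
                     ("Opening the attachment only", 2)])],
    "bec": [("How similar was the sender to the target executive or company?",
             [("Different name and domain", 0),
              ("Same display name, unrelated domain", 1),
              ("Same display name and lookalike domain", 2)])],
}

# Assumed difficulty bands: score as a fraction of the maximum achievable score.
LEVELS = [(0.25, "Easy"), (0.50, "Medium"), (0.75, "Hard"), (1.01, "Very Hard")]


def questions_for(campaign):
    return GENERAL + CAMPAIGN_SPECIFIC[campaign]


def score_answers(questions, choices):
    """Sum the points of the chosen answer index for each question."""
    if len(choices) != len(questions):
        raise ValueError("one answer index per question is required")
    return sum(options[idx][1] for (_, options), idx in zip(questions, choices))


def max_score(questions):
    return sum(max(points for _, points in options) for _, options in questions)


def difficulty_level(total, maximum):
    """Map the score's share of the maximum onto one of the assumed bands."""
    ratio = total / maximum
    return next(label for upper, label in LEVELS if ratio < upper)


def assess(campaign, choices):
    """Return the full assessment for a campaign given answer indices."""
    qs = questions_for(campaign)
    total, maximum = score_answers(qs, choices), max_score(qs)
    return {"campaign": campaign, "score": total, "max_score": maximum,
            "level": difficulty_level(total, maximum),
            "answers": [(q, opts[i][0]) for (q, opts), i in zip(qs, choices)]}


def write_report(result, path="phish_difficulty.json"):
    """Write the assessment to the working directory, as the post's script does."""
    Path(path).write_text(json.dumps(result, indent=2))
    return path


def run_interactive(campaign):
    """Ask each question on stdin and return the assessment dict."""
    choices = []
    for prompt, options in questions_for(campaign):
        print(prompt)
        for i, (text, _) in enumerate(options):
            print(f"  [{i}] {text}")
        choices.append(int(input("Answer number: ")))
    return assess(campaign, choices)


if __name__ == "__main__":
    import sys
    result = run_interactive(sys.argv[1] if len(sys.argv) > 1 else "credential_harvesting")
    print(f"Score {result['score']}/{result['max_score']}: {result['level']}")
    print("Wrote", write_report(result))
```

Scoring as a fraction of the maximum keeps the bands comparable across campaign types that have different numbers of questions, which matters when the attachment or BEC variants gain extra questions (for example, for 2FA bypass) and the raw maximum changes.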

Here is a link to the phishing exercise difficulty scoring script I wrote:

I think there could be value not only in running internal phishing campaigns through this model, but also in running real-world phishing emails that have had some level of success against employees through it, to get a general feel for their difficulty level.

Enjoy!

Red Teaming with a Blue Team Mentality

Posts from a blue teamer turned red teamer

Cedric Owens

Written by

Blue teamer turned red teamer but blue teamer at heart. Twitter: @cedowens
