Red Team Phishing Simulations

Safe, Expert-Led Phishing Attacks to Test and Harden Your Defenses

Social Engineering

Phishing Remains A Highly Effective Technique

Our phishing services — including targeted spear phishing and vishing — are a core component of Raxis’ advanced Red Team operations. Delivered exclusively by our elite Red Team engineers, these realistic simulations emulate real-world adversaries to uncover vulnerabilities in your people, processes, and technology.

Catch them in the act before someone else does

Phishing

These controlled tests include realistic malicious links and attachments designed to reveal how employees might accidentally expose passwords, financial details, or credentials. The result? You gain clear, actionable insights into your vulnerabilities, strengthen awareness, and build stronger defenses — without any real risk to your systems or data.

Spear Phishing

We safely run targeted spear phishing simulations, researching your team to craft personalized emails that look like they come from trusted colleagues, executives, or partners. These controlled tests use realistic spoofing and pretexts to show where even careful employees might slip up — all with zero real risk to your systems or data.

Vishing

We safely simulate vishing (voice phishing) attacks using realistic phone calls and voicemails that mimic real cybercriminals — impersonating trusted sources like banks, IT support, or executives to build urgency and prompt action. Our controlled tests reveal how employees might share passwords, account numbers, or verification codes under pressure — all in a completely secure environment with zero real risk to your systems or data.

Integrated With Our Red Team Expertise

Red Teaming helps you defend against cyber threats effectively.

Handled by Red Team Engineers

Your phishing tests are conducted by the same elite professionals who lead our Red Team operations, ensuring hyper-realistic scenarios that go beyond basic templates.

Seamless Red Team Integration

Phishing often serves as the initial access vector in broader Red Team assessments, allowing us to demonstrate chained attacks (e.g., credential harvesting leading to lateral movement).

Real-World Impact

By leveraging Red Team methodologies like the MITRE ATT&CK framework, we reveal not just click rates, but how phishing exploits could lead to full compromise.

How Raxis Protects Your Organization

Phishing and social engineering can pose significant risks to your company, but understanding these threats is essential for protection.

Phishing involves deceptive tactics where attackers impersonate trustworthy entities to steal sensitive information, such as login credentials or financial details. Social engineering, on the other hand, leverages psychological manipulation to trick employees into divulging confidential information or performing actions that compromise security.

Realistic Attack Simulations

We simulate phishing, spear phishing, and vishing attacks to test your organization’s resilience against these threats. These realistic scenarios help identify vulnerabilities in your defenses and prepare your team for real-world attacks.

Comprehensive Reporting

After each simulation or assessment, we provide detailed reports highlighting weaknesses in your defenses and offering actionable recommendations to mitigate risks.

Employee Awareness Training

Your employees are the first line of defense against social engineering attacks. Our tailored training programs teach them how to recognize and respond to phishing emails, suspicious calls, and other manipulative tactics.

Continuous Improvement

Cyber threats evolve constantly. Our ongoing services ensure your organization stays prepared by adapting defenses to new attack methods and providing regular updates on emerging threats.

Raxis Hack Stories


Phishing for Credentials

Our stories are based on real events encountered by Raxis engineers; however, some details have been altered or omitted to protect our customers’ identities.

Oh, if clicks were wishes. After decades of extended car warranty negotiations and speed dates with Nigerian princes, nearly all organizations remain keenly aware that phishing attacks are part of doing business. We’re all human, but it’s the forehead slap moments that seem to sting the most. Maintaining that vigilance while your inbox explodes on a Friday afternoon is no small challenge. We’ve all been there, and the bad guys know it. We don’t get to share too many war stories, so sit back and enjoy a few that our team has been a part of. While no actual employees were harmed in the making of this story, they quickly learned that class was in session.

As with many other social engineering engagements, we created a phish based on a spoofed login portal. The assessment scope allowed our engineer to pivot off any harvested credentials. So, with that as the focus, he leapt at the first set that came in. Glee quickly faded as he found the organization enforced MFA through a push notification. Thinking the jig was up, our tester stepped away in search of commiseration coffee. Bingo! When he returned, the user had approved the MFA push.

The best advice for outsmarting a professional phisherman is to confirm a communication’s legitimacy with the person or organization that allegedly sent it. But what about the phish within the phish? For this, our team created a complex phishing email claiming to be from our customer’s own IT department. Using company branding and styles found on publicly available customer sites, the branded email urged users to log in to their email, using a link provided in the email of course, to re-authenticate after an upgrade. You guessed it: this link was for a phishing site that stole the entered credentials and then redirected, smoke and mirrors style, to an error page. Here’s where the darkness became all encompassing. Both the email and the error page provided a number to contact IT for help. Not only did employees enter credentials, but the phone started ringing. Grateful to have the call answered quickly by a friendly person, several of these people told our tester other sites where those credentials should work and provided info that helped our tester log in. Trust and rapport were inferred because the employees made the call to the phisher instead of the other way around.

Real Phishing Obtains Real Results

Scottie Cole is one of the best in the business. In this video, he reveals some of his best tips and tricks for setting up phishing campaigns to harvest credentials and/or install payloads on clients’ networks.
