Phishing and Spear Phishing
Phishing remains the most common way attackers get in, because it targets the human, who cannot be patched. Bulk phishing casts wide with generic lures; spear phishing targets a specific person with researched, personalized pretext (fed by the OSINT of Chapter 5); business email compromise skips malware entirely and just asks, convincingly, for a wire transfer or credentials.
This topic covers how these campaigns are built and, for the defender, how they are detected and blunted before they reach Meridian's people — including the critical modern point that most MFA does not actually stop a determined phish.
The Phishing Spectrum
The spectrum runs from bulk phishing (high volume, generic, caught largely by filters) through spear phishing (researched, personalized, high success, evading generic filters) and whaling (targeting executives) to business email compromise (pure impersonation for fraud, often with no malicious link or malware at all). The more targeted the attack, the higher its success rate and the harder it is to catch with technology alone.
The Anatomy of a Lure
Urgency, authority, and a plausible pretext drive the click. The payload is a credential-harvesting page — often behind a real-time proxy that relays MFA — a malicious attachment (Chapter 8), or simply a request. Recognizing the pattern is the human defense: an unexpected message combining urgency and authority, pushing you to act now, is the shape of nearly every phish regardless of its specific story.
The Real-Time Phishing Proxy
This is the point that changes the calculus: modern kits — adversary-in-the-middle — proxy the real login, capturing the credentials and the session cookie after MFA. Ordinary MFA does not stop them, because the attacker relays whatever the user enters. Only phishing-resistant, origin-bound MFA (FIDO2, Chapter 3) truly defeats this, because the credential will not release to the look-alike site. "We have MFA" is not the same as "we are safe from phishing."
Defending Meridian's Inbox
The defense is layered: email authentication enforced (the next topic), link and attachment sandboxing, lookalike-domain monitoring, phishing-resistant MFA so a caught credential is useless, and an easy one-click report path so users become a sensor. Business email compromise, which slips technical filters entirely because it carries no malicious payload, is caught by process — out-of-band verification of any payment or credential request.
Bulk — mass, generic, low per-target success, caught largely by filters.
Spear — researched, personalized, high success, evades generic filters; needs human awareness plus technical layers.
Business email compromise — pure impersonation and social pressure for fraud, frequently with no malicious link or file, so it slips technical filters and is caught by process and verification.
- Assuming MFA defeats phishing, when real-time proxies capture the session after MFA and only phishing-resistant factors stop them.
- Relying on filters alone against spear phishing and BEC, which are personalized precisely to evade generic detection.
- No easy report button, so users who do spot a phish have no fast way to warn the SOC, wasting the best sensor.
- Treating BEC as a technical problem when it is a process problem — the fix is out-of-band verification of payment and credential requests.
- Punishing users who click, which drives reporting underground and hides the incidents you most need to see.
- Deploy phishing-resistant MFA (Chapter 3) so a harvested credential, and even a relayed session, is worthless.
- Layer technical controls — authentication, link and attachment sandboxing, lookalike monitoring — with human awareness for the targeted attacks filters miss.
- Give users a one-click report path and treat reports as high-priority SOC signals.
- Defend BEC with process: mandatory out-of-band verification for payments and sensitive-data requests, regardless of who "sent" it.
- Run realistic phishing simulations that measure report rate, not just click rate (the final topic).
Knowledge Check
Why doesn't ordinary MFA stop a modern real-time phishing proxy?
- It relays the post-MFA session cookie in real time
- The proxy guesses the MFA code by rapid brute force
- MFA codes travel across the network unencrypted
- The proxy quietly disables MFA on the account first
Why does business email compromise often slip past technical email filters?
- It carries no malicious payload, just an impersonated ask
- It is always sent from a genuine, compromised internal account
- Filters are unable to scan the subject line of any email
- BEC messages are always encrypted end to end in transit
Why is an easy one-click report button a valuable control?
- It turns users into fast sensors warning the SOC
- It automatically deletes the reported phishing email from every inbox
- It blocks the sender's domain permanently on its own
- It replaces the need for phishing-resistant MFA
You got correct