Spear Phishing Harpoons 2FA

There are many types of attacks that could be used against your organization. Social Engineering is an attack vector that may include a variety of exploit strategies. In this post we will examine two common Social Engineering attacks that utilize a spear phishing strategy. Spear phishing against organizations is known to succeed against the most advanced security systems, including Two Factor Authentication (2FA).

Social Engineering (SE) Attacks

Social engineering is an attack strategy that appears benign to the unsuspecting target. Success depends on tricking a victim into cooperating with the attacker’s requests. Because this attack strategy is so sophisticated in the manner in which it mimics legitimate activities, the ruse frequently works. The target individual is fooled into revealing valid system logon credentials. No security system, even 2FA, can protect against the attack once the target’s cooperation is obtained.

How to Know if You Are Being “Engineered”

One great way to understand how advanced social engineers are attacking in the wild is by examining a typical attack scenario in detail.

Initial Attack Phase

The threat actor sends spoof emails to your organization that the Spam filter didn’t detect. The Spam filter failed to detect the spoof emails because they originated from your corporate domain or a domain with a very similar structure.

The emails use a scripted ruse similar to the following:

Hi Name of Employee,

We are in the process of moving our VPN services to an upgraded system. You’ll have 3 days to update your information or you’ll be unable to continue to access the VPN remotely. To update your VPN information into our new system please go to http://vpn-yourcompanydomain.com.


Actual IT Department Employee’s Name

Second Phase

Next the threat actor, using a spoofed phone number of your internal organization, begins Vishing (phishing via telephone) the employees that just received the emails.

The telephone contact will be scripted something like this:

Hi Name of Employee,

This is Actual IT Department Employee’s Name

I just sent you an email to update your VPN information because we are in the process of upgrading our VPN system. If you have the time, I want to walk you through the process so we can be sure that you are properly setup.

The employee, not suspecting anything out of the ordinary, accesses the corporate VPN login screen. Below is a typical screen.


Third Phase

Now the threat actor explains the necessary steps to the employee and walks the employee through the http://vpn-yourcompanydomain.com website. Because the employee has been tricked into using a spoof website, the threat actor is able to capture the employees credentials as he types them into the login screen. The attacker is now able to log into the actual corporate VPN and begin pursuing the purposes of their attack.

Tips for Social Engineering Prevention

Risk Assessment

Assess of your organization’s current SE risk position and strategies to manage these types of threats? Without proper training, it can be difficult to identify SE threats and devise a strategy to reduce the risk and minimize the potential impact.

A social engineering penetration test can provide your organization with data on your current SE threat exposure. It will also inform the organization of SE threat training needs and help ensure security standards compliance.

Security Awareness

Implement a continuous security awareness program. Train employees on actual SE attack types being utilized.


In the scenario above, the threat actor called the employee. Train employees to make a call to the appropriate department to verify the request and determine for certain they are working with authorized, legitimate personnel.

Incident Reporting

Set up a hot line or other easily accessed method for employees to report suspected security attacks. Communication is the key to recognizing when an attack is happening.



VeriClouds serves as a trusted security advisor to the Global 500 and other progressive enterprises, helping to safeguard their most important assets and improve their overall security posture. We have domain expertise in several vertical industries. Our industry-specific methodologies and assessments are aligned with our core competencies:

Account Security

Penetration Testing

Social Engineering

Physical Security Assessments

Checkout our Online Accounts Risk Mitigation Platform and Extensions Enhancing the Core Platform and Phishing Prevention

Spread the word. Share this post!

We Accept Only Business Email Addresses – No Free or ISP Email Addresses

Please enter a business email address to obtain proper delivery of the product. If you do not have a business email address or experience any issues during the registration process, please send an email to support@vericlouds.com