2.2 - Message-Based Attack Vectors
Learning Objectives
2.2 - Explain common threat vectors and attack surfaces.
- Message-based
- Short Message Service (SMS)
- Instant messaging (IM)
What is a Message-Based Threat Vector?
Message-based threat vectors are one of the most common and successful ways attackers compromise a system. Why? Because they don’t have to find a zero-day exploit or crack encryption - they just have to send a convincing message that tricks a half-asleep employee into clicking something on a busy Monday morning.
These types of attacks usually revolve around social engineering and rely on our tendency to trust messages that look familiar. To exploit this tendency, attackers will craft a message that looks legitimate but contains a malicious link, an infected attachment, or a convincing request for sensitive data.
For example, it might be an email from HR, a text message from your bank, or a direct message from a "colleague" on Slack asking you to send over a sensitive document.
These Message-Based attacks can typically be split into three main categories:
1. Email
Email-based attacks, also known as phishing, remain one of the most common vectors for cyberattacks because email is so widely used in both corporate and personal communication. They work by delivering malicious content (like links or attachments) to a user’s inbox, disguised as a legitimate email. The goal is usually to trick the recipient into clicking a link, opening a file, or responding with sensitive information.
The attacker might spoof the sender address to appear as someone trusted - like your boss, your bank, or even a service you use like Microsoft or Netflix. If the recipient clicks the link, opens the file, or responds to the request, the result could be a malware infection, financial loss, or worse.
Common Examples of Email-Based Attacks
- Nigerian Prince Scam: One of the oldest internet scams, also known as the advance-fee scam. The attacker may claim to be rich or a person of royalty, who needs your help to transfer money out of their country. In exchange for your help, you’re promised a large cut - but you first have to send them a sum of money upfront... you know... to pay for those transaction fees...
- Crypto Scams: These appear as emails from platforms like Coinbase. The email might claim that you've been sent some Bitcoin but need to click the link and log in before it expires! The link likely takes you to a fake Coinbase login page designed to harvest your credentials.
- HR Impersonation: An attacker may send an email pretending to be from your company’s HR department, urging you to review their latest policies. The attached file might be a Word document laced with malicious macros.
2. SMS-Based Threat Vectors (Smishing)
Smishing is the Short Message Service (SMS) version of phishing. It uses text messages to lure users into clicking malicious links or sharing sensitive information. Unlike emails, SMS messages feel more personal and urgent, and attackers like to take advantage of this.
Since people are more likely to read and respond to texts quickly, smishing attacks often create a false sense of urgency or authority, like a failed delivery or a compromised bank account.
Common Examples of SMS-Based Attacks
- Parcel Delivery Scam: You receive a text that says, “Your parcel is held due to unpaid shipping fees. Pay now to release it.” The link leads to a phishing site that steals payment info.
- Bank Account Alert: You get a text saying your account has been locked and you must “verify your identity.” The link redirects to a spoofed banking site asking for login credentials.
- Fake COVID Test Result: During the pandemic, attackers sent texts pretending to be from health agencies, tricking people into clicking malicious links under the guise of ordering a test or checking their test results.
3. Instant Messaging (IM)-Based Threat Vectors
Instant messaging apps like Slack, Teams, and WhatsApp are also being used to launch message-based attacks. These platforms are often seen as internal and trusted, especially within enterprise environments. This makes users less skeptical of messages received here - which makes them ideal targets for social engineering.
Attackers might compromise one employee’s account and use it to message others, or spoof a manager or coworker asking for a favour - like requesting a document, paying an invoice, or handing over credentials.
Common Examples of IM-Based Attacks
- Coworker Impersonation: You get a Slack DM from someone claiming to be your project manager asking you to “urgently review” a document. The document might be a malicious payload.
- Fake IT Support: An attacker impersonates IT and claims there’s an issue with your account. They send you a link to a “fix,” which leads to a credential harvesting site.
- Executive Fraud: On platforms like Microsoft Teams, attackers may pose as senior executives asking employees in the finance department to urgently pay an invoice or transfer funds.
Common Traits of Message-Based Attacks
Whether it’s an email, text, or Slack message, many message-based attacks will have similar traits to look out for:
- Unnecessarily urgent tone or pressure to act fast
- Unexpected links or attachments
- Poor grammar or spelling mistakes
- Slightly altered domain names (e.g. paypai.com instead of paypal.com)
- Unusual requests - such as requesting sensitive info that wouldn’t normally be shared over chat
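As an added illustration (not part of the original notes), the script below turns the traits above into a simple triage check a security team might run over reported messages: it flags external senders, urgency phrases, and lookalike domains such as paypai.com within a short edit distance of a trusted brand. The trusted-brand list, the organisation's internal domain (example.com) and the sample messages are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed: brands the organisation expects to see in legitimate mail.
TRUSTED_DOMAINS = {"paypal.com", "coinbase.com", "microsoft.com"}
INTERNAL_DOMAIN = "example.com"  # assumed: the organisation's own mail domain
URGENCY = ("urgent", "immediately", "expires", "pay now", "locked", "verify your identity")


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable domain: last two labels (login.paypal.com -> paypal.com).
    Does not handle multi-label suffixes such as co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def triage(sender, body):
    """Return a list of red flags found in one message (empty list = nothing seen)."""
    findings = []
    if sender.split("@")[-1].lower() != INTERNAL_DOMAIN:
        findings.append(f"external sender: {sender}")
    text = body.lower()
    for phrase in URGENCY:
        if phrase in text:
            findings.append(f"urgency phrase: '{phrase}'")
    for url in re.findall(r"https?://\S+", body):
        dom = registrable(urlparse(url).hostname or "")
        if dom in TRUSTED_DOMAINS:
            continue  # exact match to a known-good brand domain
        for good in TRUSTED_DOMAINS:
            if levenshtein(dom, good) <= 2:  # one or two characters off = lookalike
                findings.append(f"lookalike domain: {dom} ~ {good}")
    return findings


if __name__ == "__main__":
    # Constructed sample message modelled on the bank-alert smishing pattern.
    sample = ("alerts@paypai.com",
              "Your account is locked. Verify your identity at http://secure.paypai.com/login today.")
    for flag in triage(*sample):
        print(flag)
```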
Real-World Example: Toyota BEC Attack (2019)
In 2019, a Toyota subsidiary lost over $37 million due to a business email compromise attack. The attackers impersonated a trusted supplier and tricked staff into changing payment details. The email looked convincing, came at just the right time, and wasn’t caught until after funds had been transferred.
You can read more about it here: Toyota Subsidiary Suffers $37m BEC Loss
Defenses Against Message-Based Attacks
The best way to protect against message-based attacks - whether they come via email, SMS, or instant message - is through a combination of user awareness, technical controls, and common-sense policies. Since these attacks rely heavily on social engineering, stopping them usually starts with the person being targeted.
Here are the most effective defenses you should have in place:
1. Security Awareness Training
Users are your first line of defense. Regular training helps staff recognise red flags like suspicious links, unexpected attachments, fake urgency, and impersonation attempts. If someone knows what to look for, they’re far less likely to fall for a scam - even if it looks convincing.
2. Spam Filters and Anti-Phishing Tools
Modern email security gateways can scan for known malicious domains, suspicious attachments, and spoofed addresses. These tools help filter out a huge portion of phishing emails before they even hit the inbox.
Some platforms also support link rewriting and sandboxing - so if a user clicks something sketchy, it’s redirected, blocked or checked in a secure environment first.
3. Multi-Factor Authentication (MFA)
Even if an attacker tricks a user into handing over their login credentials, MFA can block the login attempt. A second verification step (like an app or hardware key) makes it significantly harder for attackers to move forward with a breach.
4. Mobile Device Management (MDM)
For SMS and IM threats targeting phones, MDM solutions can enforce security controls - such as spam text filtering, blocking untrusted apps, disabling link previews, or remotely wiping compromised devices.
This is especially important in bring-your-own-device (BYOD) environments where personal devices can access work apps and data.
5. Dual Channel Verification Practices
Employees should be trained not to blindly trust messages, even if they come from a familiar name. Verifying suspicious requests through a separate communication channel (like a phone call) is a simple yet highly effective defense. It is unlikely that an attacker has been able to compromise multiple channels. It is even less likely that they are able to hijack a user's phone calls and accurately imitate their voice in real time. However, as AI rapidly develops, this is an emerging risk to think about.
6. URL Filtering and DNS Security
On the technical side, organisations can implement DNS filtering and URL blocking to prevent access to known phishing or malicious websites - even if a user clicks the link. This adds another layer of protection beyond the endpoint.
7. Filter External Messages
Configure permissions to filter and review messages from unknown external users or domains. Many message-based attacks rely on being able to directly reach employees from outside the organisation.
8. Incident Reporting and Response
Make it easy for users to report suspicious messages with a single click. The faster a phishing email or scam is reported, the faster security teams can contain the threat and warn others in the organisation.
Final Thoughts
Message-based vectors are as old as the internet - and they’re not going away anytime soon. As they rely on human vulnerability, there’s no single patch or tool that can stop them entirely.
Attackers will always find new ways to craft convincing messages - but with layered defenses and well-informed users, you can catch and stop most of these threats before any damage is done. One click is all it takes - so make sure your users are trained to think twice.