David Kelleher

Aug 07, 2025


The Anatomy of a Cyber Attack - and how it can drain your bank account

Anyone who has sat through security awareness training knows the standard slide: a suspicious email, a too-good-to-be-true link, and a reminder not to click. All fair enough, yet phishing and business email compromise still cost organisations billions every year.

The truth is, the criminals behind these attacks don’t fire off random spam. They plan, they probe, they adapt and they often succeed because too many defences stop at the inbox.

A real-world example

Picture an ordinary Friday. A finance assistant at Company ABC finds an email from a long-standing supplier asking them to update the bank details for an invoice due that day. Nothing unusual. Branding looks right, the contact name checks out, so the payment goes through.

On Monday, the real supplier chases for payment that never arrived. Meanwhile, the same firm’s accounting platform locks out another user who “reset their password” after following instructions from what turned out to be a fake internal IT email. Two incidents, days apart, both seemingly isolated, but neither was random.

How the Kill Chain actually works

Security teams use the Cyber Kill Chain to break down exactly how an attack like this happens, stage by stage. The original model came from Lockheed Martin back in 2011, borrowed from a military concept about stopping a threat before it hits its target. The same idea applies to cyber threats: the earlier you disrupt the chain, the better chance you have of stopping an attacker before real damage is done.

1. Reconnaissance
This is the groundwork. Attackers start by gathering as much detail as they can about your organisation. They mine LinkedIn for job titles, scan company websites for supplier lists and hunt social media for casual clues. A single LinkedIn post mentioning a new supplier contract might be all they need to craft a believable fake invoice. Some groups even trawl public code repositories to spot who is working on what. The Lazarus Group, for instance, has repeatedly targeted software developers by lurking on code-sharing platforms and watering-hole sites.

2. Weaponisation
Once they have enough detail, the attacker prepares their toolkit. In a phishing scenario, this might be a cloned invoice template, complete with your supplier’s logo and a believable change-of-bank-details notice. More advanced campaigns might embed a macro that only activates inside your network, or a link that drops a Trojan payload.

3. Delivery
Delivery is the method the attacker uses to get that weaponised email or file in front of a target. Phishing remains the easiest route. A spoofed email domain, a carefully timed message and a sense of urgency (“please process this today to avoid a late fee”), and the bait is set. Even when companies have spam filters and domain checks in place, attackers use lookalike domains or hijacked legitimate accounts to slip past.

4. Exploitation
This is the moment the user unwittingly opens the door. The assistant processes the fake invoice and changes the bank details, or the other employee clicks a link that harvests login credentials. In more technical breaches, this stage involves triggering a software vulnerability, for example, an unpatched macro library in Office or a cross-site scripting flaw in a portal link.

5. Installation
If the attack involves malware rather than just social engineering, the malicious file or script then installs itself. It might embed a lightweight backdoor or remote access Trojan, hiding in normal system folders or registry keys to avoid detection. Sophisticated groups design these implants to stay dormant for weeks, quietly watching and collecting more credentials.

6. Command and Control (C2)
At this point, the attacker needs a way to communicate with the compromised machine. The backdoor calls home, usually over normal web traffic so it blends in. Through this channel, attackers can escalate privileges, pivot to other systems or manipulate mailbox rules. For example, they might create a hidden forwarding rule that sends a copy of every invoice email to an external address, an easy way to spot payment opportunities.

7. Actions on Objectives
Finally, the attacker achieves their goal. In a BEC scenario, that usually means money leaves the business bank account and flows through mule accounts into cryptocurrency wallets. In other cases, the objective might be stealing data or deploying ransomware. But the core idea is the same: everything before this point was groundwork to make the final step as smooth as possible.

Where frameworks meet real operations

The Cyber Kill Chain is a good starting point but real attacks rarely follow it in a straight line. That’s where frameworks like MITRE ATT&CK come in. ATT&CK maps out hundreds of real-world techniques - things like “Valid Accounts” or “Spearphishing Link” - that defenders can look for in logs and alerts.

The Diamond Model adds context by tracking the links between the attacker, their tools, their infrastructure and the target. And the Unified Kill Chain ties these ideas together, recognising that attackers might loop back to reconnaissance when they hit a dead end, or chain multiple tactics together in ways the old linear model doesn’t fully capture.

Closing gaps in the real world

If all that sounds theoretical, it isn’t. The same supplier fraud could be blocked by making sure finance staff always verify bank detail changes by phone, not by email alone. Technical controls matter too. Email authentication protocols like SPF, DKIM and DMARC make basic spoofing harder. Multi-factor authentication limits what attackers can do with stolen credentials. Modern Security Operations Centres (SOCs) use MITRE-mapped detection rules, among others, to spot suspicious login locations or sudden mailbox rule changes. And when something does slip through, automated playbooks can suspend an account, quarantine an endpoint or freeze a payment faster than any human alone could manage.
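The two detections named above (a mailbox rule that forwards to an external address, as in the C2 stage, and a sign-in from an unexpected location) are small enough to show as working code. The script below is an added example, not code from the article or from any SOC product. Its audit-log schema, field names, the sample events, the internal domain and the expected-country baseline are all constructed for illustration; real tenant audit logs use different schemas. The ATT&CK technique IDs it attaches to findings are real: T1114.003 (Email Collection: Email Forwarding Rule) and T1078 (Valid Accounts, the technique the article mentions). It goes slightly beyond the text by also flagging "impossible travel", two successful sign-ins from different countries too close together to be one person.

```python
"""Toy SOC detection pass over constructed audit-log lines (added example).

Not the article's or any vendor's code. Log format, field names, sample
events, INTERNAL_DOMAINS and EXPECTED_COUNTRIES are all constructed.
Technique IDs are real MITRE ATT&CK identifiers: T1114.003 and T1078.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"companyabc.example"}  # constructed tenant domain
EXPECTED_COUNTRIES = {"GB"}                 # constructed per-tenant sign-in baseline

# Constructed sample events, one JSON object per line (not real logs).
SAMPLE_LOG = """\
{"ts":"2025-08-01T09:02:11Z","user":"finance.assistant@companyabc.example","event":"SignIn","country":"GB","result":"Success"}
{"ts":"2025-08-01T09:40:05Z","user":"finance.assistant@companyabc.example","event":"New-InboxRule","name":"sync","forward_to":"billing-sync@mail-relay.example","action":"ForwardTo"}
{"ts":"2025-08-01T11:15:43Z","user":"finance.assistant@companyabc.example","event":"New-InboxRule","name":"Sort invoices","forward_to":"ap-team@companyabc.example","action":"ForwardTo"}
{"ts":"2025-08-02T03:12:58Z","user":"it.helpdesk@companyabc.example","event":"SignIn","country":"NG","result":"Success"}
{"ts":"2025-08-02T03:13:30Z","user":"it.helpdesk@companyabc.example","event":"SignIn","country":"GB","result":"Success"}
"""


@dataclass
class Finding:
    ts: str
    user: str
    technique: str  # ATT&CK technique ID the finding maps to
    reason: str


def parse_events(text):
    """One JSON object per non-empty line -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value):
    # Python < 3.11 does not accept a trailing 'Z' in fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def external_forwarding_rules(events):
    """Inbox rules whose ForwardTo target is outside the tenant's own domains."""
    findings = []
    for e in events:
        if e.get("event") != "New-InboxRule" or e.get("action") != "ForwardTo":
            continue
        domain = e["forward_to"].rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            findings.append(Finding(e["ts"], e["user"], "T1114.003",
                f"inbox rule '{e['name']}' forwards mail to external address {e['forward_to']}"))
    return findings


def unexpected_sign_in_locations(events):
    """Successful sign-ins from a country outside the expected baseline."""
    findings = []
    for e in events:
        if e.get("event") != "SignIn" or e.get("result") != "Success":
            continue
        if e["country"] not in EXPECTED_COUNTRIES:
            findings.append(Finding(e["ts"], e["user"], "T1078",
                f"successful sign-in from unexpected country {e['country']}"))
    return findings


def impossible_travel(events, window_minutes=60):
    """Consecutive successful sign-ins by one user from different countries
    closer together than the window (constructed threshold) allows."""
    findings = []
    by_user = {}
    for e in events:
        if e.get("event") == "SignIn" and e.get("result") == "Success":
            by_user.setdefault(e["user"], []).append(e)
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for prev, cur in zip(logins, logins[1:]):
            if prev["country"] == cur["country"]:
                continue
            gap = _ts(cur["ts"]) - _ts(prev["ts"])
            if gap <= timedelta(minutes=window_minutes):
                findings.append(Finding(cur["ts"], user, "T1078",
                    f"sign-in from {cur['country']} only {int(gap.total_seconds())}s after one from {prev['country']}"))
    return findings


def run_detections(text):
    """Run every rule over the log text and return the combined findings."""
    events = parse_events(text)
    return (external_forwarding_rules(events)
            + unexpected_sign_in_locations(events)
            + impossible_travel(events))


if __name__ == "__main__":
    for f in run_detections(SAMPLE_LOG):
        print(f"{f.ts} {f.user} [{f.technique}] {f.reason}")
```

Run against the constructed log it raises three findings: the rule forwarding to mail-relay.example (the internal ap-team rule is correctly ignored), the sign-in from NG, and the GB sign-in 32 seconds later by the same account. In a real SOC each finding would feed the playbook step the article describes (suspend the account, remove the rule, hold the payment) rather than just print.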

One final thought

A phishing email might look like a simple trick, but the operation behind it is anything but. Attackers pick their moment, pick their target and combine human manipulation with technical loopholes. Understanding that chain and putting checks into every stage is how you stop the money leaving the account before it is too late.