Purple Haze: The SpearPhishing Experience
11-08, 15:30–15:55 (US/Pacific), Blue Day

Someone great once said "pentesting doesn't have to be all dropping exploits and launching shells." I disagree. Not many people truly understand the grueling task of developing a new campaign, designing sick docs, building killer malware, or why the Red Team operates the way they do during a spearphishing campaign to ‘get those shells’. This talk will cover what the Red Team is really doing when they are trying to gain a foothold through social engineering as well as how Blue Teams can leverage this technical insight to combat the dreaded spearphish.


New phishing techniques are always welcome, but one wrong move with one of those techniques and the entirety of your staging infrastructure is burnt, blocked, and reported by the Incident Response team.

I will be going through many steps of trial and error I have experienced while running red team operations and try to drill down to why and how red teamers do things a very specific (opsec safe) way to gain a foothold through spearphishing. The talk will include the following techniques and topics:

  • Network reconnaissance for firewall rules
  • Basic OSINT for the tech stack
  • How advanced threat actors test dropper malware
  • Image injection and text message notifications
  • One-time use tokens for phishing payloads
  • Remote Template injection
  • VBA macros that work and why they work (and maybe some of what no longer works due to pesky EDR)
  • Other phishing techniques that are gaining popularity like Calendar Phishing and Excel 4.0
See also: Slides (633.6 KB)

Jesse Nebling is a senior engineer and operator on an internal Red Team for a Big 4 firm, a guitarist of cult classic band Free Parking!, and an electronic music producer (@bashexplode) based out of Seattle. Jesse was a consultant for over 7 years that has done penetration tests and full scope red team operations for businesses in a ton of industry sectors including quite a few Fortune 100 businesses. Now that he is helping build out a new Red Team, he is refining and developing awesome new tactics and tools for all steps of the killchain.

This speaker also appears in: