How can we turn a hacker’s toolkit against them?

Jack Chapman | 4th Aug 2022

Hackers use many tools at each stage of an attack. These tools are often readily available online, both free of charge and to buy, and easy to use for non-technical cybercriminals.

Understanding a hacker’s tools and tactics is essential for cyber security practitioners and vendors aiming to build effective defenses and stay one step ahead of a quickly evolving host of cyber threats.

For example, while attackers can change the content, graphics, and payloads of a phishing email, the right technology can detect the telltale signs in its underlying structure, its context, and delivery mechanism.

The Egress Threat Intelligence team analyzes thousands of phishing emails and investigates ways to reverse engineer repeatable elements against hackers.  

We recently shared how all this works in an on-demand webinar hosted by TechForge

What’s in an attacker’s toolkit?

Different tools are used at each stage of the cyber kill chain. As an email security vendor, our threat intelligence research focuses primarily on the first three stages: reconnaissance, weaponization, and delivery. Ultimately, if we can detect and prevent an attack at delivery (a phishing email), we kill it earlier within the kill chain to help keep our customers safe.

And by understanding the intricacies of these stages, you too can start to think like a hacker, prepare for the tactics they use, and implement stronger defenses.


This is the first stage of the kill chain, where a bad actor sets out their objectives, finds a target and researches them.

There are a variety of tools that make it easier for bad actors to search for targets within your organization and assess their likelihood of falling for an attack. These range from Google, marketing contact databases and social media sites, to email trackers that can show whether a recipient has interacted with an email.

Finally, a bad actor can use a variety of free and paid-for tools to assess a company’s email security system and its defenses. This enables them to understand any existing vulnerabilities that can be exploited and try to craft their attacks to evade detection and enabling them


After reconnaissance, the next step is crafting the phishing email – which can contain a malicious payload, or be payloadless and rely on social engineering.

Phishing kits can be used to create spoofed websites to steal a target’s credentials, steal multi-factor authentication (MFA) tokens, and evade detection from security technology.

The more expensive kits will include tactics to evade detection by cybersecurity technologies, including:

  • HTML obfuscation techniques using encryption, encoding, and whitespace
  • IP address blocklists to identify and block connections from security vendors attempting to scan the webpage for signs of a threat
  • User agent blocking (again to identify and block connections from known security crawlers)
  • Use of compromised or legitimate sites for hosting


Once a target has been found and an email has been weaponized, the next function of the toolkit is to help an attacker evade both email security and the scrutiny of the human recipient once it’s delivered.

Using a compromised email account to send phishing emails makes it less likely they’ll be detected by email security solutions. But when a bad actor doesn’t have access to a compromised account, they can rely on various tools to get their attack into the organization. These include legitimate email sending tools, such as those used for marketing and communication purposes, burner email addresses, and free webmail accounts. Additionally, impersonation attacks can leverage the organization’s own tools (Microsoft Azure AD and Outlook) to add authenticity to an attack

Turning a hacker’s toolkit against them: Watch the on-demand webinar for more

Egress’ VP of Threat Intelligence Jack Chapman and Senior Director of Global Market Strategy Duncan Mills recently walked through the various tools that support the first three stages of the cyber kill chain: reconnaissance, weaponization, and delivery.

Jack and Duncan cover ways to defend against these tactics, including best practice on security awareness training, impersonation protection policies, and keeping applications as secure as possible.

You’ll also learn how the right defense-in-depth can protect an organization against the full spectrum of email threats, including how advanced technologies can detect the most sophisticated payloadless attacks that have been carefully designed to evade secure email gateways and native cloud email security.

Watch the webinar on-demand here.