Whether the attack is targetted or not, there are times when the adversary wants to deploy malware immediately on the endpoint. Often this will be done by getting them to visit a malicious website or attaching a file.

In this use case the adversary has created a LinkedIn profile and sent a very compelling message to their target asking them to click a link.


Step 1 - Setup a Social Media Profile

Use your favorite platform. Sign up for an account.

Step 2 - Get a Malware Domain

When using domains for testing in this lab you can safely add a zone file to your freshdemo/mailanddns /etc/bind directory so that even if someone does click on the link and it bypasses your security the traffic will be sinkholed to your systsems and not the actual malicious sites.

Find a known malicious domain in your favourite threat intel feed. An open one is https://www.malwaredomainlist.com/.

Step 3 - Craft the Message

Write a compelling message to your target and send it.

Spearphish Malware LinkedIn


You can see that the malware delivery broke in this case.

Spearphish Malware Delivery

Step 4 - View the Protection on the NGFW

The log below indicates that the domain clicked from the email was sinkholed. This means that when this target computer was asking what the IP address is of the domain even that traffic was dropped. Because it was sinkholed the real IP of the malicious server will not be known to this client so any attempt to connect by name is prevented.

Spearphished Malware Sinkhole Spearphished Link Sinkhole