Breaking down the cyberattack lifecycle: Delivery

Nicholas Koken
May 14, 2024

When attacking an organization, adversaries can go through months of preparation and develop a devious weapon to achieve their goals. But, unless they can get it onto a system, then their work is for naught.  

In this blog series, we’re tracking through each aspect of the cyberattack lifecycle so you can learn the best ways to defend your organization. Before this, we tackled weaponization. Our next stage is delivery.

A diagram of a life cycleDescription automatically generated

The process for delivering payloads

Once an attacker’s weapon is assembled, they must get it onto a system. After all, a weapon is only useful when it is available to be interacted with. Building off their understanding and research of the target, an attacker can employ several techniques to put their weapon into the wild.  


One of the most prominent weapon delivery techniques is phishing. Using a variety of different avenues, from email to SMS messages and even LinkedIn DMs, bad actors reach out to individuals posing as legitimate contacts.  

Armed with information gained during the Reconnaissance phase or otherwise appealing to the target’s nature or need, the bad actor establishes rapport and attempts to force the individual to interact with their weapon. Some may even avoid this step altogether, using a disguised password reset email or a similar tactic to avoid directly interfacing with the target. And, of course, phishing attacks can also be carried out in bulk, using eye-catching offers or graphics sent out to a wide group of people. These spray-and-pray tactics are also used to compromise credentials at scale.

Although email security solutions can help with some phishing attempts, others like SMS or LinkedIn fall on the end user to recognize something is amiss. Regular security awareness training can help them to more readily spot phishy messages.

Business Email Compromise (BEC)

An overarching term, BEC includes phishing but also involves trickier methods for defenders to contend with. For example, after a successful phishing attack, an adversary can take control of a user’s email account. Using the account, the adversary can pose as the user, reaching out to other members of the organization to deliver their weapon with even less oversight.  

Again, employee security training is crucial in defending against BEC. Another useful solution for BEC protection is a security information and event management (SIEM) solution. With SIEM, you can ingest login data from email clients and other services that may be attacked through BEC and credential compromise. SIEM then processes that data and alerts on detection rules such as impossible travel and other anomalies to let you know if an account may be compromised.

Search Engine Poisoning / Spoofing

A growing avenue for payload delivery is the use of search engines like Google combined with spoofed links to popular websites. This form of link spoofing is also a key driver in phishing attacks, but the fact that they can show up high in search results gives them an extra level of credibility. Fake sites like twiter[.]com, gooogle[.]com, or others can appear to be legit at first glance, but then route to an attacker’s site where their weapon will instantly download onto the system.

Like before, security awareness training keeps end users alert to the possibility that the websites they see might not be what they appear. Also, using a SASE solution with built-in Secure DNS and content filtering capabilities enables granular control over which sites users can access.

Drive-by Downloads / Malvertising

Attackers love to capitalize on zero-days and other vulnerabilities within popular apps, browser extensions, and operating systems. Depending on the nature of the vulnerability, a bad actor can insert an executable that downloads a payload when the vulnerable system is used. The user thinks they are leveraging the system as normal, but are exposing themselves to attack behind the scenes.

Regular patch management is crucial to defending against vulnerabilities that enable drive-by downloads. An endpoint security solution that combines EDR and NGAV can also identify when these malicious activities occur on a system. Then, the solution can stop any malicious processes in progress to stop payloads from being delivered.

Learn more

Delivery is one of the most critical points in the cyberattack lifecycle. As stated multiple times so far, keeping employees trained on their role in cybersecurity is key to preventing successful deliveries.

Keep reading our blog to learn about each stage in the cyberattack lifecycle, and how a defense-in-depth approach helps you to prevent and defend against new and emerging threats.

Stay up to date

Subscribe to receive the latest insights, news, and updates from Todyl.

Additional reading

Todyl Success Story: IT Haven improves client satisfaction and security through consolidation
Calculating Cyber Risk Appetite
Breaking down the cyberattack lifecycle: Monetization

Todyl updates

Sign-up to get the latest from Todyl sent straight to your inbox.