What Are the 3 Phases of the Phishing Attack Kill Chain?

One of the primary concerns of cyber security leaders within organizations is phishing attacks. Millions of phishing emails are sent every day, bypassing whatever email security filters are in place. The result: end users not only receive the email in their inbox, but they are urged to take action by clicking on URLs, filling in fraudulent forms, downloading attachments and/or responding with sensitive information.

Phishing emails must go through several steps to be successful and achieve the goal of the attacker. The process of the phishing attack kill chain contains three overarching phases: the threat vector, delivery, and exploitation. Every phishing attack has had the attacker plan their execution of the phishing campaign across these three phases.

So why are phishing attacks still a problem for organization? It is because email security vendors have been focused on the wrong phases.

Only by placing compensating controls at each phase of the phishing attack kill chain can an organization minimize the risk associated with phishing.

Here is what the phishing attack kill chain looks like:

Phase 1: The attacker identifies the available threat vectors to leverage during the phishing attack.

Phase 2: The attacker delivers the malicious email, leveraging the identified threat vectors (URL, attachment, copy) to the user.

Phase 3: The user opens the email and takes action.

In fact, in the 2020 End User Phishing Report, users were only able to identify phishing emails half of the time.

It is only if all three phases have been achieved that the attacker has been successful. So, what can an organization do to minimize the risk across all three phases?

Threat Vectors

A threat vector is a pathway of input an attacker uses to enter the user’s system. In the phishing attack kill chain, the vulnerabilities that exist in email include suspicious websites and URLs, unusual attachments, malware, and unknown or unauthenticated senders, among a few others.

With email being so critical to business communication, it is impossible to simply close the system to eliminate attack vectors. This is one reason some cybersecurity vendors do not really look at the vector phase of the phishing kill chain.

With attack vectors, it is critical to apply compensating controls at the earliest possible point. The earlier in the kill chain these controls are implemented, the better chance there is for attacks to be prevented.

Compensating controls at the vector phase can analyze email headers to see if there is any variation from the normal way emails are received and sent. If there are atypical or anomalous vector(s), it is at this phase where they should be detected, and policies developed to more effectively address risk that is posed by those vectors.


Delivery in the phishing attack kill chain is the function of attempting to send an email to the targeted user(s). To deliver the content to the target, the attacker may use different techniques such as sending spear phishing emails, uploading various applications or software that the user is likely to download without authenticating the source.

At this stage, the email security solution should have identified the anomalous elements of the email, applying compensating controls based on the organization’s risk tolerance. These compensating controls often use a wide range of dynamic user alerts to assist the user in understanding what risks the email has when interacting with it. These take the form of link rewriting, contextual bannering, etc. Or silent quarantine is another compensating control that automatically removes potentially dangerous emails away from the inbox without prompting the user to take any action.


In the exploitation phase, the attacker has successfully made it to the user and is waiting for the user to take some action to achieve the desired goal. These actions can be clicking on a URL, downloading an attachment, entering credential information into a contact form or any number of actions that will give the attacker greater access to the system or information being pursued. Once the user takes the desired action, the attacker either continues the attack or sits in the system unknown to the user.

Compensating controls in the exploitation include mailbox intelligence, which can inform users of a sender’s authenticity and phish reporting which is a way for users to report phishing attempts and gain access to tools that help remove spam. Community threat protection can also be of assistance, using aggregated phishing data to benefit your organization and help identify and detect phishing attacks in real-time. Additionally, if a phish is identified, you should have the ability to do organization-wide search and remediation to immediately quarantine across the entire system.

The risk of sophisticated phishing attacks is high because most email solutions are insufficient when it comes to detecting a significant percentage of anomalous emails before they exploit an organization. This is one reason compensating controls are necessary across the entire phishing attack kill chain.

You will never be able to prevent 100% of all phishing attacks. There is simply no way to get around it. The most important way to break the kill chain is to implement the compensating control at the first phase: the vector phase. But it is possible for organizations to develop a comprehensive and effective plan to protect their email networks.

download arrow graphic

Learn more by downloading the whitepaper: Breaking the Kill Chain: How to Gain Control Over Phishing Attacks

Get Your FREE Email Threat Assessment

Learn what advanced threats are currently getting through your existing email security and into your end users’ mailboxes.