by marginalia_nu 1222 days ago
The sophisticated aspect of these types of attacks typically isn't in the technical aspects, but the social engineering involved.

It usually involves meticulous research on the target, what and who they work with, and crafting an email that plausibly looks and sounds like an internal email, one that talks about company business in company language, mentions coworkers, and so on.

Add a note of urgency: make it someone who has discovered that something isn't right, that there's an urgent technical issue at the company, that money is missing from the accounts, or something along those lines, or perhaps dress it up as a memo announcing layoffs at Reddit. If it's an urgent "threat", you tend to tunnel-vision quite hard.

The result is very far removed from how your typical spam emails tend to look.


Cloning an intranet site is also a nice wrinkle that probably trips up a lot of less tech-savvy employees. They are trained to recognize phishing attempts that use replicas of Amazon, Google, Facebook, and other big, well-known public websites, which they mentally categorize as a different thing from their company's internal tools.

It doesn't help that companies have so many internal tools. It seems like once a month I'm asking my team whether the invite to X service is something we're doing or a phish.

This is what interested me. How do you clone an intranet site without gaining access to it?

Yep. We had a charming English fellow at NCC Group in charge of doing this for a living. He had it down to a science, everything from the phrasing to the phishing.