The Art of the Badge: A Hard Truth About Physical Security

He walked into the lobby with a fake badge clipped to his shirt. He had bought it online the week before. It was not perfect, and it did not need to be. From a few feet away, it looked close enough: a logo, a name, a photo, and a lanyard. The kind of thing most people glance at for half a second before their brain decides, “Looks fine.”

The post The Art of the Badge: A Hard Truth About Physical Security appeared first on Black Hills Information Security, Inc.

Social Engineering and Microsoft SSPR: The Road to Pwnage is Paved with Good Intentions 

This scenario simultaneously tests identity confirmation tooling (SSPR, MFA, Conditional Access), how users act under pressure, and the organization's ability to detect and follow up on social engineering attacks.

How to Design and Execute Effective Social Engineering Attacks by Phone

Social engineering is the manipulation of individuals into divulging confidential information, granting unauthorized access, or performing actions that benefit the attacker, all without the victim realizing they are being tricked.

Gone Phishing: Installing GoPhish and Creating a Campaign

GoPhish provides a nice platform for creating and running phishing campaigns. This blog will guide you through installing GoPhish and creating a campaign. 

How to Perform and Combat Social Engineering

This article was originally published in the second edition of the InfoSec Survival Guide. Find it free online HERE or order your $1 physical copy on the Spearphish General Store. […]

Red Teaming: A Story From the Trenches

This article originally featured in the very first issue of our PROMPT# zine — Choose Wisely. You can find that issue (and all the others) here: https://www.blackhillsinfosec.com/prompt-zine/ I remember a […]

The Human Element in Cybersecurity: Understanding Trust and Social Engineering 

Human Trust  Most people associated with information technology roles understand the application of technical controls like the use of firewalls, encryption, and security products for defenses against digital threats. Proper […]

Spamming Microsoft 365 Like It’s 1995 

I previously blogged about spoofing Microsoft 365 using the direct send feature enabled by default when creating a business 365 Exchange Online instance (https://www.blackhillsinfosec.com/spoofing-microsoft-365-like-its-1995/). Using the direct send feature, it […]

Dynamic Device Code Phishing 

rvrsh3ll //  Introduction  This blog post is intended to give a light overview of device codes, access tokens, and refresh tokens. Here, I focus on the technical how-to for standing […]

Phishing Made Easy(ish)

Hannah Cartier // Social engineering, especially phishing, is becoming increasingly prevalent in red team engagements as well as real-world attacks. As security awareness improves and systems become more locked down, […]

Podcast: Weaponizing Corporate Intel. This Time, It’s Personal!

Beau Bullock & Mike Felch// Strategically targeting a corporation requires deep knowledge of their technologies and employees. Successfully compromising an organization can depend on the quality of reconnaissance a tester […]

Webcast: Weaponizing Corporate Intel. This Time, It’s Personal!

Beau Bullock & Mike Felch// Strategically targeting a corporation requires deep knowledge of their technologies and employees. Successfully compromising an organization can depend on the quality of reconnaissance a tester […]

Social Engineering – Sometimes It’s Too Easy

Carrie Roberts // A fun story from an adventure in social engineering not too long ago. Thought I’d pass on some things I learned and ways to be more prepared in the […]

Phishing Family Tree Now: A Social Engineering Odyssey

Joe Gray* // You may have heard about a new genealogy tool called Family Tree Now. It is a (seemingly) 100% free tool (more on that later) that allows you to […]

A Marketer’s Lessons in Con Artistry for Good & Learning

Sierra Ward* // Normally I am hidden in the back rooms at BHIS, chipping away at 10 million marketing tasks.  I show up occasionally in webcasts, lurking again in the shadows, […]

Mining Mary’s Social Media Antics for Social Engineering

Christine Sorensen // Let’s talk about Mary. Mary Watson is a girl in her twenties and just graduated from Midtown University with her bachelors in Fashion Merchandising. Mary is now […]
