Phishing attacks remain the most common initial access vector for data breaches affecting small and medium-sized businesses. Yet many organisations still think of phishing as a single event — an employee clicks a bad link, and the damage is done. The reality is far more complex. A successful phishing attack unfolds across multiple carefully orchestrated stages, each building on the last, and each representing a window of opportunity where the attack can be detected and stopped.
TL;DR — Key Takeaways
- Understand every stage of a phishing attack — from reconnaissance to data exfiltration — and learn how to interrupt the kill chain at each step
- Stage 1: Reconnaissance — Choosing the Target
- Stage 2: Crafting the Lure — Building a Convincing Email
Visual Overview
```mermaid
flowchart TD
    A["Reconnaissance"] --> B["Craft Lure"]
    B --> C["Send Phishing Email"]
    C --> D["Victim Clicks Link"]
    D --> E["Fake Login Page"]
    E --> F["Credentials Captured"]
    F --> G["Account Takeover"]
```
Understanding the full anatomy of a phishing attack gives your organisation a critical advantage. When you know what happens at every stage, you can deploy layered defences that catch what earlier controls miss. In this article, we walk through the complete kill chain of a phishing attack, from the attacker's first reconnaissance to the final exfiltration of your data, and show you exactly how to interrupt it at each step.
Stage 1: Reconnaissance — Choosing the Target
Every phishing attack begins long before the first email is sent. During the reconnaissance phase, attackers gather intelligence about your organisation to craft a convincing lure. This stage can last anywhere from a few hours for opportunistic campaigns to several weeks for targeted attacks.
Attackers mine publicly available information including your company website, social media profiles, LinkedIn pages, press releases, and even job postings. Job listings are particularly valuable because they reveal the technologies your organisation uses, the structure of your teams, and the names of hiring managers. LinkedIn provides a ready-made organisational chart showing who reports to whom and who handles financial decisions.
More sophisticated attackers may also search data breach databases for previously leaked credentials associated with your company domain, examine DNS records to identify your email provider, and review public filings or industry directories for partner and vendor relationships.
How to Interrupt This Stage
- Limit public exposure: Audit what information about your organisation is publicly accessible. Remove unnecessary details from job postings, such as specific software versions or internal tool names.
- Monitor for data leaks: Use dark web monitoring to detect if employee credentials have appeared in breach databases, giving you early warning before those credentials are exploited.
- Educate employees about social media: Train staff to be cautious about sharing work details, reporting structures, or upcoming projects on social media platforms.
Stage 2: Crafting the Lure — Building a Convincing Email
Armed with reconnaissance intelligence, the attacker constructs a phishing email designed to bypass both technical filters and human judgement. Modern phishing emails have evolved far beyond the poorly written messages of a decade ago. Today's lures are carefully engineered to exploit trust, urgency, and authority.
The attacker selects a pretext — a believable reason for the recipient to take action. Common pretexts include a request from a senior executive to process an urgent payment, a notification that a shared document requires review, a warning that an account password is about to expire, or a fake invoice from a known vendor. The attacker then registers a lookalike domain or compromises a legitimate email account to send the message from a trusted-looking address.
The email body is crafted to mirror the tone, formatting, and branding of legitimate communications. Attackers frequently copy real email templates from the organisations they impersonate, modifying only the links or attachments. As we explain in our guide to spotting phishing emails, the visual sophistication of these messages makes them increasingly difficult to distinguish from genuine correspondence.
How to Interrupt This Stage
- Implement email authentication: Deploy SPF, DKIM, and DMARC records to prevent domain spoofing and make it harder for attackers to impersonate your organisation.
- Use AI-powered email filtering: Modern email security gateways analyse message content, sender reputation, embedded URLs, and behavioural patterns to detect sophisticated phishing attempts.
- Register common typosquatting domains: Proactively register domains that closely resemble yours to prevent attackers from using them.
Stage 3: Delivery — Getting Past Your Defences
The delivery stage is where the phishing email reaches the target inbox. Attackers use various techniques to evade security filters, including sending emails from compromised legitimate accounts (which have established reputation scores), using URL redirect chains that pass through trusted domains before landing on the malicious page, embedding links in attached PDFs or Office documents rather than directly in the email body, and hosting credential harvesting pages on legitimate cloud platforms like Google Sites, Microsoft Azure, or Amazon Web Services.
Timing also plays a role. Many attackers send phishing emails early in the morning, at the end of the working day, or just before holidays — moments when recipients are more likely to act quickly without scrutinising the message carefully. Some campaigns are timed to coincide with known events, such as tax filing deadlines or software renewal periods, to make the pretext more believable.
How to Interrupt This Stage
- Layer your email security: Do not rely on a single email filter. Combine your email provider's built-in protection with a dedicated secure email gateway for defence in depth.
- Enable external email banners: Configure your email system to display a visible warning on messages originating from outside your organisation.
- Quarantine suspicious attachments: Implement sandboxing for email attachments so that files are detonated in a safe environment before reaching the recipient.
Stage 4: Credential Harvesting — The Moment of Compromise
When a recipient clicks the malicious link, they are taken to a credential harvesting page — a convincing replica of a legitimate login portal. These fake pages often replicate Microsoft 365, Google Workspace, banking portals, or industry-specific SaaS applications with pixel-perfect accuracy. Some even include functioning CAPTCHA challenges and multi-step authentication flows to appear more legitimate.
The victim enters their username and password, which are captured by the attacker's server in real time. Advanced phishing kits use adversary-in-the-middle (AitM) techniques to simultaneously relay the stolen credentials to the legitimate service, capturing not only the password but also the session token generated after multi-factor authentication. This means that even organisations with MFA enabled can be compromised if the phishing kit is sophisticated enough.
After capturing the credentials, many phishing pages redirect the victim to the legitimate service, where they find themselves logged in normally. This seamless redirect means the victim often has no idea their credentials have been stolen.
How to Interrupt This Stage
- Deploy phishing-resistant MFA: Hardware security keys (FIDO2/WebAuthn) are resistant to AitM attacks because the credential is bound to the origin of the legitimate login page; the browser and key will not produce a login response for a lookalike domain, so a proxy page has nothing to relay.
- Use browser-based phishing protection: Modern browsers and endpoint protection tools can detect and block known phishing URLs in real time.
- Conduct regular phishing simulations: Train employees to recognise and report phishing attempts before they click, turning your workforce into an active detection layer.
Stage 5: Account Compromise and Lateral Movement
With valid credentials in hand, the attacker logs into the compromised account — typically within minutes or hours. The first actions are designed to maintain access and avoid detection. The attacker may create email forwarding rules to silently copy all incoming messages to an external address, disable or modify MFA settings, generate application-specific passwords or API tokens for persistent access, and delete any security alert emails that might warn the victim.
From the initial compromised account, attackers perform lateral movement — expanding their access across the organisation. They search the victim's email for messages containing passwords, VPN credentials, or access to other systems. They may send internal phishing emails from the compromised account to other employees, leveraging the trust associated with an internal sender. This is a technique closely related to business email compromise, where the attacker uses a trusted internal identity to authorise fraudulent transactions or extract sensitive data.
How to Interrupt This Stage
- Monitor for suspicious sign-in activity: Configure alerts for logins from unusual locations, impossible travel scenarios (logging in from two distant locations within minutes), or new device registrations.
- Audit mail flow rules regularly: Review email forwarding rules and delegated access permissions across all accounts to detect unauthorised changes.
- Implement conditional access policies: Restrict access based on device compliance, location, and risk level to limit what an attacker can do even with valid credentials.
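The first two controls above can be turned into detection logic. The following added example (not code from the article or from any identity or mail vendor) runs an impossible-travel check over constructed sign-in events and audits constructed inbox rules for external forwarding, flagging the traits that make a rule riskier. The field names, IP addresses, `example.com` domain and coordinates are all assumptions for the example; in a real deployment the events would come from the identity provider's sign-in log and the mail platform's rule export, with geolocation already resolved.

```python
"""Two Stage 5 detections run over constructed sample data.

Added example for this article; it is not code from the article or from
any vendor product. Sign-in events and inbox rules below are constructed,
field names are assumptions, and geolocation is assumed to be resolved
already (real data comes from the identity provider's sign-in log and the
mail platform's rule export).
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

INTERNAL_DOMAINS = {"example.com"}   # assumed company mail domain
MAX_PLAUSIBLE_KMH = 900               # about airliner speed; faster implies impossible travel
FINANCE_WORDS = {"payment", "invoice", "bank", "transfer", "wire"}

# Constructed sign-ins: (user, UTC timestamp, latitude, longitude, source IP)
SIGNINS = [
    ("clerk@example.com", "2024-03-04T08:52:00Z", 51.51, -0.13, "203.0.113.10"),   # London office
    ("clerk@example.com", "2024-03-04T09:15:00Z", 40.71, -74.01, "198.51.100.7"),  # New York, 23 minutes later
    ("clerk@example.com", "2024-03-04T20:00:00Z", 51.51, -0.13, "203.0.113.10"),   # London again, 10.75 h later
    ("cfo@example.com", "2024-03-04T09:00:00Z", 51.51, -0.13, "203.0.113.11"),     # London
    ("cfo@example.com", "2024-03-04T17:30:00Z", 48.86, 2.35, "192.0.2.44"),        # Paris by evening: plausible
]

# Constructed inbox rules in the shape a mail platform might export them.
INBOX_RULES = [
    {"owner": "clerk@example.com", "name": ".", "enabled": True,
     "forward_to": ["ap-archive@mail-example.net"],
     "subject_contains": ["payment", "invoice", "bank", "transfer"], "delete_after_forward": True},
    {"owner": "cfo@example.com", "name": "Board papers", "enabled": True,
     "forward_to": ["assistant@example.com"], "subject_contains": ["board"], "delete_after_forward": False},
    {"owner": "hr@example.com", "name": "Old vendor", "enabled": False,
     "forward_to": ["x@example.org"], "subject_contains": [], "delete_after_forward": False},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins by one user whose implied speed exceeds max_kmh.

    Limit of this check: a residential proxy in the same country, as in the
    article's timeline, keeps the implied speed plausible, which is why the
    rule audit below is needed as well.
    """
    by_user = {}
    for user, ts, lat, lon, ip in events:
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        by_user.setdefault(user, []).append((when, lat, lon, ip))
    alerts = []
    for user, items in by_user.items():
        items.sort(key=lambda e: e[0])
        for (t1, lat1, lon1, ip1), (t2, lat2, lon2, ip2) in zip(items, items[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(lat1, lon1, lat2, lon2)
            if km == 0:
                continue  # same place; nothing to explain
            speed = float("inf") if hours == 0 else km / hours
            if speed > max_kmh:
                alerts.append({"user": user, "from_ip": ip1, "to_ip": ip2, "km": round(km),
                               "hours": round(hours, 2),
                               "kmh": None if speed == float("inf") else round(speed)})
    return alerts


def suspicious_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Flag enabled rules that forward outside the organisation and list the traits that make them riskier."""
    alerts = []
    for rule in rules:
        if not rule["enabled"]:
            continue
        external = [a for a in rule["forward_to"]
                    if a.rsplit("@", 1)[-1].lower() not in internal_domains]
        if not external:
            continue
        reasons = ["forwards to an external address"]
        if {w.lower() for w in rule["subject_contains"]} & FINANCE_WORDS:
            reasons.append("filters on finance keywords")
        if rule["delete_after_forward"]:
            reasons.append("deletes the original, hiding the forward from the owner")
        if len(rule["name"].strip(" .")) <= 1:
            reasons.append("near-empty rule name")
        alerts.append({"owner": rule["owner"], "external": external, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS) + suspicious_rules(INBOX_RULES):
        print(alert)
```

On the sample data only the clerk's London-to-New-York pair and the clerk's forwarding rule are flagged; the CFO's London-to-Paris day and the internal delegation rule pass. Tune `MAX_PLAUSIBLE_KMH` and the keyword set to your own environment, and treat a rule that both forwards externally and deletes the original as a high-priority finding regardless of the keywords it filters on.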
Stage 6: Data Exfiltration — The Attacker's End Goal
The final stage of the attack is data exfiltration — the extraction of valuable information from your organisation. Depending on the attacker's objectives, this may include customer databases and personally identifiable information (PII), financial records and banking details, intellectual property and trade secrets, employee records including tax information, or email archives containing sensitive business communications.
Attackers exfiltrate data through various channels, including downloading files from cloud storage, forwarding emails to external accounts, using legitimate file-sharing services to transfer large datasets, or accessing and exporting records from business applications. The exfiltration is often conducted gradually to avoid triggering data loss prevention alerts, with small batches of data transferred over days or weeks.
This stolen data may be sold on dark web marketplaces, used for further attacks, held for ransom, or leveraged for identity theft and financial fraud. In many cases, the organisation does not discover the breach for weeks or months — long after the data has been monetised.
How to Interrupt This Stage
- Deploy data loss prevention (DLP) tools: Configure DLP policies to detect and block the transfer of sensitive data categories such as financial records, PII, or proprietary documents.
- Monitor file access and download patterns: Track unusual spikes in file access, large downloads, or access to sensitive repositories by accounts that do not normally interact with that data.
- Segment access to sensitive data: Apply the principle of least privilege so that compromising a single account does not grant access to your entire data estate.
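The monitoring control above is easy to state and harder to implement without drowning in false positives. Here is an added example (not code from the article or from any DLP product) that works from constructed file-access records: it builds each user's own download baseline, flags a day that exceeds it, and separately flags the first time a user pulls from a sensitive repository they have no history with. Repository labels, addresses and field names are assumptions for the example.

```python
"""Flag unusual download volume and first-time access to sensitive repositories.

Added example for this article, not code from the article or any DLP
product. The events are constructed sample audit records of the kind a
cloud storage platform exports; field names and repository labels are
assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

SENSITIVE_REPOS = {"Finance/Banking", "HR/Payroll"}   # assumed labels for sensitive shares

# Repositories each user is already known to use (assumed to come from an
# entitlement review or a longer history), so the first-access check does not
# fire on legitimate long-standing users at the start of the log window.
KNOWN_ACCESS = {"finance.director@example.com": {"Finance/Banking"}}

# Constructed events: (user, date, repository, files downloaded that day)
EVENTS = [
    ("clerk@example.com", "2024-02-26", "Finance/AccountsPayable", 4),
    ("clerk@example.com", "2024-02-27", "Finance/AccountsPayable", 6),
    ("clerk@example.com", "2024-02-28", "Finance/AccountsPayable", 5),
    ("clerk@example.com", "2024-02-29", "Finance/AccountsPayable", 7),
    ("clerk@example.com", "2024-03-01", "Finance/AccountsPayable", 5),
    ("clerk@example.com", "2024-03-05", "Finance/AccountsPayable", 6),
    ("clerk@example.com", "2024-03-05", "Finance/Banking", 120),   # bulk pull from a share never used before
    ("finance.director@example.com", "2024-02-26", "Finance/Banking", 3),
    ("finance.director@example.com", "2024-02-27", "Finance/Banking", 4),
    ("finance.director@example.com", "2024-02-28", "Finance/Banking", 5),
    ("finance.director@example.com", "2024-03-01", "Finance/Banking", 4),
]


def daily_totals(events):
    """user -> date -> total files downloaded."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, _repo, files in events:
        totals[user][day] += files
    return totals


def download_spikes(events, min_baseline_days=3, sigma=3.0, factor=5.0):
    """Flag a user-day whose total exceeds the user's own baseline.

    The threshold is the larger of mean + sigma*stddev and factor*mean over that
    user's earlier, unflagged days; the factor guards against a very steady
    baseline making the sigma rule fire on small changes. Flagged days are kept
    out of the baseline so a first spike does not normalise later ones.
    """
    alerts = []
    for user, days in daily_totals(events).items():
        history = []
        for day in sorted(days):
            files = days[day]
            if len(history) >= min_baseline_days:
                mu = mean(history)
                threshold = max(mu + sigma * pstdev(history), factor * mu)
                if files > threshold:
                    alerts.append({"user": user, "date": day, "files": files,
                                   "threshold": round(threshold, 1)})
                    continue
            history.append(files)
    return alerts


def first_time_sensitive_access(events, known=KNOWN_ACCESS, sensitive=SENSITIVE_REPOS):
    """Flag the first day a user downloads from a sensitive repository they have no history with."""
    seen = defaultdict(set)
    for user, repos in known.items():
        seen[user] |= repos
    alerts = []
    for user, day, repo, files in sorted(events, key=lambda e: e[1]):
        if repo in sensitive and repo not in seen[user]:
            alerts.append({"user": user, "date": day, "repo": repo, "files": files})
        seen[user].add(repo)
    return alerts


if __name__ == "__main__":
    for alert in download_spikes(EVENTS) + first_time_sensitive_access(EVENTS):
        print(alert)
```

On the sample data the clerk's 126-file day is flagged against a threshold of 27 (five times a baseline averaging 5.4 files), and the same day raises a first-access alert for `Finance/Banking`; the finance director's steady use of that share raises nothing because it is in the known-access profile. The two checks are deliberately independent: a slow exfiltration spread over weeks, as the article describes, can stay under the volume threshold, so the first-access rule is what catches a compromised account reaching into data it never needed before.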
Real-World Attack Timeline: How Fast It Happens
To appreciate the urgency of detection and response, consider a realistic timeline for a phishing-driven breach targeting a small business:
- Day 1, 8:47 AM: An accounts payable clerk receives an email appearing to come from a known vendor, asking them to verify their identity on a portal to view an updated invoice. The email passes spam filters because it is sent from a compromised legitimate account.
- Day 1, 8:52 AM: The clerk clicks the link and enters their Microsoft 365 credentials on a convincing fake login page. They are redirected to the real Microsoft portal and continue their day, unaware anything has happened.
- Day 1, 9:15 AM: The attacker logs into the clerk's account from a residential proxy IP address, making the login appear to originate from the same country. They create a hidden inbox rule forwarding all emails containing words like "payment," "invoice," "bank," and "transfer" to an external address.
- Day 1 - Day 3: The attacker silently monitors the clerk's email, learning about the organisation's payment processes, vendor relationships, and the names of decision-makers.
- Day 4: Using the clerk's compromised account, the attacker sends a phishing email to two other employees in the finance department, compromising one additional account.
- Day 5 - Day 8: The attacker accesses the shared finance drive, downloads customer payment records and internal banking details, and prepares a fraudulent wire transfer request.
- Day 9: A fraudulent payment of 47,000 pounds is authorised using a spoofed email thread that appears to come from the finance director.
In total, nine days elapsed from initial phishing email to financial loss. At several points during this timeline — the initial click, the suspicious login, the creation of mail rules, the internal phishing, the data download, and the fraudulent payment request — the attack could have been detected and stopped.
Building a Layered Defence: Interrupting the Kill Chain
The most important takeaway from understanding the anatomy of a phishing attack is that no single defence is sufficient. Each stage of the attack represents a different opportunity to detect and respond, and effective security depends on deploying overlapping controls across the entire kill chain.
Your layered defence strategy should include:
- Prevention: Email filtering, domain authentication, phishing-resistant MFA, and employee awareness training to stop attacks before they succeed.
- Detection: Sign-in monitoring, mail rule auditing, data access logging, and anomaly detection to identify compromises quickly when prevention fails.
- Response: A documented incident response plan that enables your team to contain a breach rapidly — revoking compromised credentials, isolating affected accounts, and preserving evidence for investigation.
- Recovery: Secure backups, communication plans for affected customers and partners, and a post-incident review process to strengthen your defences against future attacks.
Regular phishing simulations are one of the most effective ways to test your defences across multiple stages simultaneously. They reveal whether your email filters catch simulated attacks, whether employees recognise and report suspicious messages, and whether your incident response processes function as intended under realistic conditions.
For small businesses that may lack dedicated security teams, understanding this kill chain also helps prioritise investments. If you can only implement a few controls, focus on the stages where interruption has the greatest impact: strong email authentication to prevent delivery, phishing-resistant MFA to prevent credential harvesting, and sign-in monitoring to detect account compromise.
Phishing attacks succeed because they exploit a chain of weaknesses. By understanding every link in that chain, your organisation can build the layered defences needed to break it — stopping attackers before they reach your data, your finances, and your reputation.