
When we talk about phishing, many people still imagine those clumsy emails full of mistakes and easy to trash. The truth, however, is that the attacks that really hurt look nothing like that. They are surgical, credible, and built piece by piece using only public information. And yes, you read that correctly: public.


“We haven’t had any leaks”: a myth that dies hard

During post‑incident analyses, there’s a phrase I hear far too often: “We’ve never had a data breach.” Maybe it’s true. But often, it doesn’t matter.

Attackers don’t need you to have lost data: they just need you to have published enough of it over time. Corporate websites, PDFs, job postings, LinkedIn, PEC addresses, document metadata, suppliers mentioned in footers… all perfect material to reconstruct your ecosystem.

What is normal corporate communication for you is a half‑completed puzzle for a hostile actor.


How an attack is born: not from an email, but from a map

Effective phishing doesn’t start with a click, but with reconnaissance. Always.

An OSINT analyst pieces fragments together and rebuilds the company as a consultant studying it from the outside would:

  • who does what,
  • who handles money, HR, IT,
  • suppliers,
  • the way you communicate,
  • the tools you use every day.

The power isn’t in individual pieces of information, but in their correlation. And that’s where a trivial message becomes credible.


Why targeted phishing works so well

Generic attacks rely on distraction. Targeted ones rely on coherence.

If you receive an email mentioning a real supplier, a real deadline, or a person you actually know, your brain doesn’t raise defenses: it simply continues an already ongoing flow.
And that is exactly what the attacker wants.

Often they aren’t even trying to steal credentials immediately. They want a reply, a conversation, a foothold. From there, they adapt and continue.


The invisible importance of public documents

The documents we publish ourselves are often extremely fertile ground:

  • real signatures,
  • internal formats,
  • references to processes,
  • names of applications,
  • direct email addresses.

For you, they are official communications.
For an attacker, they are perfect templates to start from.


OSINT + Social Engineering = an evolving campaign

Targeted phishing is not a single strike: it’s an evolving campaign.
Every useful piece of information — even a simple “out of office” — becomes part of the puzzle.

In the end, you’re not fighting an email, but an information process.


Why technology alone isn’t enough

SPF, DKIM, DMARC, filters, and MFA all help. Of course.
But they aren’t designed to block messages that perfectly imitate normality.

Many attacks don’t violate technical rules. They violate people’s expectations.
And if you don’t have visibility into what your company exposes, you end up looking for the problem in the wrong place.


What this means for companies

Targeted OSINT‑based phishing doesn’t originate from a major flaw, but from a thousand small public traces accumulated over time.
That’s why continuous processes are needed, not spot checks.

Tools such as:

  • brand protection and domain monitoring (look‑alike, homograph, suspicious subdomains),
  • VIP profile monitoring (not for privacy, but for security),
  • Threat and Cyber Security Intelligence, which identifies weak signals and campaigns in preparation, not just attacks in progress.
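
As an added illustration of the domain monitoring mentioned in the list above (example code, not CYBEROO's or the author's own tooling): a small Python check that decodes punycode, collapses homoglyphs and typosquats, and classifies a sender's domain against a constructed corporate domain, example-corp.com. The trusted set, the edit-distance thresholds and the "last two labels are the registrable domain" rule are assumptions chosen for the example.

```python
import unicodedata

# Constructed for this example: the domains the company legitimately sends from.
TRUSTED_DOMAINS = {"example-corp.com", "example-corp.it"}
# Characters common in look-alike registrations, mapped to the Latin letter they
# imitate (Cyrillic homoglyphs, digits, dotless i). Not an exhaustive table.
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
                             "х": "x", "у": "y", "і": "i", "0": "o", "1": "l",
                             "3": "e", "5": "s", "ı": "i"})

def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so a homograph becomes visible as text."""
    try:
        return domain.lower().strip(".").encode("ascii").decode("idna")
    except UnicodeError:  # already Unicode, or malformed xn--: keep the raw name
        return domain.lower().strip(".")

def skeleton(domain: str) -> str:
    """Collapse confusables so visually identical names compare equal."""
    d = unicodedata.normalize("NFKC", to_unicode(domain)).translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, catching typosquats such as a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain: str) -> str:
    """Assumption: the last two labels are the registrable domain (no public-suffix list)."""
    return ".".join(domain.split(".")[-2:])
TRUSTED_SKELETONS = {skeleton(t) for t in TRUSTED_DOMAINS}

def classify(sender_domain: str) -> str:
    """Return 'trusted' (own domain or a subdomain of it), 'lookalike' or 'unrelated'."""
    raw = to_unicode(sender_domain)
    if registrable(raw) in TRUSTED_DOMAINS:
        return "trusted"
    sk = skeleton(raw)
    for trusted in TRUSTED_SKELETONS:
        name = trusted.split(".")[0]
        if name in sk.split("."):  # own name used as a label of someone else's domain
            return "lookalike"
        reg = registrable(sk)
        if levenshtein(reg, trusted) <= 2 or levenshtein(reg.split(".")[0], name) <= 1:
            return "lookalike"
    return "unrelated"
```

In a monitoring pipeline the same classifier would run over newly registered domains and certificate-transparency logs, not only over inbound sender addresses.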

And then there are people. It’s no longer enough to recognize the “suspicious email.”
The most effective attacks don’t look suspicious: they look normal.
The weak link isn’t the click itself, but the lack of awareness about what the company exposes about itself — often without realizing it.

Analysis by Vasily Kononov – Threat Intelligence Lead, CYBEROO