Red Teaming the Adversary: Detecting Weaponized Infrastructure Before the First Phish

Written By Eric Gonzales

As Penetration Testers, we spend a lot of time simulating the adversary. We buy look-alike domains, we warm up IP addresses, and we craft phishing templates. We do this to test if the client's defenses can stop a hypothetical attack.

But what if you didn't have to simulate? What if you could see the infrastructure that the real adversary is building right now, before they even launch their first email?

This is the difference between "Typosquatting" and Pre-Staged Adversary Infrastructure. Most tools stop at finding similar names. To provide real value, we need to detect intent.

The Architecture of a Trap

To understand why standard reconnaissance often fails, let’s look at the infrastructure like a busy financial district.

1. The Legitimate Headquarters (The Client)

This is the real company.com. It has security guards, vault doors, and trusted tellers. Customers know this location and trust it with their credentials.

2. The Vacant Lot (The Typosquat)

This is an empty plot of land at c0mpany.com or company-login.com. Someone has registered it because it looks confusingly similar to the HQ.

  • The Problem: Most security tools stop here. They flag it as a "potential squatter" or a "parked domain." It generates noise, but no urgency.

3. The Fake Pop-Up Branch (The Weaponization)

This is where the threat becomes real. The adversary hasn't just bought the land; they have built a functional replica of the bank.

  • The Fake ATM: They have set up a website that looks 100% identical to the client’s real login portal.

  • The Mail Slot: They have activated MX Records, meaning this fake building can now officially send and receive mail.

The doors aren't open yet. The attack hasn't happened. But the infrastructure is fully built. Detecting this layer is about detecting the capability before the strike.

The Attack Chain: From Setup to Harvest

An attacker uses this pre-staged infrastructure to execute sophisticated Credential Harvesting and Business Email Compromise (BEC) campaigns.

Phase 1: Procurement (The Foundation). The attacker uses automated tools to find available domains (bit flipping, omoglyphs). They register them anonymously and, importantly, set MX records to enable email sending.

Phase 2: Cloning (The Construction) Using tools like Evilginx2 or Gophish, they clone the target's actual login page (Microsoft 365, Okta, VPN). They acquire a free, valid SSL certificate (from Let's Encrypt) so the fake site displays the "secure padlock," thereby establishing false trust.

Phase 3: The Lure & Harvest (The Theft) They send emails from security@c0mpany.com. Because they own the domain and configured the DNS correctly, these emails often pass SPF and DMARC checks. The victim clicks, sees a perfect replica, and enters their credentials. The attacker captures them and immediately redirects the user to the real site to avoid suspicion.

The Chain of Impact

Uncovering pre-staged infrastructure is critical because it is the launchpad for high-impact scenarios:

  • MFA Bypass: Advanced "reverse proxy" kits capture the 2FA code in real-time.

  • Business Email Compromise (BEC): Using the weaponized domain to pose as executives (CEO fraud).

  • Malware Delivery: Hosting fake "browser updates" that install infostealers.

The "Why" for Pen Testers: Validated Threat Intelligence

"We let you 'Red Team' the adversary."

For a Penetration Tester, ThreatNG moves the engagement from "hypothetical risk" to "imminent threat."

  • Infrastructure Validation: We filter the noise. Finding a typosquat is easy. Finding a typosquat with Active MX Records and Cloned Content is finding a loaded gun. We separate the "Squatters" from the "Phishers."

  • Predictive Defense: We detect the setup phase. We give you the chance to tell the client, "We found a fake login portal being built at corp-login-secure.com," so they can block it globally before it goes live.

  • Safe Reconnaissance: We analyze the hosted content automatically. If we see a login form or specific brand keywords on a domain the client doesn't own, we flag it as "High Risk," giving you visual proof without putting your analysts at risk.

Ask Yourself:

  • "Do my current tools differentiate between a 'Parked' domain and a 'Weaponized' domain with active mail servers?"

  • "Can I identify if an adversary has already pre-staged a campaign against us?"

  • "Am I testing the client's defenses against the actual hostile infrastructure targeting them right now?"

Stop just simulating the attack. Start finding the people who are actually planning one.

Eric Gonzales
Next

From Black Box to White Box: Weaponizing Developer Breadcrumbs