Attack Templates

The statistic for recipients opening the email is based on a tracking image embedded within the email. However, many email clients block the automatic download of images, which can make this number less accurate.

Lucy provides a suite of features designed to enhance your understanding of user behavior and system security when interacting with simulated phishing tests. Each option delves into different aspects of the recipient's environment, from browser configurations to network connections, offering valuable insights for cybersecurity awareness and training.

1. Browser Details: This tracks specific details about the browser the recipient is using, such as the browser type, version, and any associated browser extensions. Understanding the browser details can help identify potential security weaknesses or confirm if the browser is up-to-date and configured with security best practices.

2. Firebug Information: Firebug is a popular web development tool. If a user has Firebug installed, it could potentially be used to debug or modify webpages. Tracking whether Firebug or similar tools are present can reveal if there's an increased risk of web-based threats or attacks.

3. Popup Blocker: This checks if the user’s browser is configured to block popup windows. Popups are often used in phishing attacks to deliver malicious content, so knowing whether popup blockers are active can be indicative of the user's level of vulnerability.

4. Geo Location: By determining the geographic location of the user, the organization can assess if there are access patterns from unusual locations that could indicate compromised credentials or other security issues.

5. Social Network: This feature checks for active connections to social networks from the user’s browser. Given that social networks can be platforms for phishing and malware distribution, awareness of such activity can be crucial for understanding the social media risk landscape.

6. Proxy: Identifying whether the user is connected to the internet via a proxy can be important for security. Proxy usage can obscure the true IP address, which could either be a legitimate privacy measure or a method to hide malicious activity.

Send link to Awareness Website Automatically via Email:

This feature dispatches a link to the Awareness Website to a user immediately after they've fallen for a simulated attack. For this functionality to operate correctly, the Awareness Website must be active and published.

Send Awareness By Click Rate

This feature allows you to set a threshold for historical click rate that triggers the sending of an awareness email. For instance, setting it at 50% means a user will receive an awareness email only if they have clicked on at least half of the links presented in previous phishing simulations.

Send Awareness By Success Rate

Similarly, the success rate determines the rollout of awareness training but is based on different successful interactions, not just link clicks, to initiate the e-learning process.

Awareness Delay

Within LUCY, you have the option to set a delay for sending the automated awareness email. This delay ensures that individuals within the same office aren't notified simultaneously about the occurrence of a phishing simulation, which can prevent immediate cross-talk and maintain the integrity of the test environment.

This setting in LUCY determines what is considered a successful attack and subsequently triggers the start of eLearning.

There are four options available for defining success actions. Each option specifies the condition under which eLearning is initiated. For instance, if you select "data submit" as the success action, eLearning will only begin once the user enters data and submits it on a landing page.

Click: triggered when the user clicks on the link in the email.

Data Submit: triggered when the user enters data and submits it on a landing page of the attack.

File Download: triggered when the user clicks on the file download button on the landing page.

File Data Received: triggered when the user executes the file and Lucy received the dummy data.

Collected data encompasses information gathered from web-based phishing simulations, including credentials entered on a fake login page or data transmitted to LUCY from simulated document macros activated by users.

When employing the Double Barrel Attack, the system initially dispatches a "Lure" email with teaser text. Subsequently, the system pauses for a specified duration before sending the actual phishing email. This advanced strategy involves the "Lure" potentially impersonating a known authority figure within your organization, who then endorses the follow-up attack simulation as bait.

The delay for the "Lure" defines, in seconds, the interval between the "Lure" and attack emails for a Double-Barrel Attack.

Another option involves defining login filters to exclusively capture valid logins. For instance, you could specify the domain name in the User Name field or stipulate that passwords must be at least 8 characters long to be accepted by LUCY.

If you wish to validate logins and passwords using regular expressions (via the "Login Regexp" and "Password Regexp" fields in Scenario Settings), please ensure that the login field is named "Login" and the password field is named "Password".

Lucy incorporates a built-in internal mail server (Postfix) as its default method for email delivery. This approach is straightforward and often used due to its direct integration within Lucy. To enhance delivery success, it's advisable to align the server's name with Lucy's Fully Qualified Domain Name (FQDN), potentially using a subdomain designated for mail purposes.

Lucy allows the configuration of an external SMTP server via its general settings. This is particularly useful when aiming to circumvent spam filters that may block emails from new or untrusted IP addresses. Setting up involves adding your mail server details under "Settings -> Common System Settings -> SMTP Servers"; followed by a connection test to ensure proper setup.

This option is ideal if you already have an SSL certificate chain from a trusted certificate authority or if you would like to generate a self-signed certificate.

Option 1: Generate a self-signed Certificate

1. Domain: Enter the domain name for which you want to generate the SSL certificate (e.g., thrivedx.help).

2. Email: Provide a valid email address. This is where Let's Encrypt will send notifications about your certificate, such as renewal reminders.

3. Details: Fill in the Country, State, City, Organization Name, and Organizational Unit. These details are often used in the certificate's subject field and can be important for organizational certificates.

4. Generate: Click on the "Generate Certificate" button to create your self-signed certificate.

Option 2: Upload an Existing Certificate

1. SSL Certificate: Click "Choose File" to browse and select your existing certificate file (usually a .crt or .pem file).

2. SSL Key: Click "Choose File" to upload the private key file associated with your SSL certificate (this is a .key file and must be kept secure).

3. SSL Key Password: If your private key is password-protected, enter the password here.

4. SSL Chain: Click "Choose File" to upload the chain file (also known as the CA bundle or intermediate certificate) if required. This is needed for browsers to trust your certificate by establishing a chain of trust to a root certificate.

5. Wildcard: If you are uploading a wildcard certificate, you would check the "Wildcard" box. Wildcard certificates secure a domain and all its subdomains (e.g., *.example.com).

Our default method, designed for maximum user-friendliness, enables your Lucy server to automatically generate a Certificate Signing Request (CSR) through the integrated Let's Encrypt API. It then submits this request to Let's Encrypt and automatically installs the full certificate chain on your Lucy server.

This process may take up to 5 minutes to complete. Please wait for the "certificate successfully generated" notification before proceeding further.

The Code Mirror Editor is geared towards users with coding expertise. It provides a code-highlighting text editor for direct HTML and CSS manipulation, offering granular control over the content's appearance and structure.

Set custom SMTP headers to meet specific needs. For example, you can add a custom email header to help your SPAM gateway distinguish between actual SPAM and emails sent from LUCY.

• Send emails as plain text.

• Random Email:

  LUCY will generate a random email account with a random sender. The email account will be deleted after the campaign ends.

If you want to catch email replies from your awareness email, LUCY provides two options:

1. Define a Reply-to Header:

   • The Reply-to address is where email replies are directed, rather than the 'From' address. This is useful if the 'From' address cannot receive replies, for example, if you do not control the domain or lack a mail server setup for it. For instance, if the email shows as being sent from "[email protected]" and the recipient clicks reply, the email will be directed to the Reply-to address set in the header, such as "[email protected]". Choose a Reply-to address you have access to.

2. Define a Forward Mail:

   • LUCY can forward incoming replies to a specified email address. This requires setting a DNS entry (MX record) for the sender’s domain that points to LUCY. For example, if you send emails from "[email protected]" and LUCY's IP is 201.35.77.12, you need an MX record like "phishing-test.com MX 10 201.35.77.12". Enter your own custom mail address in the forward mail field (e.g., "[email protected]"). When someone replies to "[email protected]", LUCY receives the email and forwards it to "[email protected]". Note that many registration services offer free mail/DNS packages, allowing you to set up an email forwarder directly at the domain level, eliminating the need for LUCY’s forwarding feature.

DKIM Overview:

DomainKeys Identified Mail (DKIM) enhances email security by attaching a domain name identifier to a message, utilizing cryptographic techniques to validate authorization. This identifier is separate from other message identifiers such as the author's "From" field. DKIM effectively 'signs' emails to verify their origin, helping to identify and prevent spoofed emails. The process involves the sending mail server signing the email with a private key, while the receiving server uses a public key listed in the domain's DNS to verify the signature. Each domain can list multiple DKIM keys in its DNS, but each private key is unique to one mail server.

Setting Up DKIM in LUCY:

1. Enable DKIM:

   • Navigate to "Advanced Email Settings" in the message template of your Attack Scenario. Enable DKIM support and save the changes. A DKIM information box will then appear.

2. DNS Configuration:

   • Copy the provided key and create the corresponding DNS entry. Here’s an example of how to set it up with namecheap.com:

Name: selector._domainkey
Type: TXT
Value: "v=DKIM1; k=rsa; p=[YOUR_PUBLIC_KEY]"

Validate DKIM Setup:

• To confirm your DKIM is working, add an email from a service like dkimvalidator.com to your DKIM test recipient group. Launch the campaign targeting this group, then check the results at dkimvalidator.com. If configured correctly, your setup should match the expected status.

DKIM Header Details: The DKIM signature is added to emails as an RFC2822 header field. Here's a breakdown of the common fields in a DKIM signature:

• b: Digital signature of the email's contents.

• bh: Hash of the email body.

• d: Signing domain.

• s: Selector used for the DKIM signature.

• a: Signing algorithm, typically rsa-sha1.

• c: Canonicalization algorithm for the header and body.

• q: Default query method, usually DNS.

• t: Timestamp of when the email was signed.

• x: Expiry time of the signature.

• h: List of header fields that were signed.

This setup ensures that emails sent through LUCY's mail server are authenticated, boosting trust and security for your email campaigns.