Attack Campaigns Distribution

EFI supports multiple distribution methods and execution modes for email attack simulations, allowing security teams to tailor campaigns based on the level of control, visibility, and risk they wish to emulate.

Unattended Attack Campaign

The Unattended Attack Campaign mode is used for sending emulated threats without embedding the EVE agent in the payload. This means the system does not collect telemetry about what happens after delivery, even though the payload may still be downloaded, opened, or executed by the user.

  • No endpoint telemetry: Since the campaign does not include the EVE agent, the platform will not track post-delivery activity (e.g., opens, clicks, execution).

  • Validates delivery and SEG filtering: Useful to verify whether emails are delivered, blocked, or quarantined by Secure Email Gateways (SEG) or spam filters.

  • Payloads may still execute: If the user interacts with the email (downloads or opens a file), the payload can execute, but EFI will not capture this behavior.

  • Basic validation approach: Focused on verifying the email pipeline and pre-endpoint controls, not user behavior or endpoint response.

Realistic and Controlled Attack Campaigns

Realistic and Controlled Attack Campaigns simulate adversarial behavior in a safe, observable, and fully instrumented way. These campaigns embed a lightweight version of the EVE agent into the payload, allowing the platform to capture full telemetry from delivery to execution, providing end-to-end visibility of the attack flow.

  • End-to-end telemetry: Tracks every stage of the attack: email delivery, open events, file downloads, payload execution, and endpoint response.

  • Agent-assisted observation: The embedded EVE agent collects data on user interaction and system behavior after the payload reaches the endpoint.

  • Controlled and safe: Payloads are synthetic (non-malicious) and behave like real malware without posing any risk to the environment.

  • Validates multiple layers: Enables validation of Secure Email Gateway (SEG), endpoint protection (EDR/AV), and user interaction all in a single flow.

  • Adversarial simulation: Designed to closely mimic real-world phishing, spoofing, and malware delivery campaigns.

Broadcast

The Broadcast method defines how the simulated threat (synthetic payload) is delivered to the target user. EFI supports three broadcast types:

  • Link

  • Email

  • QR Code

Despite the differences in presentation, all three broadcast types ultimately rely on the same underlying mechanism: a generated attacker URL.

During the build phase of a campaign, EFI automatically generates a unique attacker link. This URL serves as the delivery point for the synthetic payload. Depending on the broadcast method selected, this link is:

  • Embedded into buttons or hyperlinks in a simulated phishing email (Email)

  • Presented directly to the user (Link)

  • Encoded into a scannable QR code (QR Code)

Regardless of format, all three methods point to the same EFI-generated URL, which acts as the payload delivery method.

Payload Delivery and Telemetry

Once the user clicks the link or scans the QR code:

  1. The payload (synthetic file) is downloaded to the endpoint.

  2. If telemetry is enabled (Controlled mode), the platform captures:

    • The click event

    • The file download

    • Any subsequent execution

  3. This information is reported back to EFI, allowing visibility into the interaction and response.

In Unattended mode, EFI records only the click and download, without further telemetry.
