Module 2 · Initial Access — Phishing & Beyond

Manish Garg, Associate of (ISC)² · RingSafe
Apr 22, 2026

Last updated: April 29, 2026

Phishing infrastructure, HTML smuggling, password spray, OAuth consent, and exposed-service exploitation.

Initial access is how you get the first foothold: a user clicking your phishing link, a password spray landing on a weak account, an exposed service with a known CVE. For most red teams in 2026, initial access is still phishing. This module covers phishing infrastructure, payload delivery, and the alternatives when phishing fails.

The initial access menu in 2026

  • Phishing: macro-enabled documents are dead, but HTML smuggling, container files (ISO, VHD, IMG), LNK files with embedded payloads, and OAuth consent phishing all work
  • Credential stuffing: leaked credentials from breaches, reused at your target. Especially productive against external auth portals (VPN, Citrix, Exchange OWA)
  • Password spray: a single password (Season2026!, Company@2026) tried against every account, slowly enough to avoid lockouts
  • Exposed services: vulnerable, externally reachable software such as Confluence, Exchange, ManageEngine, and old VPN appliances
  • OAuth/consent phishing: tricking users into granting a malicious app permissions to their M365 account. Sidesteps MFA
  • Supply chain: compromise a vendor who has access. Usually off-scope for red team engagements but worth naming
  • Physical / drop attacks: USB drops, rogue access point, badge cloning
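
On the defensive side, the password-spray entry above has a recognizable log shape: one source failing against many distinct accounts, with only one or two attempts per account, spread over hours. The sketch below is an added example, not part of the original module; the event tuple layout, the thresholds, and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, username, outcome).
# 203.0.113.10 fails against a new account every 30 minutes (spray shape);
# 198.51.100.7 hammers one account (brute force, a different pattern);
# 192.0.2.44 is a user who mistyped a password once.
SAMPLE_EVENTS = (
    [(f"2026-04-20T{8 + i // 2:02d}:{(i % 2) * 30:02d}:00",
      "203.0.113.10", f"user{i:02d}", "FAIL") for i in range(12)]
    + [(f"2026-04-20T09:00:{i:02d}", "198.51.100.7", "admin", "FAIL")
       for i in range(20)]
    + [("2026-04-20T09:15:00", "192.0.2.44", "asha", "FAIL"),
       ("2026-04-20T09:15:20", "192.0.2.44", "asha", "OK")]
)

def detect_spray(events, window=timedelta(hours=24),
                 min_accounts=10, max_per_account=2):
    """Return {source: sorted usernames} for sources matching the spray shape.

    A source is flagged when, inside one sliding window, it failed against
    at least min_accounts distinct users and no user saw more than
    max_per_account failures (i.e. it stayed under a lockout threshold).
    """
    fails = defaultdict(list)  # source -> [(time, user), ...]
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            fails[src].append((datetime.fromisoformat(ts), user))

    flagged = {}
    for src, rows in fails.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans <= `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in rows[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                flagged[src] = sorted(per_user)
                break
    return flagged

if __name__ == "__main__":
    print(detect_spray(SAMPLE_EVENTS))                            # long window
    print(detect_spray(SAMPLE_EVENTS, window=timedelta(hours=1)))  # too short
```

With a one-hour window the slow source never accumulates enough distinct accounts, which is why lockout-style counters with short reset periods miss this pattern.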