Initial access is how you get the first foothold: a user clicking your phishing link, a password spray landing on a weak account, an exposed service with a known CVE. For most red teams in 2026, initial access is still phishing. This module covers phishing infrastructure, payload delivery, and the alternatives when phishing fails.
The initial access menu in 2026
- Phishing: macro-enabled documents are dead, but HTML smuggling, container files (ISO, VHD, IMG), LNK with embedded payloads, and OAuth consent phishing all work
- Credential stuffing: leaked credentials from breaches reused at your target. Especially productive against external auth portals (VPN, Citrix, Exchange OWA)
- Password spray: single password (Season2026!, Company@2026) tried against every account. Slow enough to avoid lockouts
- Exposed services: vulnerable externally-reachable software. Confluence, Exchange, ManageEngine, old VPN appliances
- OAuth/consent phishing: tricking users into granting a malicious app permissions to their M365 account. Sidesteps MFA
- Supply chain: compromise a vendor who has access. Usually off-scope for red team engagements but worth naming
- Physical / drop attacks: USB drops, rogue access point, badge cloning
Phishing infrastructure
Minimum viable phishing setup:
- Domain: an “aged” domain with reputation — 6+ months of passive existence, some benign web content. Freshly-registered domains are blocked by modern email security
- Sending infrastructure: SPF, DKIM, DMARC correctly set up (so you pass authentication). Warm up the IP gradually
- Payload delivery: link to your site, which serves HTML that delivers the payload — direct attachments are scanned hard
- Redirector tier: cheap VPSes that proxy to your backend C2. Lose a redirector, rotate quickly
- TLS: Let’s Encrypt works, but its certificates have a shorter validity period. A reputable TLS certificate signals “legitimate” to scanners
- Tracking: unique URL per target; log who clicked, what User-Agent, whether they entered credentials
Payload options for 2026
Microsoft disabled VBA macros from internet-sourced docs by default in 2022. Payload delivery shifted:
- HTML smuggling: JavaScript in a web page assembles a binary client-side and triggers download. Bypasses gateway AV that inspects HTTP transfers
- ISO / IMG / VHD containers: Mark-of-the-Web was not propagating through these until recently — still works against unpatched Windows
- LNK files: shortcut files with an embedded PowerShell or cmd.exe command. In a ZIP or ISO to survive email transit
- Browser-in-browser (BITB): phishing login pages that look like OS-native auth prompts. Effective against M365 users
- OAuth consent: the attacker registers an app asking for Mail.Read, Files.Read.All. User consents, attacker has persistent access. No credential theft needed
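OAuth consent phishing (the last bullet above, and the section on it later in this module) leaves a durable artefact on the defender's side: a permission grant for the app's service principal in the tenant. The Python below is an added example, not the module's own material, that triages a list of consent grants for exactly the pattern described here, content-level Graph scopes such as Mail.Read and Files.Read.All consented by an end user to an unverified app. The grants, app IDs and dates are constructed; the scope names are real Microsoft Graph delegated permissions, the risk weights and threshold are this example's own choice, and `would_be_blocked` models the kind of tenant policy that limits self-service consent to verified publishers requesting low-impact permissions.

```python
"""Triage OAuth consent grants for consent-phishing indicators (added example).

The grants below are constructed samples. Scope names are real Microsoft Graph
delegated permissions; the risk weights and threshold are this example's own.
"""
from dataclasses import dataclass, field
from datetime import date

# Delegated permissions that give an app standing access to content.
# offline_access yields refresh tokens, so the grant outlives the session
# and survives a password change (weights are illustrative).
HIGH_RISK_SCOPES = {
    "Mail.Read": 3, "Mail.ReadWrite": 4, "Mail.Send": 3,
    "Files.Read.All": 3, "Files.ReadWrite.All": 4,
    "Contacts.Read": 1, "offline_access": 2,
}
# Low-impact scopes a self-service consent policy can reasonably allow.
LOW_RISK_SCOPES = {"User.Read", "openid", "profile", "email"}


@dataclass
class ConsentGrant:
    app_name: str
    app_id: str                 # placeholder values in the samples below
    publisher_verified: bool
    consent_type: str           # "User" (self-service) or "Admin"
    scopes: list[str]
    granted_by: str
    granted_on: date


@dataclass
class Finding:
    app_name: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def assess_grant(grant: ConsentGrant, today: date) -> Finding:
    """Score one grant; higher means more consistent with consent phishing."""
    finding = Finding(grant.app_name)
    risky = [s for s in grant.scopes if s in HIGH_RISK_SCOPES]
    for scope in risky:
        finding.score += HIGH_RISK_SCOPES[scope]
        finding.reasons.append(f"high-risk scope {scope}")
    if risky and grant.consent_type == "User":
        finding.score += 3
        finding.reasons.append("content access granted by end-user consent, not admin review")
    if not grant.publisher_verified:
        finding.score += 2
        finding.reasons.append("publisher not verified")
    if risky and (today - grant.granted_on).days <= 7:
        finding.score += 1
        finding.reasons.append("granted within the last 7 days")
    return finding


def triage(grants: list[ConsentGrant], today: date, threshold: int = 5) -> list[Finding]:
    """Return findings at or above the threshold, highest score first."""
    findings = [assess_grant(g, today) for g in grants]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


def would_be_blocked(grant: ConsentGrant) -> bool:
    """Model a tenant policy: users may only consent to verified publishers
    asking for low-impact scopes; everything else requires admin consent."""
    if grant.consent_type != "User":
        return False
    return (not grant.publisher_verified) or any(s not in LOW_RISK_SCOPES for s in grant.scopes)


# Constructed sample grants (app_id values are placeholders, not real IDs).
TODAY = date(2026, 3, 2)
SAMPLE_GRANTS = [
    ConsentGrant("Invoice Viewer", "00000000-0000-0000-0000-000000000001", False, "User",
                 ["Mail.Read", "Files.Read.All", "offline_access"],
                 "alice@example.com", date(2026, 2, 28)),
    ConsentGrant("Calendar Sync", "00000000-0000-0000-0000-000000000002", True, "Admin",
                 ["Calendars.Read", "User.Read"], "admin@example.com", date(2025, 11, 3)),
    ConsentGrant("HR Portal", "00000000-0000-0000-0000-000000000003", True, "User",
                 ["User.Read", "openid", "profile"], "bob@example.com", date(2026, 1, 15)),
]


if __name__ == "__main__":
    for f in triage(SAMPLE_GRANTS, TODAY):
        print(f"{f.app_name}: score {f.score}")
        for reason in f.reasons:
            print(f"  - {reason}")
    for g in SAMPLE_GRANTS:
        print(f"{g.app_name}: blocked by consent policy = {would_be_blocked(g)}")
```

The triage surfaces only the Invoice Viewer grant; the policy model shows why it would never have been granted in a tenant that restricts user consent, while the admin-consented and low-impact grants are unaffected. Revoking the grant and the app's refresh tokens, not just resetting the user's password, is what actually ends the access.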
A phishing example — end to end
- Register domain invoice-staging.com 6 months ago; park with static content
- Configure Mailgun or self-hosted Postfix on a VPS; SPF/DKIM/DMARC published
- Recon target via LinkedIn; build list of 30 target emails
- Pretext: “Your Q1 invoice requires action” — tailored to the target’s industry
- Email links to https://invoice-staging.com/view?id=unique-per-target
- Landing page serves an HTML-smuggling payload that assembles a ZIP client-side
- ZIP contains an LNK that launches a PowerShell stager
- Stager downloads an in-memory Cobalt Strike beacon from your redirector
- Beacon calls back to your team server
- You now have initial access on one endpoint
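Seen from the endpoint, the chain above has a recognisable shape: Explorer launches a script host from a freshly extracted archive with a hidden, encoded command line, and that process opens an outbound connection seconds later. The Python below is an added example (not the module's own code) that correlates constructed Sysmon-style process-creation and network-connection events to flag that pattern. The event fields, paths and the `<BASE64-PLACEHOLDER>` command line are constructed; the `Temp1_<name>.zip` working directory is the folder Windows Explorer's compressed-folder handler extracts to when a file is opened straight from an archive, which is an assumption this example relies on.

```python
"""Flag an LNK-style stager chain in Sysmon-like telemetry (added example).

Events are constructed samples (EventID 1 = process create, 3 = network
connect); field names follow Sysmon loosely but this is not a Sysmon parser.
"""
import ipaddress
import re
from datetime import datetime, timedelta

INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line traits that rarely appear in legitimate interactive use.
SUSPICIOUS_ARGS = {
    "encoded command": re.compile(r"-enc(odedcommand)?\b", re.I),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "no profile": re.compile(r"-nop(rofile)?\b", re.I),
    "policy bypass": re.compile(r"\bbypass\b", re.I),
    "download-and-run": re.compile(r"downloadstring|downloadfile|frombase64string|\biex\b", re.I),
}
# Assumption: Explorer extracts to %TEMP%\Temp1_<name>.zip\ when a file is
# opened from inside a ZIP, so a script host starting there came from an archive.
ARCHIVE_CWD = re.compile(r"\\Temp1_[^\\]+\.zip(\\|$)", re.I)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in RFC1918)


def score_chain(events: list[dict], net_window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Return alerts for script hosts launched by Explorer with stager traits."""
    net_by_pid: dict[int, list[dict]] = {}
    for e in events:
        if e["id"] == 3:
            net_by_pid.setdefault(e["pid"], []).append(e)

    alerts = []
    for e in events:
        if e["id"] != 1 or basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        score, reasons = 0, []
        if basename(e["parent_image"]) in INTERACTIVE_PARENTS:
            score += 2
            reasons.append("script host spawned by Explorer (user double-click)")
        for label, pattern in SUSPICIOUS_ARGS.items():
            if pattern.search(e["cmdline"]):
                score += 1
                reasons.append(f"command line: {label}")
        if ARCHIVE_CWD.search(e["cwd"]):
            score += 2
            reasons.append("working directory is an Explorer ZIP extraction folder")
        started = datetime.fromisoformat(e["time"])
        for n in net_by_pid.get(e["pid"], []):
            delta = datetime.fromisoformat(n["time"]) - started
            if timedelta(0) <= delta <= net_window and not is_internal(n["dest_ip"]):
                score += 3
                reasons.append(f"external connection to {n['dest_ip']}:{n['dest_port']} "
                               f"{int(delta.total_seconds())}s after start")
                break
        if score >= 4:
            alerts.append({"pid": e["pid"], "image": basename(e["image"]), "score": score,
                           "severity": "high" if score >= 7 else "medium", "reasons": reasons})
    return alerts


# Constructed sample telemetry for one workstation.
EVENTS = [
    {"id": 1, "time": "2026-03-02T09:14:01", "pid": 4120, "ppid": 1880,
     "image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe", "cwd": r"C:\Users\alice"},
    {"id": 1, "time": "2026-03-02T09:14:07", "pid": 5532, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <BASE64-PLACEHOLDER>",
     "cwd": "C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_Invoice_Q1.zip\\"},
    {"id": 3, "time": "2026-03-02T09:14:09", "pid": 5532,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_ip": "198.51.100.23", "dest_port": 443},
    # Benign: an admin running a cmdlet from an open console.
    {"id": 1, "time": "2026-03-02T09:20:40", "pid": 6010, "ppid": 5900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe Get-Service -Name Spooler", "cwd": r"C:\Users\bob"},
    {"id": 3, "time": "2026-03-02T09:20:41", "pid": 6010,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_ip": "10.0.0.5", "dest_port": 5985},
]

if __name__ == "__main__":
    for a in score_chain(EVENTS):
        print(f"PID {a['pid']} {a['image']} severity={a['severity']} score={a['score']}")
        for r in a["reasons"]:
            print(f"  - {r}")
```

Only the Explorer-spawned PowerShell is flagged; the admin's console session scores nothing because its parent, command line and destination are all ordinary. Scoring several weak signals together, rather than alerting on any one of them, is what keeps this usable on a fleet where PowerShell is launched thousands of times a day.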
Password spray — the quiet option
Password spray avoids lockouts by trying one password across many accounts. Effective when the organisation uses default passwords, seasonal passwords, or has no MFA on public auth portals.
# MSOLSpray — Azure/M365 password spray
msolspray users.txt 'Spring2026!'
# Spray at a realistic pace: 1 attempt per account per hour, during business hours
# Smart-lockout thresholds at most orgs don't trigger at this pace
Build the user list from OSINT: LinkedIn scraping, inferring the email format (firstname.lastname@company.com), and harvesting from breach data.
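From the defender's side, the spray described above has a distinctive signature in sign-in logs: one source (or one user agent, when the source IPs rotate) produces failures across many distinct accounts with very few attempts per account, which is the inverse of a user mistyping their own password. The Python below is an added example, not part of this module, that parses constructed sign-in log lines, flags that pattern over a 24-hour window so a one-attempt-per-hour pace is still caught, and lists any success from the spraying source. The log lines, addresses and account names are constructed; the thresholds are this example's own.

```python
"""Detect a low-and-slow password spray in sign-in logs (added example).

The log below is a constructed sample in a simple CSV layout:
timestamp,user,source_ip,user_agent,result
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG = """\
2026-03-02T08:00:11,alice@example.com,10.1.2.3,Mozilla/5.0 (Windows NT 10.0) Edge,FAIL_BAD_PASSWORD
2026-03-02T08:00:25,alice@example.com,10.1.2.3,Mozilla/5.0 (Windows NT 10.0) Edge,FAIL_BAD_PASSWORD
2026-03-02T08:00:38,alice@example.com,10.1.2.3,Mozilla/5.0 (Windows NT 10.0) Edge,FAIL_BAD_PASSWORD
2026-03-02T08:00:51,alice@example.com,10.1.2.3,Mozilla/5.0 (Windows NT 10.0) Edge,SUCCESS
2026-03-02T08:05:02,j.smith@example.com,203.0.113.5,python-requests/2.31,FAIL_BAD_PASSWORD
2026-03-02T08:19:44,m.chen@example.com,203.0.113.5,python-requests/2.31,FAIL_BAD_PASSWORD
2026-03-02T08:33:10,p.okafor@example.com,203.0.113.5,python-requests/2.31,FAIL_BAD_PASSWORD
2026-03-02T08:47:58,s.ivanova@example.com,203.0.113.5,python-requests/2.31,FAIL_BAD_PASSWORD
2026-03-02T09:02:31,r.patel@example.com,203.0.113.5,python-requests/2.31,FAIL_BAD_PASSWORD
2026-03-02T09:16:05,l.garcia@example.com,203.0.113.5,python-requests/2.31,FAIL_BAD_PASSWORD
2026-03-02T09:30:22,h.foster@example.com,203.0.113.5,python-requests/2.31,SUCCESS
2026-03-02T09:44:49,d.nguyen@example.com,203.0.113.5,python-requests/2.31,FAIL_BAD_PASSWORD
2026-03-02T09:58:13,k.muller@example.com,203.0.113.5,python-requests/2.31,FAIL_BAD_PASSWORD
2026-03-02T10:12:00,bob@example.com,10.1.2.9,Mozilla/5.0 (Macintosh) Safari,SUCCESS
"""


def parse_log(text: str) -> list[dict]:
    """Parse the constructed CSV layout into event dicts with datetime stamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, agent, result = line.split(",", 4)
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "source_ip": ip, "user_agent": agent, "result": result})
    return events


def detect_spray(events: list[dict], key: str = "source_ip",
                 window: timedelta = timedelta(hours=24),
                 min_users: int = 5, max_per_user: int = 2) -> list[dict]:
    """Alert when one source fails against many accounts with few tries each.

    A typo-prone user produces many failures for ONE account; a spray produces
    one or two failures for MANY accounts, so both conditions are required.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key]].append(e)

    alerts = []
    for k, evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["result"] != "SUCCESS"]
        start, best = 0, None
        for end in range(len(fails)):
            # Slide the window so it spans at most `window` of failures.
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best):
                    best = per_user
        if best is None:
            continue
        alerts.append({
            "key": k,
            "distinct_users": len(best),
            "attempts": sum(best.values()),
            # Any success from a spraying source is a probable compromise.
            "hits": sorted({e["user"] for e in evs if e["result"] == "SUCCESS"}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(LOG)):
        print(f"{alert['key']}: {alert['distinct_users']} accounts, "
              f"{alert['attempts']} attempts, successes for {alert['hits']}")
```

Grouping by `source_ip` catches the single-host spray in the sample; passing `key="user_agent"` groups the same events by client string, which is the fallback when an attacker rotates through many addresses. The `hits` list is the set of accounts to reset and investigate first, and the absence of MFA on that portal is the finding to take back to the organisation.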
OAuth consent phishing
Register a malicious Azure app, request scopes like Mail.Read, send target a consent link:
🔐 Intermediate Module · Basic Tier