How a Multi-Stage Cyber-Attack Works

Multi-stage, or hit-and-run attacks, are a common way that cyber criminals approach their victims. And, increasingly, complex organisations are the targets.

First Published 26th May 2020

How a Multi-Stage Cyber-Attack Works

Well-designed attacks come in waves.

4 min read  |  Reflare Research Team

Many sophisticated cyber-attacks have multiple stages.

What many regular people don’t realize is that this is often also true for attacks targeting them. In this briefing, we will construct a hypothetical attack scenario. It is explicitly not recounting an actual attack (albeit it is quite likely that someone is executing such an attack right now) but building a scenario to illustrate how multi-stage attacks may affect you.

Stage 1: A data breach

Data breaches often form the basis of attacks against end-users. The data gleaned from them can provide email addresses, names, and other contextual information. For example, the recent Easyjet breach saw varying amounts of data belonging to nine million users get exposed. While a minority of users had their credit card information accessed, the majority only seem to have had less critical information affected.

The context: A pandemic

Since the COVID-19 pandemic is the central event in most people’s lives at this point in time, many attackers will choose to use it in their schemes. From scam emails claiming to be from the WHO to phone calls claiming to offer government assistance, the panic caused by COVID-19 leaves a lot of openings for attackers to exploit.

According to Google, their email systems alone are blocking 18 million COVID-19 related scam emails every single day.

Stage 2: A phishing scam

Now an attacker will look for ways to tie the information gathered in stage 1 into the current context to maximize the success of a stage 2 attack. For example, phishing attacks are much more successful when they contain information that is specific to the user and has some sort of emotional impact.

Many people with booked flights later in the year are currently uncertain if their flights will be cancelled. Airlines are currently sending out legitimate emails every week informing customers that their flights are cancelled, confirmed, or still undecided. An attacker with access to a large set of email addresses, names, and flight data can easily tie all of this together for a highly efficient phishing attack.

For example, they could generate emails containing the victim’s real name and flight details and letting them know that updates on their flight status are available if they log in through a prepared link. Such an attack can be used to steal credentials which are then leveraged in a third stage.

Alternatively, users may be offered “flight insurance” at a seemingly great value. “Pay $25 now and if your flight gets canceled, we will refund you 300% of the flight value.” Users can then either be charged directly for the stated amount or the credit card details can be saved for a stage 3 attack.

The possibilities are endless and while most users are at this point able to detect an untargeted phishing scam, targeted attacks have success rates that can reach in excess of 50%. At 9 million potential targets, there is an impressive amount of money potentially to be made.


Multi-stage cyber attacks are the norm in corporate or governmental environments where hurdles are high. However, they are also increasingly deployed against regular users. This briefing is meant to act only as an example. Real-world attacks will always depend on what data can be gathered from the first stage and what the current context is.

Subscribe by email