Objective 2.2 | High Priority | 9 min read

Message-Based Vectors

Attack delivery mechanisms using communication channels including email, SMS text messages, and instant messaging platforms. These vectors exploit human trust in communication to deliver malicious content, links, or social engineering attacks.

Understanding Message-Based Vectors

Message-based vectors use communication channels as the delivery mechanism for attacks. Email remains the most common attack vector for both malware delivery and social engineering, but SMS and instant messaging are increasingly exploited.

Why messaging is effective for attackers:

  • People trust messages from known contacts
  • Urgency in messages bypasses careful thinking
  • Links and attachments are expected in business
  • Mobile messaging has fewer security controls
  • Difficult to verify sender identity

These vectors work because they exploit the fundamental purpose of messaging—to communicate and share information—turning that functionality into a security risk.

Why This Matters for the Exam

Message-based attacks are the most common initial access vector for breaches, making this a heavily tested SY0-701 topic. Questions cover attack types, delivery mechanisms, and appropriate defenses.

Understanding these vectors helps with security awareness training, email security configuration, and incident response. Most organizations face daily message-based attack attempts.

The exam tests specific terminology (smishing, vishing) and the ability to identify appropriate controls for different message-based threats.

Deep Dive

Email-Based Attacks

Email remains the primary attack vector for most organizations.

Attack Types via Email:

Phishing

  • Fraudulent emails impersonating trusted entities
  • Goal: Steal credentials, deliver malware, or manipulate actions
  • Mass targeting (spray and pray) or targeted (spear phishing)

Malicious Attachments

  • Documents with macros (Word, Excel)
  • Executable files (.exe, .scr, .bat)
  • Archive files (.zip, .rar) containing malware
  • PDF files with embedded scripts

Malicious Links

  • Links to credential harvesting sites
  • Links to malware downloads
  • Shortened URLs hiding true destination
  • Lookalike domains (typosquatting)

Business Email Compromise (BEC)

  • Impersonating executives or vendors
  • Requesting wire transfers or sensitive data
  • Often no malware—pure social engineering
  • Account takeover or spoofing

Email Attack Indicators:

Indicator | What to Look For
Sender address | Misspellings, wrong domain
Urgency | "Act now," "Immediate action required"
Generic greeting | "Dear customer" instead of name
Links | Hover to check actual URL
Attachments | Unexpected files, macro warnings
Request | Unusual asks (wire transfer, credentials)
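
The indicators in the table above can be checked mechanically by a mail filter or a triage script. The following Python is an added example, not part of the original guide; the trusted domain, phrase lists, extension list and sample message are constructed assumptions.

```python
import re
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed for this example: trusted domain, phrase lists, risky extensions.
TRUSTED = {"example-bank.com"}
PHRASES = {"urgency": ("act now", "immediate action required"),
           "generic greeting": ("dear customer",),
           "request": ("wire transfer", "credentials")}
RISKY_EXT = (".exe", ".scr", ".bat", ".zip", ".rar")
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(msg):
    """Return the names of the indicators from the table that msg trips."""
    hits = set()
    domain = msg["From"].addresses[0].domain.lower()
    if domain not in TRUSTED and any(edit_distance(domain, t) <= 2 for t in TRUSTED):
        hits.add("sender address")  # close to, but not, a trusted domain
    body = msg.get_body(("html", "plain"))
    text = body.get_content() if body else ""
    for name, words in PHRASES.items():
        if any(w in text.lower() for w in words):
            hits.add(name)
    for href, shown in LINK.findall(text):
        shown_host = urlparse(shown.strip()).hostname  # None when text is not a URL
        if shown_host and shown_host != urlparse(href).hostname:
            hits.add("links")  # visible URL and real destination differ
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(RISKY_EXT):
            hits.add("attachments")
    return hits

sample = EmailMessage()  # constructed sample message, not real traffic
sample["From"] = "Security Team <alerts@examp1e-bank.com>"
sample.set_content('<p>Dear customer, immediate action required.</p>'
                   '<a href="http://login.example.net/verify">'
                   'https://example-bank.com/login</a>', subtype="html")
sample.add_attachment(b"constructed", maintype="application",
                      subtype="octet-stream", filename="statement.scr")
```

Calling `triage(sample)` returns every indicator except "request"; a message from the trusted domain with none of these traits returns an empty set.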

SMS-Based Attacks (Smishing)

Smishing is SMS phishing: text messaging combined with social engineering.

Why SMS Is Effective:

  • Higher open rate than email (98% vs 20%)
  • Shorter format limits scrutiny
  • Mobile devices have smaller screens
  • Fewer security controls on mobile
  • Phone numbers feel personal/trusted

Common Smishing Scenarios:

  • Fake bank alerts ("Suspicious activity detected")
  • Package delivery notifications
  • Account verification requests
  • Prize/lottery notifications
  • Government impersonation (IRS, SSA)

Smishing Techniques:

  • Shortened URLs (can't see destination)
  • Urgent language demanding immediate action
  • Phone numbers to call (vishing follow-up)
  • Reply with personal information

Instant Messaging Attacks

Attacks through platforms like Slack, Teams, WhatsApp, Discord, etc.

Attack Methods:

  • Malicious links shared in channels
  • File sharing with malware
  • Account impersonation
  • Social engineering via chat
  • Exploitation of link previews

Why IM Is Vulnerable:

  • Real-time nature encourages quick responses
  • Trust within team/organization channels
  • Integration with other services
  • File sharing capabilities
  • Less scrutiny than formal email

Enterprise IM Risks (Slack, Teams):

  • Compromised accounts post to internal channels
  • External guest access abuse
  • Malicious app integrations
  • Data exfiltration via shared files

Defenses Against Message-Based Attacks

Technical Controls:

Control | Protection
Email filtering | Blocks known malicious content
Spam filters | Reduces attack volume
URL filtering | Blocks malicious links
Attachment sandboxing | Analyzes files safely
DMARC/DKIM/SPF | Email authentication
MFA | Protects if credentials stolen

Administrative Controls:

  • Security awareness training
  • Phishing simulations
  • Clear reporting procedures
  • Verification policies for sensitive requests

User Actions:

  • Verify sender identity
  • Hover over links before clicking
  • Don't enable macros unexpectedly
  • Report suspicious messages
  • Call back on known numbers

How CompTIA Tests This

Example Analysis

Scenario: An employee receives an SMS claiming to be from their bank: "ALERT: Unusual activity detected on your account. Verify your identity immediately: bit.ly/bk-verify"

Analysis - This is Smishing:

Red Flags:

  • SMS from "bank" — Banks typically don't send verification links via SMS
  • Urgency — "Immediately" pressures quick action
  • Shortened URL — Hides actual destination
  • Generic — No specific account details
  • Unexpected — User didn't initiate contact

Attack Goals:

  • Credential harvesting (fake login page)
  • Personal information theft
  • Potential malware download

Correct Response:

  • Don't click the link
  • Don't call numbers in the message
  • Contact bank directly using known number
  • Report to security team
  • Delete the message

Key insight: Legitimate organizations don't send urgent verification links via SMS. Always verify through official channels, not through links/numbers in the message.

Key Terms to Know

message-based vectors, email attacks, phishing, SMS attacks, smishing, instant messaging malware, malicious attachments, spam

Common Mistakes to Avoid

Thinking only email matters—SMS (smishing) and instant messaging attacks are increasingly common and often have fewer defenses.
Trusting internal messaging platforms—compromised accounts can post malicious content in trusted channels.
Assuming spam filters catch everything—targeted attacks often bypass filters because they're crafted to avoid detection.
Ignoring mobile messaging security—mobile devices often lack the security controls present on corporate email.

Exam Tips

Email = Most common attack vector. Know phishing, malicious attachments, and BEC.
Smishing = SMS phishing. Higher open rates than email, fewer controls.
BEC = Business Email Compromise. Often no malware, just social engineering for wire transfers.
DMARC/DKIM/SPF = Email authentication protocols that verify sender legitimacy.
Training + technical controls = Defense in depth for message-based attacks.

Memory Trick

"EIS" - Message Vector Channels

  • Email (most common, most controls)
  • Instant Messaging (real-time, trusted channels)
  • SMS/Text (high open rate, fewer controls)

Attack Type Memory:

  • Phishing = Email (with an 'i' like email)
  • Smishing = SMS (SMS + phishing)
  • Vishing = Voice (Voice + phishing)

Email Defense Stack: "SAD MFA"

  • SPF (sender verification)
  • Attachment sandboxing
  • DMARC/DKIM (email authentication)
  • MFA (protect if credentials stolen)
  • Filtering (URL and content)
  • Awareness training

Test Your Knowledge

Q1. An employee receives a text message claiming their package delivery failed and provides a link to reschedule. This is an example of:

Q2. Which email authentication protocol helps prevent sender spoofing by allowing domain owners to specify which servers can send email on their behalf?

Q3. What makes Business Email Compromise (BEC) particularly dangerous compared to traditional phishing?
