
Delivery phase in the Kill Chain

The Delivery Phase in the Cyber Kill Chain: How Attacks Reach Their Targets

In cybersecurity, understanding how threats move from planning to execution is essential. The Cyber Kill Chain, developed by Lockheed Martin, remains one of the most valuable frameworks for identifying, analyzing, and stopping cyberattacks before they cause harm. It divides an attack into seven phases — Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives.

Among these, the Delivery phase serves as the crucial bridge between preparation and action. It’s the point where an attacker takes the weaponized payload — created in the previous stage — and sends it to the target system. For defenders, understanding this step is vital because it’s often the last chance to intercept a threat before exploitation begins.

What Is the Delivery Phase?

The Delivery phase is all about transmitting the malicious payload to its target. In other words, it’s how the attack physically arrives. This can occur through several channels, both technical and human. Common delivery vectors include:

  • Phishing emails containing malicious attachments or links
  • Drive-by downloads from compromised websites
  • Removable media such as infected USB drives
  • Exploited network services (e.g., open ports or misconfigured servers)
  • Social engineering that tricks victims into executing a malicious file

Attackers choose their delivery method based on reconnaissance findings — how the target communicates, what software is used, and which entry points appear weakest.

In short, if the Weaponization phase builds the cyber weapon, the Delivery phase is how that weapon is launched.

How the Delivery Phase Works

The delivery process often begins with social engineering — manipulating human behavior to bypass technical defenses. For example, an attacker might send a well-crafted email appearing to come from a trusted contact or a legitimate company. The message may ask the recipient to open an invoice, download a report, or click a link to reset a password.

Behind that innocent-looking request lies the weaponized payload — perhaps a malicious macro, a hidden script, or a remote access trojan (RAT). Once the user interacts with the file or link, the next phase, Exploitation, begins, triggering code execution and compromising the system.

In more advanced attacks, the delivery vector might be automated. For example, compromised websites can host malicious JavaScript or exploit kits that automatically deliver malware when a user visits them. In other cases, attackers use watering-hole attacks, infecting websites frequently visited by employees of a specific organization to increase the chance of compromise.

Common Delivery Methods

Phishing and Spear-Phishing Emails
Still the most common delivery technique worldwide, phishing campaigns are designed to deceive users. Spear-phishing, a targeted form, personalizes messages to increase success rates.

Malicious Attachments
Files like PDFs, Office documents, or compressed archives (.zip, .rar) may hide scripts or macros that execute upon opening. Attackers often disguise them as business documents, HR forms, or invoices.

Malicious URLs
Instead of attachments, some emails or messages include links that redirect to compromised or fake websites hosting malware.

Exploiting Network Services
Attackers can deliver payloads directly through vulnerabilities in exposed applications or unpatched servers, bypassing human interaction altogether.

Removable Media
The classic “infected USB” method still works. It relies on curiosity or convenience — users plugging an unknown device into their computer without realizing the danger.

Detecting and Preventing Delivery Attacks

Because delivery is a visible stage — data must physically reach the target — defenders have multiple opportunities to detect and block it. Effective countermeasures include:

Email Security Gateways
Modern email filters scan attachments and links in real time using signature analysis, sandboxing, and heuristic detection. They’re the first barrier against phishing-based delivery.

Web Filtering and DNS Protection
Blocking known malicious domains or IP addresses prevents users from visiting dangerous websites, reducing drive-by infection risks.
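The following Python script is an added example, not code from the original article or from any gateway product. It performs simplified versions of the checks that an email security gateway and a web/DNS filter apply at the delivery stage: a mismatch between the displayed sender domain and the envelope sender or Reply-To, inspection of Office attachments for an embedded VBA macro project (OOXML files are zip archives, and a macro project is stored as vbaProject.bin), and every link in the body checked against a domain denylist. The denylist, the extension lists, the addresses and the sample message are all constructed for this example.

```python
"""Gateway-style triage of one inbound message (added example; all data constructed).

Simplified stand-ins for three checks a secure e-mail gateway and a web/DNS
filter perform on delivery: envelope/header sender mismatch, inspection of
Office attachments for a VBA macro project, and links checked against a
domain denylist. The denylist, extension lists and every address below are
assumptions made up for this example.
"""
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

BLOCKED_DOMAINS = {"invoice-portal.example", "secure-login.example"}  # constructed denylist
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".js", ".vbs", ".hta", ".lnk", ".iso"}
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def domain_of(header_value) -> str:
    """Lower-cased domain of an address header value ('' when absent or unparsable)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def has_vba_project(blob: bytes) -> bool:
    """OOXML files are zip archives; a VBA macro project is stored as .../vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_message(raw: bytes) -> list[str]:
    """Return findings for one raw RFC 5322 message; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender checks: the domain shown to the user vs. the envelope sender and Reply-To.
    from_dom = domain_of(msg.get("From"))
    envelope_dom = domain_of(msg.get("Return-Path"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"sender mismatch: From={from_dom} Return-Path={envelope_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to mismatch: From={from_dom} Reply-To={reply_dom}")

    # 2. Attachment checks: risky extensions and macro projects hidden in Office files.
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(name)[1].lower()
        data = part.get_payload(decode=True) or b""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {name}")
        if ext in OOXML_EXTENSIONS and has_vba_project(data):
            findings.append(f"macro project inside attachment: {name}")

    # 3. Link checks: every URL in the text body against the denylist.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in BLOCKED_DOMAINS:
            findings.append(f"denylisted link: {host}")
    return findings


def build_sample_message() -> bytes:
    """Construct a phishing-style message for the demo (names and domains are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # minimal OOXML-like archive with a fake macro project
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <billing@corp.example>"
    msg["Return-Path"] = "<bounce@mailer-xyz.example>"
    msg["Reply-To"] = "billing@corp-example.example"
    msg["To"] = "finance@corp.example"
    msg["Subject"] = "Overdue invoice 4471"
    msg.set_content("Invoice attached. Pay online at https://invoice-portal.example/pay")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice_4471.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

Run as-is, the sample message produces five findings (sender mismatch, Reply-To mismatch, risky attachment type, macro project inside the attachment, denylisted link); a plain internal message with no attachments and an internal link produces none. A production gateway layers sandbox detonation and reputation feeds on top of static checks like these, but the three signals shown are the ones most often available without executing anything.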

Endpoint Detection and Response (EDR)
EDR tools monitor endpoint behavior to identify suspicious file downloads or execution patterns associated with malicious delivery.
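As an added example (not code from the original article or from any EDR product), the script below shows the shape of two endpoint rules that catch delivery-stage activity the moment a user opens a malicious attachment: an Office application or PDF reader spawning a script host, which is what a malicious macro typically does, and a binary launched from a user-writable folder such as Downloads or Temp. The event schema, the image-name lists and the four sample process-creation events are constructed for this example.

```python
"""Endpoint detection over constructed process-creation events (added example).

Models two rules an EDR agent can evaluate for delivery-stage activity: an
Office or PDF reader spawning a script host, and a binary launched from a
user-writable folder. The event schema, image names and sample events are
constructed for this example and do not come from any particular product.
"""
from dataclasses import dataclass
import ntpath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


@dataclass
class ProcessEvent:
    ts: str            # ISO-8601 timestamp
    host: str
    parent_image: str  # full path of the parent process
    image: str         # full path of the newly created process
    cmdline: str


def evaluate(event: ProcessEvent) -> list[str]:
    """Return the names of the rules that match a single event."""
    parent = ntpath.basename(event.parent_image).lower()
    child = ntpath.basename(event.image).lower()
    hits = []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if child.endswith(".exe") and any(h in event.image.lower() for h in USER_WRITABLE_HINTS):
        hits.append("exec_from_user_writable_path")
    return hits


def scan(events) -> list[tuple[str, str, list[str]]]:
    """Run every rule over a stream of events; return (timestamp, host, rule names) per alert."""
    alerts = []
    for event in events:
        hits = evaluate(event)
        if hits:
            alerts.append((event.ts, event.host, hits))
    return alerts


# Constructed sample: a macro-enabled document opened on ws-17, followed by a dropped binary.
SAMPLE_EVENTS = [
    ProcessEvent("2024-01-01T09:00:01Z", "ws-17", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" /n "Invoice_4471.docm"'),
    ProcessEvent("2024-01-01T09:00:09Z", "ws-17",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe <constructed placeholder>"),
    ProcessEvent("2024-01-01T09:00:12Z", "ws-17",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Users\jdoe\AppData\Local\Temp\upd.exe", "upd.exe"),
    ProcessEvent("2024-01-01T09:05:00Z", "ws-22", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for ts, host, rules in scan(SAMPLE_EVENTS):
        print(ts, host, ", ".join(rules))
```

Over the sample stream, only the Word-to-PowerShell event and the execution from the Temp folder raise alerts; the benign Word launch and the Notepad launch do not. Parent-child relationships are the key signal here: the same PowerShell process started by a user from a shell would not match the first rule, which keeps the alert volume manageable.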

User Awareness Training
Since many delivery attempts rely on human error, ongoing cybersecurity training is essential. Employees should learn to spot phishing emails, check sender authenticity, and avoid clicking unknown links.

Patch Management and Hardening
Reducing the number of exploitable vulnerabilities limits the success rate of automated or network-based delivery methods.

Delivery in Ethical Hacking and Penetration Testing

For ethical hackers and penetration testers, simulating the delivery phase is a controlled, educational exercise. The goal is to test how well an organization’s defenses handle realistic attack scenarios.

During authorized tests, penetration testers might send harmless simulated phishing emails or create benign payloads using tools like Metasploit or MSFVenom. These payloads are designed to demonstrate the delivery process without causing real damage. The results help identify weak spots in email filtering, endpoint protection, and human behavior.

By understanding the delivery mechanisms, defenders can fine-tune their incident response procedures and patch vulnerabilities before real attackers exploit them.

Real-World Example of Delivery

A well-known example is the Emotet malware campaign. It began with phishing emails that looked like legitimate financial notifications. Once the victim opened the attachment, the malicious document downloaded a payload that spread laterally through the network. Emotet then delivered additional malware like ransomware — demonstrating how powerful the delivery phase can be when defenses fail.

Why the Delivery Phase Matters

The Delivery phase is often the last defensive checkpoint before an attack becomes active. Stopping the threat here prevents exploitation, installation, and data loss. Security teams must focus on detection, filtering, and awareness, combining technical controls with human vigilance.

Cybersecurity isn’t only about technology — it’s also about behavior. Even the best firewalls can’t protect a user who willingly opens a malicious file. Recognizing delivery tactics helps bridge that gap, turning employees into the first line of defense instead of the weakest link.

Final Thoughts

The Delivery phase of the Cyber Kill Chain represents a pivotal moment in any cyberattack. It’s where planning meets execution, and where defenders still have the chance to stop the threat before damage occurs.

By investing in layered defenses — from secure email gateways and DNS filtering to user awareness and continuous monitoring — organizations can drastically reduce the success rate of delivery-based attacks.

For cybersecurity professionals and ethical hackers alike, mastering the Delivery phase means understanding how threats travel, how users respond, and how to intercept them effectively. In today’s interconnected world, that knowledge can make the difference between prevention and breach.