Exploiting the human attack surface during red team engagements
Learn how red teams can use cognitive biases and decision fatigue to their advantage.
When people think about red team attacks, they often imagine complex tools, malware, or advanced hacking techniques. But one of the most powerful attack surfaces is the human brain. Red teams often leverage it by understanding how people think and behave, especially when they are tired or overwhelmed.
Cognitive biases are systematic mental shortcuts our brains use to make decisions quickly. These shortcuts serve us well in daily life, but because they skip the slow, deliberate checks, they can also lead us into predictable mistakes. For example, if someone you trust sends you a file, you are far more likely to open it without inspecting it first.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
Decision fatigue is what happens when someone has made too many decisions in a short amount of time. As people get mentally tired, they start making worse choices. Think of how hard it is to make smart decisions after a long day at work. Red team operators know this and use it to their advantage.
Let’s look at some ways red teams can leverage these human tendencies during an engagement:
Authority Bias - People tend to follow instructions from someone who seems to be in a position of power. A red teamer might send a fake email that looks like it’s from the company’s CEO or IT manager, asking someone to click a link or send sensitive information.
Time Pressure - When people feel rushed, they’re less likely to double-check things. A message with words like “urgent” or “your account will be disabled in 30 minutes” can trick someone into acting fast without thinking.
Tiredness - Employees are more likely to make mistakes late in the day, especially after a run of meetings or a heavy queue of tasks. That is why red teams often time their phishing emails to land around 4 or 5 PM in the target's local time zone, when scrutiny is lowest and people are trying to clear their inbox before leaving.
Familiarity - People feel safe with things that seem familiar. Red team operators will often copy the look and language of real company emails, so their fake message feels normal. Deepfakes can make this psychological bias even more effective. When people see a video or hear a voice, they tend to trust it more than just reading text.
To understand how these biases are exploited in practice, consider the following example:
Let's imagine a red team is testing a tech company. During reconnaissance they learn that the accounting team handles invoice approvals and that most of its work is wrapped up by 5 PM. At 4:47 PM, the red team sends an email pretending to be from the company's CFO. The subject line reads "URGENT – Payment Approval Needed Before End of Day." The email includes a link to an "invoice" that is actually a malicious file.
The employee, tired from a long day and eager to finish, clicks the link and opens the file without checking the sender address or the link destination. The payload runs, and the red team now has an initial foothold inside the internal network.
This kind of attack is simple but powerful because it takes advantage of decision fatigue and trust in authority.
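The four levers listed above (authority, time pressure, timing, and familiarity) are exactly the signals a defender can look for in the scenario just described. The following is an added example, not code from the original post: a small triage heuristic that scores an email against those levers. The executive names, the internal domain example.com, the lookalike sender domain example.net, the 4 PM to 7 PM window, and both sample messages are constructed assumptions for the demonstration.

```python
"""Score an email for the social-engineering levers a red team leans on.

Added example for illustration; the executive list, domains, time window
and sample messages below are constructed assumptions, not real data.
"""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumption: display names of people whose authority a pretext would borrow.
EXECUTIVES = {"raj patel": "CFO", "jane doe": "CEO", "sam okafor": "IT manager"}
# Assumption: the organisation's own mail domain(s).
INTERNAL_DOMAINS = {"example.com"}
# Assumption: late-afternoon window (local hours, inclusive start, exclusive end).
FATIGUE_WINDOW = (16, 19)

URGENCY = re.compile(
    r"\b(urgent|immediately|asap|before (end of day|eod|close of business|\d{1,2}\s?(am|pm))"
    r"|within \d+ (minutes|hours)|will be (disabled|suspended|locked))\b",
    re.IGNORECASE,
)
LINK = re.compile(r"https?://\S+", re.IGNORECASE)


def message_text(msg):
    """Return the text/plain content of a parsed message, multipart or not."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw_email, local_tz=timezone.utc):
    """Return the list of levers present in the email (empty list = nothing flagged).

    local_tz is the recipient's time zone; the Date header is converted into it
    before the fatigue-window check, so the sender's declared offset does not matter.
    """
    msg = message_from_string(raw_email)
    reasons = []

    # Authority bias: executive's display name on a From address outside our domain.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    role = EXECUTIVES.get(name.strip().lower())
    if role and domain not in INTERNAL_DOMAINS:
        reasons.append(f"authority: display name of {role} but sender domain {domain!r} is external")

    # Time pressure: urgency or deadline wording in subject or body.
    subject = msg.get("Subject", "")
    body = message_text(msg)
    hit = URGENCY.search(subject) or URGENCY.search(body)
    if hit:
        reasons.append(f"time pressure: {hit.group(0)!r}")

    # Decision fatigue: delivered in the late-afternoon window (recipient local time).
    try:
        sent = parsedate_to_datetime(msg.get("Date", "")).astimezone(local_tz)
        if FATIGUE_WINDOW[0] <= sent.hour < FATIGUE_WINDOW[1]:
            reasons.append(f"timing: sent at {sent.strftime('%H:%M')} local time")
    except (TypeError, ValueError):
        pass  # missing or malformed Date header: skip the timing check

    # Familiar-looking call to action: a link the reader is asked to click.
    link = LINK.search(body)
    if link:
        reasons.append(f"call to action: link {link.group(0)!r}")
    return reasons


# Constructed sample: the CFO pretext from the scenario, sent from a lookalike domain.
PHISH = """\
From: "Raj Patel" <raj.patel@example.net>
To: accounts@example.com
Subject: URGENT - Payment Approval Needed Before End of Day
Date: Tue, 4 Mar 2025 16:47:00 +0000

Please approve the attached invoice before 5 PM: https://example.net/invoice/Q1-0417
"""

# Constructed sample: a benign internal note for comparison.
BENIGN = """\
From: "Dana Lee" <dana.lee@example.com>
To: accounts@example.com
Subject: Lunch menu for Thursday
Date: Tue, 4 Mar 2025 09:15:00 +0000

The cafeteria posted Thursday's menu on the board by the lifts.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        hits = score_message(sample)
        print(f"{label}: {len(hits)} lever(s) flagged")
        for reason in hits:
            print("  -", reason)
```

No single lever is proof of a pretext on its own; a real CFO may well send an urgent message at 4:47 PM. The value is in the combination, which is why the function returns every matched reason rather than a yes/no, so a mail gateway or analyst can set the threshold that fits the organisation.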
Red Team Notes
Cognitive biases and decision fatigue create real openings for red team operators. By learning how these mental shortcuts work, red teams can design smarter, more realistic pretexts.