2.2 Domain 2 · Threats, Vulnerabilities & Mitigations

Threat Vectors and Attack Surface

Explain common threat vectors and attack surface — the delivery pathways attackers use before any payload runs.

The Concept

A threat vector is the pathway an attacker uses to reach the target. The attack surface is the sum of all exposed vectors. Vectors are not the same as the payload or the attack itself. An email is a vector; the malicious macro inside the attached document is the attack. The exam frequently asks you to pick the vector, not the outcome.

SY0-701 groups vectors into seven families: message-based (email, SMS, IM), image and file, voice (vishing), removable device, vulnerable software (client-based vs agentless), unsecure networks (wireless, wired, Bluetooth), and human / social engineering. Wrapping around all of them are supply chain exposures, open service ports, default credentials, and unsupported systems. Every question in this objective is ultimately asking: where did the adversary get in?

Message-based vectors. Email remains the #1 initial access channel — phishing, spear-phishing, whaling, malicious attachments, malicious links. Smishing uses SMS, typically impersonating banks or delivery services. IM phishing arrives via Slack, Teams, or Discord and often plays on in-the-moment trust inside a chat channel.

Image and file vectors. Steganography hides payloads inside images. Malicious SVGs can carry JavaScript that runs when the file is opened in a browser. Quishing encodes the attacker's URL in a QR code: a mail gateway that only scans text URLs never sees the link, and the phone that decodes it is often unmanaged and off the corporate network. Office macros, PDF scripts, LNK files, and ISO/IMG containers remain common file-based delivery.

Voice vectors (vishing). Phone-based social engineering, caller-ID spoofing, deepfake voice, and voicemail lures. A help-desk caller claiming to be an executive is classic vishing.

Removable device vectors. USB drops in parking lots, BadUSB, Rubber Ducky HID injection, USB Killer destructive devices. Autorun malware on thumb drives still works on poorly configured hosts.

Vulnerable software vectors. Split two ways. Client-based software (browser, Office, PDF reader) is installed on the endpoint, so an agent on that host can inventory it and the fix is to patch or replace it there. Agentless targets (web apps, APIs, SaaS) run where no endpoint agent reaches, so the vulnerable code is fixed on the server or by the provider, not on the client that connects to it.

Unsecure networks. Wireless weaknesses: WEP, open APs, evil twin, deauth, WPS flaws. Wired weaknesses: unauthorized LAN access, switch-port bypass, rogue devices. Bluetooth: bluejacking (nuisance messages), bluesnarfing (data theft), BlueBorne (RCE). Proximity matters.

Social engineering vectors. Phishing, vishing, smishing, pretexting (fabricated story), watering hole (compromise a site the victim already visits), impersonation (CEO, IT), BEC (wire fraud via executive email compromise), brand impersonation, typosquatting (lookalike domains), and misinformation/disinformation campaigns.
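The typosquatting and brand-impersonation checks described above can be made mechanical. The following is an added example, not code from the original page: it takes a URL string (for instance one decoded from a QR code or extracted from a message) and classifies its host against a short allow-list of brand domains. The trusted domains (microsoft.com, microsoftonline.com, office.com), the homoglyph table, the two-label public-suffix stub, the sample URLs and the edit-distance threshold are assumptions chosen for illustration; a production check would use the full Public Suffix List and a maintained brand list.

```python
"""Classify a URL's host against a short brand allow-list (added example)."""
import ipaddress
import re
from urllib.parse import urlparse

# Assumed allow-list of registrable brand domains; illustrative, not exhaustive.
TRUSTED = {"microsoft.com", "microsoftonline.com", "office.com"}
BRAND_TOKENS = {d.split(".")[0] for d in TRUSTED}
# Stub of public suffixes that take two labels; a real check uses the Public Suffix List.
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Look-alike substitutions attackers rely on; applied only when comparing labels,
# because folding "cl" to "d" or "rn" to "m" would mangle legitimate words otherwise.
SINGLE_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
MULTI_GLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def fold(label: str) -> str:
    """Collapse common homoglyph substitutions so 'rnicros0ft' compares as 'microsoft'."""
    for pair, single in MULTI_GLYPHS:
        label = label.replace(pair, single)
    return label.translate(SINGLE_GLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; two or fewer edits against a long brand token is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str) -> tuple:
    """Return (subdomain part, registrable domain, second-level label)."""
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_PART_SUFFIXES else 2
    if len(labels) < n:
        return "", host, labels[0]
    return ".".join(labels[:-n]), ".".join(labels[-n:]), labels[-n]


def classify(url: str) -> tuple:
    """Return (verdict, registrable domain) for the host of a decoded URL."""
    host = urlparse(url).hostname
    if not host:
        return "invalid", ""
    host = host.rstrip(".")
    try:
        ipaddress.ip_address(host)
        return "raw-ip", host              # a brand login page is never served from a bare IP
    except ValueError:
        pass
    if not host.isascii():
        return "idn-homograph", host       # non-Latin or mixed-script look-alike (e.g. Cyrillic i)
    sub, reg, sld = split_host(host)
    if reg in TRUSTED:
        return "trusted", reg
    if any(f".{t}." in f".{sub}." for t in TRUSTED):
        return "brand-in-subdomain", reg   # microsoft.com.login-verify.example
    if sld in BRAND_TOKENS:
        return "brand-other-tld", reg      # microsoft.net, office.info
    folded = fold(sld)
    if folded in BRAND_TOKENS:
        return "homoglyph", reg            # rnicrosoft.com, micr0soft.com
    if BRAND_TOKENS & set(re.split(r"[-_]", folded)):
        return "brand-token", reg          # microsoft-login.example
    if any(levenshtein(folded, t) <= 2 for t in BRAND_TOKENS if len(t) >= 6):
        return "typosquat", reg            # mircosoft.com
    return "unknown", reg


# Constructed sample of URLs a QR code might decode to (not from any real incident).
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "http://rnicrosoft.com/login",
    "https://microsoft.com.login-verify.example/",
    "https://micros0ft-login.example/auth",
    "https://mircosoft.com/",
    "https://m\u0456crosoft.com/",
    "http://203.0.113.7/login",
    "https://example.org/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict, reg = classify(url)
        print(f"{verdict:19} {reg:28} {url}")
```

The order of the checks matters: the registrable domain is tested against the allow-list before any fuzzy matching, so a genuine login.microsoftonline.com is never reported as a look-alike of microsoft.com, while a brand name that only appears in the subdomain part (microsoft.com.login-verify.example) is flagged even though the registrable domain is unrelated. Anything that comes back as other than "trusted" is a reason to stop and verify the link out of band.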

Attack-surface amplifiers. Open service ports (SMB, RDP, Telnet exposed externally), default credentials (factory passwords), unsupported systems (EOL software, legacy OS), and supply chain exposures (MSPs, vendors with privileged access, software updates, hardware implants).

Family | Channel | Typical example
--- | --- | ---
Message | Email / SMS / IM | Phishing, smishing, Teams DM with link
Image / File | Document / image / QR | Macro doc, malicious SVG, quishing
Voice | Phone / VoIP | Vishing, deepfake-voice exec impersonation
Removable device | USB / CD / external HDD | USB drop, Rubber Ducky, autorun
Vulnerable software | Client or agentless | Unpatched browser, exposed API, SaaS flaw
Unsecure network | Wi-Fi / wired / Bluetooth | Evil twin, rogue switch, bluesnarf
Human / social | Trust channel | Pretext, watering hole, BEC, typosquatting

Amplifier | Why it matters | Fix
--- | --- | ---
Open service ports | Externally reachable entry point | Close/filter ports, restrict to known sources
Default credentials | Trivial initial access | Forced change on provisioning, credential audit
Unsupported systems (EOL) | No patches available | Upgrade, isolate, or compensating controls
Supply chain | Trusted pathway to many victims | Vendor assessment, SBOM, update verification
Key Takeaway

A vector is the pathway, not the payload. If the question describes how the attacker got in, you are looking for a vector (email, USB, open port). If it describes what happened after, you are looking for an attack type or vulnerability class.

Scenario
The Printer QR Code
Regional office · 3 compromised M365 accounts · no phish in inbox

Regional sales office, 60 employees. Three users in two days report that their Microsoft 365 sessions were “hijacked”: sent emails they did not write, mailbox rules they did not create. No phishing emails in their inboxes. Help-desk thinks credentials were reused across sites. You spot a different pattern: all three users had recently scanned the QR code on the shared office printer — supposedly for “scan to self” setup.
Help-Desk Lead: “The users say they used the same passwords on other sites. Classic credential reuse. Force resets, enable MFA, move on.”
Security Analyst: “Three resets in 48 hours in the same office is a pattern, not a coincidence. Nothing in their inboxes, but all three scanned the same QR on the printer. That code points to a lookalike domain with a fake Microsoft login page. This is quishing — a QR-code phish with a physical pivot.”
Help-Desk Lead: “How did that get on the printer?”
Security Analyst: “Someone physically stuck a sticker over the real QR. The threat vector here is image-based (QR code), wrapped in a physical / tampering element. The payload is credential phishing. Pull the sticker, preserve it for IR, walk the floor for other tampered surfaces, and get the printer access locked down.”
Compensating Action

Short-term containment: revoke the affected users' sessions and refresh tokens, remove the attacker-created inbox rules and any external forwarding, review OAuth application consents granted during the window, force reauthentication with MFA for all office users, and issue a one-page advisory about QR codes on shared equipment. Long-term: physical walk-throughs and tamper-evident labels on shared devices. Email-gateway URL scanning cannot catch this quishing: the link is embedded in an image on a printer, and the phone that decodes it is usually unmanaged and off the corporate network, so the request never crosses a control point that inspects it.
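Hunting the rogue rules is the first containment step above, and the same pass surfaces the pattern the analyst spotted: several mailboxes touched from one source inside 48 hours. The following is an added example, not from the original page. It triages inbox-rule events shaped like Exchange Online audit records, which is an assumption about the export format (real exports carry more fields); the sample records, the tenant domain example.com, the folder names and the lure words are constructed for illustration.

```python
"""Triage inbox-rule audit events for attacker-created rules (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAINS = {"example.com"}                 # assumed tenant domain
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "junk email", "archive", "deleted items"}
LURE_WORDS = {"password", "invoice", "payment", "wire", "hacked", "security", "suspicious"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

# Constructed records in the shape of Exchange Online audit entries (not real data).
SAMPLE_LOG = [
    {"CreationTime": "2024-05-14T09:12:33", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collect@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "password;invoice"}]},
    {"CreationTime": "2024-05-15T14:02:10", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "RSS"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "security alert;suspicious sign-in"}]},
    {"CreationTime": "2024-05-15T16:40:00", "Operation": "New-InboxRule",
     "UserId": "carol@example.com", "ClientIP": "10.20.30.40",
     "Parameters": [{"Name": "Name", "Value": "File newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "newsletter"}]},
    {"CreationTime": "2024-05-20T08:00:00", "Operation": "Set-InboxRule",
     "UserId": "dave@example.com", "ClientIP": "203.0.113.5",
     "Parameters": [{"Name": "Identity", "Value": "Backup"},
                    {"Name": "RedirectTo", "Value": "dave.home@personal-mail.example"}]},
    {"CreationTime": "2024-05-15T14:01:55", "Operation": "UserLoggedIn",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.23", "Parameters": []},
]


def params(record) -> dict:
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address: str) -> bool:
    return address.split("@")[-1].strip().lower() not in ORG_DOMAINS


def rule_reasons(record) -> list:
    """Suspicious traits of one rule event; an empty list means it looks benign."""
    p = params(record)
    reasons = []
    for name in FORWARD_PARAMS:
        targets = [t for t in re.split(r"[;,]", p.get(name, "")) if t.strip()]
        if any(is_external(t) for t in targets):
            reasons.append(f"{name} leaves the tenant: {p[name]}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage hides matching mail from the owner")
    if p.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
        reasons.append(f"MoveToFolder parks mail in rarely read folder {p['MoveToFolder']!r}")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("MarkAsRead suppresses the unread indicator")
    hits = set()
    for key in ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords"):
        hits |= set(re.findall(r"[a-z]+", p.get(key, "").lower())) & LURE_WORDS
    if hits:
        reasons.append("filters on security/finance words: " + ", ".join(sorted(hits)))
    name = p.get("Name", p.get("Identity", ""))
    if len(name.strip()) <= 2:
        reasons.append(f"placeholder rule name {name!r}")
    return reasons


def triage(records, window=timedelta(hours=48)) -> tuple:
    """Return (flagged rule events, campaigns). A campaign is one client IP that
    planted suspicious rules in more than one mailbox within the window."""
    flagged = []
    for r in records:
        if r.get("Operation") not in RULE_OPS:
            continue
        reasons = rule_reasons(r)
        if reasons:
            flagged.append({"time": datetime.fromisoformat(r["CreationTime"]),
                            "user": r["UserId"], "ip": r.get("ClientIP", ""),
                            "reasons": reasons})
    by_ip = defaultdict(list)
    for f in flagged:
        by_ip[f["ip"]].append(f)
    campaigns = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["time"])
        users = {e["user"] for e in events}
        # First-to-last span is a deliberate simplification; use a sliding window for long logs.
        if len(users) > 1 and events[-1]["time"] - events[0]["time"] <= window:
            campaigns.append({"ip": ip, "users": sorted(users)})
    return flagged, campaigns


if __name__ == "__main__":
    flagged, campaigns = triage(SAMPLE_LOG)
    for f in flagged:
        print(f"{f['time']:%Y-%m-%d %H:%M} {f['user']:20} {f['ip']:15} " + "; ".join(f["reasons"]))
    for c in campaigns:
        print(f"campaign from {c['ip']}: {', '.join(c['users'])}")
```

Carol's newsletter rule produces no reasons and is left alone, which is the point of scoring traits rather than alerting on every New-InboxRule: the attacker's rules combine external forwarding or hiding behaviour with lure keywords and throwaway names, and two such rules from the same client IP in different mailboxes inside two days is the campaign signal that separates this from ordinary password reuse.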

Real Talk — Career Context

Vectors are multi-disciplinary. A QR-code attack is part phishing, part physical intrusion, part image-based vector. Real incidents rarely fit one neat box, and that is exactly what the exam tests: does the candidate know which channel delivered the compromise?

On the exam: if a question describes “a QR code leading to a fake login page,” the vector answer is image/QR (quishing), not “phishing email.” If the question asks for the attack type, pick credential phishing.

A small engineering firm has repeatedly seen its staff compromised by visiting a trade-association news site that was silently planted with malicious JavaScript. Budget allows exactly one control investment this quarter. Which is the better fit?

Option A
Upgrade the email security gateway

Invest in a next-gen email filter with sandboxing, URL rewriting, and attachment detonation.

Option B
DNS/URL filtering with browser isolation

Protect outbound web browsing via DNS threat intelligence and isolate risky categories in a remote browser.

Option B is the better fit — the vector is the web, not email

Option B: The described attack is a classic watering hole — the victims’ trusted industry site was weaponized. No phishing email was involved, so a better email gateway does not address the vector. DNS/URL filtering and browser isolation neutralize the drive-by path.

Option A’s kernel of truth: Better email security is almost never wasted. But when your confirmed loss vector is a trusted third-party website, spending the one dollar you have on email is spending it in the wrong channel.

On the exam: match the control to the vector, not to “security in general.” If the described path is web/drive-by, email filtering is a distractor.

Vector confused with attack
The vector is the pathway (email, USB, open RDP port). The attack is what runs after (ransomware, credential theft, command injection). If the question asks “which vector was used?” your answer is the delivery channel, not the payload.
Why it is tempting: the payload is usually more memorable than the envelope.
Vishing vs. smishing vs. phishing
Vishing uses voice, smishing uses SMS, phishing uses email. If the scenario is a phone call, vishing is the answer even if the content is “phishing-like.” Deepfake-voice CEO scams are still vishing.
Why it is tempting: all three share the “phishing” family root.
BEC treated as plain phishing
Business Email Compromise is a specific fraud pattern: executive impersonation for wire transfer or invoice fraud. It may use phishing as the vector, but when the question describes a wire-transfer fraud via a spoofed CFO email, BEC is the answer.
Why it is tempting: BEC is delivered by email so “phishing” looks right.
Watering hole called phishing
In a watering hole, the attacker does not send a lure — they wait at a location the victim already visits. If the scenario says the user visited a legitimate industry site that had been compromised, the vector is watering hole, not phishing.
Why it is tempting: the outcome (browser exploited, creds stolen) looks similar.
Default credentials as a “misconfiguration”
On 2.2, treat default credentials as a vector/entry point. On 2.3 (vulnerabilities), the same fact pattern may be called a misconfiguration. Read the objective the question is targeting — the same fact can be answered two ways.
Why it is tempting: both framings are correct in the abstract.
Exam Signal

Vector questions ask “how did they get in?” Map the described channel to one of the seven families (message, image/file, voice, removable, vulnerable software, unsecure network, human). When the channel is ambiguous, choose the one that most specifically matches the described medium.

Quick Check — 2.2 Q1
A finance clerk receives a phone call from a caller who sounds exactly like the CFO, urgently requesting that a pre-authorized wire be released today. Which vector was used?
  • A Phishing
  • B Vishing
  • C Smishing
  • D Quishing

Correct: B. A voice-based impersonation call — especially with deepfake or cloned voice — is vishing, even though the underlying fraud is BEC-adjacent.

A wrong: Phishing is email-borne.

C wrong: Smishing is SMS-based.

D wrong: Quishing uses QR codes.

Source: CompTIA SY0-701 Objectives v5.0 — 2.2 Threat Vectors and Attack Surface

Quick Check — 2.2 Q2
An organization finds that employees are visiting an industry news portal whose advertising framework has been silently weaponized with browser-exploit JavaScript. What vector BEST describes this?
  • A Typosquatting
  • B Watering hole
  • C Brand impersonation
  • D Pretexting

Correct: B. Compromising a site the target population already visits, then waiting for victims to arrive, is the textbook watering-hole pattern. (Delivering the exploit through the site's ad framework is also called malvertising, but that is not among the options; the pathway is still the trusted site.)

A wrong: Typosquatting uses lookalike domains; the site here is the real one.

C wrong: Brand impersonation involves spoofing a brand, not compromising it.

D wrong: Pretexting is a social-engineering story used in direct contact; no story is told here.

Source: CompTIA SY0-701 Objectives v5.0 — 2.2 Threat Vectors and Attack Surface

Quick Check — 2.2 Q3
Facilities staff find unlabeled USB drives left near employee entrances over multiple days. Which BEST describes the vector risk?
  • A Agentless software vulnerability
  • B Unsecure wireless
  • C Removable device vector
  • D Supply-chain attack

Correct: C. USB drops are a canonical removable-device vector, relying on an employee inserting the device into a trusted host.

A wrong: Agentless refers to web apps/APIs, not USBs.

B wrong: No wireless channel is in play.

D wrong: Supply chain involves trusted vendors or updates, not anonymous drops.

Source: CompTIA SY0-701 Objectives v5.0 — 2.2 Threat Vectors and Attack Surface

Disclaimer: This content is provided for educational and exam preparation purposes only. It is not official CompTIA content, is not endorsed by CompTIA, and does not guarantee exam success. All practice questions are original and based on the published CompTIA SY0-701 Exam Objectives (v5.0). Always refer to the official CompTIA Security+ Exam Objectives as your primary reference.