Separate to avoid outside damage
As Skoudis explains here, a spear-phishing pen test should be separated into two phases to avoid attacking an unintended target outside the organization:
"The first part is sending the e-mail itself, trying to get a click on a link or the opening of an attachment. We recommend that penetration testers compose their e-mail with links and/or attachments, BUT DO NOT TRY TO EXPLOIT THE TARGET via that e-mail. Instead, the pen tester sets up a web site, so he or she can merely count the number of clicked links or open attachments that he or she gets from the e-mail, as well as the source machine of the clicks.
Then, as a separate phase of the project, the pen tester works with a collaborator on the inside, using a typically configured laptop or desktop computer, to try the exploitation itself, perhaps gaining access and then pivoting through the target infrastructure. So, the tester would agree with an inside collaborator that on a given date and time, the pen tester will provide a series of URLs and/or attachments for the collaborator to explicitly click on and open. There is no trickery involved in this phase. But, we can then infer from what we are able to exploit on that typical client machine the impact we would have likely gotten from any of the clicks in phase one.
You see, we've separated the phishing e-mail (where all that really matters is whether you get a click or not) from the exploitation step. This is a whole lot safer. You see, if you bundle the two together, and exploit a machine that received the e-mail, you may end up attacking someone outside of scope. An e-mail recipient may forward your e-mail to someone inside the company (or even outside the company). If you attack that person, you've exceeded your scope and can get in big trouble. That's why we separate the two aspects."
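The phase-one "count the clicks" site that Skoudis describes can be very small. The following is an added example written for this page, not code from the article or from Skoudis: a Python click tracker that hands each recipient an unguessable per-recipient token, logs who clicked and from which source address and browser, and returns a harmless landing page with no exploit content. The recipient addresses, the tracking hostname, the port and the landing-page wording are assumptions for illustration. The per-recipient token is what makes forwarded e-mails visible: a click from an unexpected source host under Alice's token is the out-of-scope event phase one exists to observe rather than exploit.

```python
"""Phase-one click tracker for a spear-phishing exercise (illustrative).

Records *who* clicked (per-recipient token) and *from where* (source
address, User-Agent) and serves a harmless page. It deliberately carries
no exploit: impact is measured in phase two on a consenting insider's
machine, so a forwarded e-mail cannot compromise anyone outside scope.
"""
import json
import secrets
import threading
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

CLICKS = []               # in-memory click log; persist this in a real engagement
_LOCK = threading.Lock()


def issue_tokens(recipients, base_url):
    """Return (urls, token_to_recipient).

    urls maps recipient -> tracking URL for the e-mail body.
    token_to_recipient lets the server attribute a click to the e-mail
    that carried it, even if that e-mail was forwarded to someone else.
    """
    urls, token_to_recipient = {}, {}
    for recipient in recipients:
        token = secrets.token_urlsafe(16)           # 128 bits, unguessable
        urls[recipient] = f"{base_url}/t?id={token}"
        token_to_recipient[token] = recipient
    return urls, token_to_recipient


def record_click(path, remote_addr, user_agent, token_to_recipient, now=None):
    """Parse a request path like /t?id=TOKEN and log the click.

    Returns the log entry, or None when the path carries no valid token
    (scanners, typos), so noise does not inflate the click count.
    """
    token = parse_qs(urlparse(path).query).get("id", [None])[0]
    if token not in token_to_recipient:
        return None
    entry = {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "recipient": token_to_recipient[token],
        "src": remote_addr,
        "ua": user_agent,
    }
    with _LOCK:
        CLICKS.append(entry)
    return entry


def summarize(clicks):
    """Per recipient: total clicks and number of distinct source hosts.

    More than one source host under a single recipient's token means the
    e-mail was opened from several machines or forwarded on.
    """
    acc = {}
    for c in clicks:
        s = acc.setdefault(c["recipient"], {"clicks": 0, "hosts": set()})
        s["clicks"] += 1
        s["hosts"].add(c["src"])
    return {r: {"clicks": s["clicks"], "hosts": len(s["hosts"])} for r, s in acc.items()}


class TrackerHandler(BaseHTTPRequestHandler):
    tokens = {}  # token -> recipient, set by serve()

    def do_GET(self):
        entry = record_click(self.path, self.client_address[0],
                             self.headers.get("User-Agent", ""), self.tokens)
        if entry:
            print(json.dumps(entry))                # structured log line per click
        # Neutral landing page: no script, no download, nothing to exploit.
        body = b"<html><body><p>This page is temporarily unavailable.</p></body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                   # silence default access log
        pass


def serve(token_to_recipient, port=8080):
    TrackerHandler.tokens = token_to_recipient
    HTTPServer(("0.0.0.0", port), TrackerHandler).serve_forever()


if __name__ == "__main__":
    # Assumed recipients and tracking host, for illustration only.
    urls, tokens = issue_tokens(["alice@example.com", "bob@example.com"],
                                "http://127.0.0.1:8080")
    for recipient, url in urls.items():
        print(f"{recipient}: {url}")
    serve(tokens)
```

Run it, paste each recipient's URL into that recipient's e-mail, and read the printed JSON lines; `summarize(CLICKS)` at the end of the window gives the click rate per target and flags tokens that arrived from more than one host. Nothing in this phase touches the client beyond the GET request; exploitation of a typical workstation is left to the separate, consented phase two.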