Cybercriminals use legitimate websites to obfuscate malicious payloads

According to Egress, the evolving attack methodologies currently used by cybercriminals are designed to get through traditional perimeter security.


“The evolution of phishing emails continues to pose a major threat to organizations, emphasizing the need to enhance defenses to prevent attacks,” said Jack Chapman, VP of Threat Intelligence, Egress.

“Although traditional signature-based detection can filter out phishing emails with known malicious payloads (attachments and links), cybercriminals are constantly refining their attack methods to bypass existing detection systems and appear more credible to their victims. Our report reveals that attacks are increasingly leveraging social engineering, advanced technical measures, and compromised email addresses to deliver sophisticated payloads or defraud organizations. Every attack we analyzed had bypassed other forms of anti-phishing detection, including secure email gateways (SEGs),” Chapman continued.

Evolving attack methodologies

Cybersecurity experts are grappling with new strategies that surpass conventional domain-based inspection methods, with a growing focus on exploiting legitimate business tools like SharePoint and other trusted sources to deliver attacks.

Trends include:

Malicious payloads hidden by legitimate websites

Using legitimate hyperlinks for reputable brands as carriers for malicious payloads enables attacks to bypass standard link checks, because the link's domain reputation is sound even though the content it serves is attacker-controlled. Among the sites leveraged by hackers and detected by Egress Defend, YouTube, Amazon AWS, Google Docs, Firebase Storage, and DocuSign were among the top 10 most frequently used, with a 121% rise in this method observed between January 1 and April 30, 2023, compared to September to December 2022.

Phishing commoditized

Phishing remains part of the Anything-as-a-Service (XaaS) model, with crime-as-a-service gangs continuing to sell phishing kits. In a campaign analyzed by the Egress team, cybercriminal gang Caffeine leveraged the Ticketmaster brand to obfuscate a malicious payload. With bad actors no longer needing to be highly skilled or particularly motivated, the commoditization of phishing is increasing the development, deployment, and impact of these threats.

Increase in compromised accounts used to launch phishing attacks

Egress detected a 51% increase in phishing emails sent from compromised legitimate email accounts in the first four months of 2023. When analyzing these attacks, researchers found that 71% of the attachment-based payloads were HTML smuggling attacks. This allows the attacker to build malware behind an organization’s firewall and is a highly evasive attack technique that is increasing in prevalence as it enables phishing emails to bypass traditional email security controls, particularly SEGs.
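Two of the trends above, links hosted on reputable sites that serve user-uploaded content and HTML attachments that rebuild a file in the browser (HTML smuggling), both slip past checks that look only at domain reputation or at the attachment's bytes on disk. The following triage script is an added example, not code from Egress or from the report: it parses a constructed message, flags links whose host is a trusted brand that hosts arbitrary user content, and scores HTML attachments for the client-side reconstruction indicators (base64 decoding, Blob creation, object-URL download) that such attachments rely on. The host list, the indicator patterns and the sample message are illustrative assumptions, not a vendor signature set.

```python
"""Inbound-mail triage: flag links on trusted user-content hosts and HTML
attachments carrying HTML-smuggling indicators.

Added example (not Egress code). The host list and regex indicators are
illustrative assumptions; a production detector would maintain far more.
"""
import base64
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlparse

# Assumption: reputable brands whose hosts serve arbitrary user-uploaded
# content, so the domain's reputation says nothing about the linked object.
USER_CONTENT_HOSTS = {
    "firebasestorage.googleapis.com",
    "docs.google.com",
    "drive.google.com",
    "s3.amazonaws.com",
}

# Markers of an HTML file that reconstructs and offers a download client-side.
SMUGGLING_PATTERNS = [
    re.compile(r"\batob\s*\(", re.I),
    re.compile(r"new\s+Blob\s*\(", re.I),
    re.compile(r"msSaveOrOpenBlob", re.I),
    re.compile(r"createObjectURL\s*\(", re.I),
    re.compile(r"\.download\s*=", re.I),
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def flag_links(body: str) -> list[dict]:
    """Return links whose host is a trusted brand serving user content."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if host in USER_CONTENT_HOSTS or host.endswith(".s3.amazonaws.com"):
            findings.append({"url": url, "host": host,
                             "reason": "trusted domain, user-controlled content"})
    return findings


def score_html_attachment(data: bytes) -> tuple[int, list[str]]:
    """Count smuggling indicators; a long base64 run weighs double because
    that is where the reconstructed file usually lives."""
    text = data.decode("utf-8", errors="replace")
    hits = [p.pattern for p in SMUGGLING_PATTERNS if p.search(text)]
    has_blob = re.search(r"[A-Za-z0-9+/]{200,}={0,2}", text) is not None
    score = len(hits) + (2 if has_blob else 0)
    if has_blob:
        hits.append("large-base64-blob")
    return score, hits


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report link and attachment findings."""
    msg: EmailMessage = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html", "plain"))
    body_text = body.get_content() if body else ""
    result = {"links": flag_links(body_text), "attachments": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() in ("text/html", "application/xhtml+xml") \
                or name.endswith((".html", ".htm")):
            score, hits = score_html_attachment(part.get_payload(decode=True))
            result["attachments"].append(
                {"filename": part.get_filename(), "score": score, "indicators": hits})
    return result


def build_sample() -> bytes:
    """Constructed sample message, not a real capture. The attachment only
    carries the indicator strings; the base64 run is zero-byte filler."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "cfo@example.com"
    msg["Subject"] = "Invoice ready"
    msg.set_content(
        "Your document is ready: https://firebasestorage.googleapis.com/v0/b/demo/o/inv.html\n"
        "Help: https://example.com/help\n")
    filler = base64.b64encode(b"\x00" * 300).decode()
    html = ("<html><body><script>var b = atob('" + filler + "');"
            "var f = new Blob([b]); var a = document.createElement('a');"
            "a.href = URL.createObjectURL(f); a.download = 'inv.pdf';"
            "</script></body></html>")
    msg.add_attachment(html.encode(), maintype="text", subtype="html",
                       filename="invoice.html")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

The score is deliberately a sum of weak signals rather than a single signature: an attacker can rename a function or split a base64 string, but the attachment still has to decode, assemble and hand a file to the browser, so several indicators tend to survive together. On the sample, the Firebase Storage link is flagged while the example.com link is not, and the attachment scores 6 with five indicators.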

Phishing the C-Suite

The C-suite has significant authority over access to funds, systems, and data, making them highly lucrative individuals to phish. Egress detected the top three targets as CFOs (31% of attempts), CEOs (25%), and CMOs (13%). Overall, those leading functions related to security, risk, and compliance were the least targeted, likely due to a lower success rate owing to their increased security awareness.

How to defend against phishing threats

Organizations must adapt their defenses as cybercriminals continue to evolve their attacks. The report calls for the prioritization of behavior-based email security that uses AI to mitigate the increase in threats evading signature-based and reputation-based perimeter security.

Integrated cloud email security (ICES) is a new category of anti-phishing technology that uses advanced detection capabilities, such as natural language processing and natural language understanding, to protect organizations from sophisticated attacks.

ICES solutions protect organizations from advanced email attacks by analyzing email content for signs of BEC. With phishing attempts being a constant business threat, these solutions integrate directly into the mailbox to engage users at the point of risk and augment security awareness and training programs.
