The 2024 Egress Phishing Threat Trends Report has found that phishing continues to be one of the most common and effective ways for cybercriminals to gain access to data and systems, writes AJ Thompson, CCO at the IT firm Northdoor plc.
Cybercriminals are selling toolkits on the dark web that contain AI-powered attacks capable of breaching Microsoft and secure email gateway (SEG) defences, while large-scale commodity phishing attacks are overwhelming security teams.
Impersonation has also been found to be the most prolific phishing tactic used in 2024, with cybercriminals targeting employees, whom they perceive to be the weakest link in an organisation.
Cybercriminals are highly motivated. Essentially, they need to be good at their jobs or they won't get paid. Therefore, they make it their business to create highly successful social engineering attacks that deploy multiple steps to build advanced persistent threat campaigns impersonating brands and individuals.
The statistics
Between April 1 and June 30, 2024, there was a 28pc increase in phishing emails compared with January 1 to March 31, 2024. Some 44pc of phishing emails came from compromised accounts, which helped cybercriminals bypass authentication protocols, with 8pc of these emails being sent from within an organisation's supply chain. Cybercriminals used legitimate platforms such as Microsoft, Mailchimp and Salesforce to send these emails, making them seem all the more genuine.
The report found that a staggering 45pc of phishing emails contained hyperlink payloads, and 23pc contained malicious attachments. The most impersonated brands included Adobe, Microsoft, Chase and Meta. Because well-known brands are used, employees are more likely to think phishing emails are authentic; as a result, only 29pc of employees accurately reported phishing emails.
Phishing toolkits as a business model
Highly motivated cybercriminals can not only create cyberattacks for themselves, but they have also commoditised criminal activity by creating toolkits that can be sold on the dark web. Less-skilled threat actors can then use these to launch more sophisticated attacks than their abilities would normally allow. Worryingly, many cybercriminals have turned phishing into an inarguably successful business model, with many offering a subscription-based service, charging anything between $30 and $600 per month.
Phishing toolkits can offer a wide range of techniques, including templated attacks such as credential harvesting, phishing emails impersonating large brands, guarantees of deliverability against Microsoft's native defences and major secure email gateway (SEG) providers, obfuscation techniques, polymorphic payloads, subscriptions to generative AI (GenAI) applications to produce attacks, and OSINT toolkits containing collated data on specific targets.
Commodity attacks – more targeted and more dangerous
Commodity attacks, which are mainly image-based, may seem unsophisticated, but in fact they are malicious, mass-produced campaigns that mimic spam by impersonating brands on a prolific scale. Their effectiveness stems from their sheer volume and their polymorphic nature, which leaves security teams overwhelmed by the number of attacks.
The Egress report has found that an organisation of 2,000 employees will receive an average of 7,382 phishing emails over 31 days. This equates to 238 phishing emails per day and 31.75 attacks per hour during a seven-hour workday. These shocking statistics make it clear why security teams are becoming overwhelmed.
Cybercriminals often use the sheer volume of commodity attacks as white noise to disguise more sophisticated threats. With security teams buckling under the pressure, dangerous attacks are less likely to be spotted among the myriad of less advanced threats and are likely to become more prevalent in the future.
Advanced persistent threats
Cybercriminals often favour playing the long game. Advanced persistent threats (APTs) are sophisticated, targeted and sustained campaigns that are outcome-driven. Cybercriminals target specific organisations either to exfiltrate data, extort money or commit espionage. Large organisations are usually targeted, but smaller organisations in their supply chain can also fall victim to these attacks, enabling cybercriminals to access data stored locally or launch attacks using a trusted domain.
APTs have significant financial backing behind them, whether state-sponsored or financed by large cyber gangs. This means there are enough resources to carry out lengthy, sustained, multi-step attacks. Of the 84 APTs studied in the Egress report, more than half (52.2pc) were classed as zero-day attacks, while one-third (35.4pc) contained previously identified payloads.
The impersonation game
Impersonation has been found to be the most prolific phishing tactic in 2024 so far. Some 26pc of phishing emails appeared to be sent from brands with no established business relationship to the recipient; 9.7pc of these impersonated phone or video conferencing providers (such as Zoom), and 5.3pc impersonated mail carriers (such as UPS or DPD) as part of the established 'missed voicemail' and 'missed delivery' campaigns.
The second most common attacks were those impersonating an employee's own organisation, with 16.0pc falling into this category. HR was the most impersonated department in these attacks, with cybercriminals taking advantage of employees being quick to click on fake benefits packages.
IT and finance departments are also regularly impersonated, and internal systems such as e-signatures, employee survey forms and the Microsoft logo appeared in more impersonation attacks than any other. The most popular payloads used in impersonation attacks were hyperlinks (36.4pc), malware attachments (28.9pc), fraudulent invoices (16.6pc), social engineering (14.9pc) and QR codes (3.3pc).
Unmasking the impersonators
Impersonation attacks are becoming increasingly sophisticated and can get past signature-based and reputation-based detection. Unmasking them relies on combining several layers: natural language processing (NLP) to detect the linguistic markers of social engineering, such as urgent language; natural language understanding (NLU) to identify the context behind the words used; the ability to neutralise any obfuscation techniques deployed to stop NLP and NLU working correctly; analysis of the sender's display name and email address; sender domain analysis; analysis of the organisation's own accepted domains and internal systems; and, finally, brand behavioural analytics for employee email usage.
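As an added illustration (not code from the Egress report or from Northdoor), the small Python detector below applies three of the layers just listed, display name and address analysis, sender and accepted-domain analysis with lookalike detection, and urgency-language matching, to constructed sample messages. The accepted domains, brand domains, keyword lists and sample emails are all assumed values for the example.

```python
import re
from email.utils import parseaddr

# Constructed for this example: the organisation's accepted domains and genuine domains of report-named brands
ACCEPTED_DOMAINS = {"example-corp.com"}
BRAND_DOMAINS = {"microsoft": "microsoft.com", "adobe": "adobe.com", "zoom": "zoom.us", "ups": "ups.com"}
INTERNAL_NAMES = re.compile(r"\b(hr|human resources|it support|finance|payroll)\b")
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|action required|final notice|suspended)\b", re.I)

def edit_distance(a, b):
    # Plain Levenshtein distance, used to flag lookalike domains
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def same_or_sub(domain, base):
    return domain == base or domain.endswith("." + base)

def analyse(msg):
    # Returns the impersonation indicators found in one message (keys: from, subject, body)
    name, addr = parseaddr(msg["from"])
    name_l, domain = name.lower(), addr.rpartition("@")[2].lower()
    hits = []
    internal = any(same_or_sub(domain, d) for d in ACCEPTED_DOMAINS)
    # Display name claims an internal department while the address lies outside accepted domains
    if not internal and INTERNAL_NAMES.search(name_l):
        hits.append("internal-department display name from external domain")
    # Display name invokes a brand whose genuine domain does not match the sending domain
    for brand, real in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", name_l) and not same_or_sub(domain, real):
            hits.append(f"brand '{brand}' claimed from {domain}")
    # Lookalike: within two edits of an accepted or brand domain, but not that domain itself
    for real in ACCEPTED_DOMAINS | set(BRAND_DOMAINS.values()):
        if domain != real and edit_distance(domain, real) <= 2:
            hits.append(f"lookalike domain {domain} ~ {real}")
    # Urgent wording, the linguistic marker of social engineering the article points to
    if URGENCY.search(msg["subject"] + " " + msg["body"]):
        hits.append("urgency language")
    return hits

# Constructed sample messages: two impersonation attempts and one genuine internal email
SAMPLES = [
    {"from": "HR Benefits Team <benefits@example-c0rp.com>", "subject": "Action required: new benefits package", "body": "Review your updated benefits within 24 hours."},
    {"from": "Microsoft Account <security@microsoft-verify.net>", "subject": "Unusual sign-in", "body": "Your account will be suspended. Verify immediately."},
    {"from": "Jane Doe <jane.doe@example-corp.com>", "subject": "Lunch", "body": "Shall we meet at noon?"},
]
```

Running `analyse` over each entry in `SAMPLES` flags the first two messages on several indicators and returns no indicators for the genuine internal email; in production the same signals would feed a scoring model alongside the NLP and behavioural layers rather than act as hard rules.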
Embracing AI
To get ahead of these AI-powered attacks, organisations need to ensure they implement the appropriate level of AI in their defences. With cybercriminals embracing AI, organisations must build a strong foundation of AI-driven defences that can automate detection and response to a broader spectrum of advanced threats.
Organisations need to turn to highly qualified, third-party IT consultants who can supplement internal teams. Third-party IT consultants can provide a 360-degree, 24/7 overview of an organisation, giving a comprehensive view of where vulnerabilities lie. This allows organisations to have urgent conversations with partners and suppliers to close the vulnerabilities before they are exploited by cybercriminals.
Phishing attacks are extremely lucrative and therefore are not going to go away any time soon. Getting ahead of future attacks using AI, automation and threat intelligence will be crucial for organisations. Effective prevention, detection and response technologies implemented by third-party IT consultants will enable organisations to proactively defend against an attack.