A new report released today has revealed that threat actors are increasingly focusing on well-known business platforms like Dropbox, SharePoint, and QuickBooks in their phishing email campaigns. By sending from legitimate domains they slip past security measures, which makes the attacks hard to detect and easy for users to fall for.
Darktrace’s Annual Threat Report for 2024 identified more than 30.4 million phishing emails, solidifying phishing as the most favored attack method.
Most Phishing Campaigns in 2024 Exploit Legitimate Enterprise Services
Cybercriminals have been taking advantage of third-party enterprise services such as Zoom Docs, HelloSign, Adobe, and Microsoft SharePoint. Rather than creating new domains, 96% of phishing emails in 2024 used existing domains to avoid detection.
Attackers have been seen using redirects through legitimate services like Google to distribute malicious payloads. For instance, in a Dropbox attack, the email included a link that led to a Dropbox-hosted PDF containing a malicious URL.
Threat actors have also abused compromised email accounts belonging to business partners and trusted third parties, including accounts sending through Amazon Simple Email Service. The report’s authors highlight that identity theft remains a significant issue affecting business and enterprise networks.
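The two patterns described above, a lure hosted on a legitimate file-sharing service and a redirect through a trusted domain that carries the real destination in its query string, are both visible in the links of an email before anyone clicks. The following link-triage script is an added example written for this article, not code from Darktrace or from its report: it extracts the anchors from a constructed HTML message, flags links hosted on a short list of services the report names as frequently abused (the list itself is an assumption of this example), and surfaces any URL embedded inside another URL's query parameters, which is how the Google-style redirect in the Dropbox case would appear.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs, unquote

# Services the article names as frequently abused for hosting lures.
# Picking these particular hostnames is an assumption of this example.
ABUSED_HOSTING_SERVICES = {
    "dropbox.com", "sharepoint.com", "quickbooks.intuit.com",
    "docs.zoom.us", "hellosign.com", "adobe.com",
}

# Constructed sample message (not a real phishing email): a Dropbox-hosted
# document, a redirect through google.com, and an ordinary unsubscribe link.
SAMPLE_EMAIL_HTML = """
<p>Please review the attached invoice.</p>
<a href="https://www.dropbox.com/scl/fi/abc123/Invoice.pdf?dl=0">View document</a>
<a href="https://www.google.com/url?q=https%3A%2F%2Fexample.invalid%2Flogin">Confirm</a>
<a href="https://www.example.com/newsletter">Unsubscribe</a>
"""


class LinkExtractor(HTMLParser):
    """Collect every href from <a> tags in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def hosted_on(host, services):
    """Return the matching service if host is that service or a subdomain of it."""
    for service in services:
        if host == service or host.endswith("." + service):
            return service
    return None


def find_embedded_url(url):
    """Return a full URL carried inside any query parameter, or None.

    parse_qs already percent-decodes values; unquote() again catches
    double-encoded redirect targets.
    """
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            decoded = unquote(value)
            if decoded.lower().startswith(("http://", "https://")):
                return decoded
    return None


def triage_link(url):
    """Describe one link: its host, any embedded redirect target, and review reasons."""
    host = (urlparse(url).hostname or "").lower()
    service = hosted_on(host, ABUSED_HOSTING_SERVICES)
    embedded = find_embedded_url(url)
    reasons = []
    if service:
        reasons.append(f"hosted on frequently abused service {service}")
    if embedded:
        reasons.append(f"redirects to embedded URL {embedded}")
    return {"url": url, "host": host, "embedded_url": embedded, "reasons": reasons}


def triage_email(html):
    """Triage every link in an HTML message body, in document order."""
    parser = LinkExtractor()
    parser.feed(html)
    return [triage_link(url) for url in parser.links]


def needs_review(html):
    """True if any link in the message triggered at least one reason."""
    return any(result["reasons"] for result in triage_email(html))


if __name__ == "__main__":
    for result in triage_email(SAMPLE_EMAIL_HTML):
        print(result["host"], "->", result["reasons"] or "no findings")
    print("needs review:", needs_review(SAMPLE_EMAIL_HTML))
```

The point of the embedded-URL check is that a reputation lookup on the link's own host tells you nothing when the host is google.com or dropbox.com; the decision has to be made on the final destination, which here is recovered from the query string without following the redirect.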
AI-Generated Tactics Drive Surge in Phishing Attacks
Darktrace discovered various elements in the phishing emails it analyzed:
- 2.7 million emails contained multistage malicious payloads.
- Over 940,000 emails included malicious QR codes.
The sophistication of phishing attempts continues to evolve, with spear phishing (highly-targeted email attacks) making up 38% of cases. Furthermore, 32% of attacks employ advanced social engineering tactics like AI-generated text with complex language structures. This complexity could manifest as longer sentences, increased punctuation, or more text in the emails.
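The report's observation that AI-written lures tend toward longer sentences, heavier punctuation and more text suggests a simple triage signal that needs no model at all: measure those properties and compare them with the organisation's own normal mail. The script below is an added example written for this article, not Darktrace's method; it extracts the three features named above from a message body, computes z-scores against a small constructed baseline of ordinary internal emails, and flags a message when any feature sits more than two standard deviations from that baseline (the threshold and the baseline are assumptions of this example).

```python
import re
import statistics

# Constructed baseline of ordinary internal emails (not real messages).
BASELINE_EMAILS = [
    "Hi team. The meeting is moved to 3 pm. See you there.",
    "Thanks for the update. I will send the file tomorrow.",
    "Can you approve the invoice? It is due on Friday.",
    "Reminder: the office is closed on Monday. Enjoy the long weekend.",
]

# Constructed suspect message written to exhibit the traits the report describes.
SUSPECT_EMAIL = (
    "Dear valued customer, we are writing to inform you that, following a routine "
    "review of your account, several documents, including your most recent invoice, "
    "your updated service agreement, and a revised payment schedule, now require your "
    "immediate attention. To ensure uninterrupted access to your services, please "
    "review the documents at your earliest convenience, confirm the details provided, "
    "and, if everything appears to be in order, approve the changes using the secure "
    "link below. Should you have any questions, concerns, or require additional "
    "assistance, our dedicated support team remains available around the clock."
)

PUNCTUATION = set(',;:()"')
Z_THRESHOLD = 2.0  # assumed cut-off; with n baseline samples no member can exceed (n-1)/sqrt(n)


def text_features(body):
    """Sentence length, punctuation density and total length of one message."""
    sentences = [s for s in re.split(r"[.!?]+(?:\s+|$)", body.strip()) if s]
    words = re.findall(r"[A-Za-z']+", body)
    punct = sum(1 for ch in body if ch in PUNCTUATION)
    word_count = len(words)
    return {
        "sentence_count": len(sentences),
        "word_count": word_count,
        "words_per_sentence": word_count / max(len(sentences), 1),
        "punct_per_100_words": 100.0 * punct / max(word_count, 1),
    }


def build_baseline(emails):
    """Per-feature mean and sample standard deviation over the baseline corpus."""
    rows = [text_features(e) for e in emails]
    baseline = {}
    for key in ("word_count", "words_per_sentence", "punct_per_100_words"):
        values = [row[key] for row in rows]
        baseline[key] = (statistics.mean(values), statistics.stdev(values))
    return baseline


def score_email(body, baseline_emails=BASELINE_EMAILS):
    """Return the message's features, z-scores against the baseline, and a flag."""
    baseline = build_baseline(baseline_emails)
    features = text_features(body)
    zscores = {}
    for key, (mean, std) in baseline.items():
        zscores[key] = (features[key] - mean) / std if std > 0 else 0.0
    flagged = any(abs(z) > Z_THRESHOLD for z in zscores.values())
    return {"features": features, "zscores": zscores, "flagged": flagged}


if __name__ == "__main__":
    verdict = score_email(SUSPECT_EMAIL)
    for key, z in verdict["zscores"].items():
        print(f"{key:22s} z={z:6.1f}")
    print("flagged:", verdict["flagged"])
```

A signal this crude will misfire on legitimately long mail (a contract, a newsletter), so it belongs in a scoring pipeline alongside link and sender checks rather than as a blocking rule on its own; its value is that it is cheap, explainable and tuned to the organisation's own traffic rather than a generic corpus.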
Darktrace compiled insights from its extensive customer base for the Annual Threat Report 2024, using advanced AI, anomaly detection, and insights from its threat research team.
Growing Security Threat: Living-off-the-Land Techniques
Another method of attack involves breaching networks through vulnerabilities in edge or internet-facing devices and then using living-off-the-land (LOTL) techniques. This approach leverages legitimate enterprise tools already present in the environment to conduct malicious activity while avoiding detection.
Darktrace observed that 40% of campaign activity in early 2024 involved exploiting vulnerabilities in internet-facing devices, including those from Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks, and Fortinet. Attackers prefer LOTL techniques because they reduce the need for custom malware and lower the chance of triggering traditional security alerts.
In addition to exploiting vulnerabilities in these edge devices, threat actors are increasingly resorting to stolen credentials to access remote network solutions like VPNs and then utilizing LOTL techniques.
Stealth Attacks: Ransomware Groups Exploit Enterprise Tools
Ransomware groups like Akira, RansomHub, Black Basta, Fog, Qilin, and emerging players such as Lynx, have been increasingly using legitimate enterprise software. Darktrace observed these groups employing:
- AnyDesk and Atera to conceal command-and-control communications.
- Data exfiltration to cloud storage platforms.
- File-transfer technologies for rapid exploitation and double extortion.
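Because AnyDesk and Atera are legitimate products, their presence on a network cannot be treated as malicious by itself; what distinguishes the ransomware usage described above is where and how the binary runs. The detection below is an added example written for this article, not Darktrace's own logic: it parses constructed process-creation log lines (the pipe-delimited format, the host names and the approved-host list are all assumptions of this example) and raises an alert when a known remote-management binary runs on a host outside the set approved to use it, from a user-writable directory, or under a script interpreter.

```python
# Constructed process-creation records in an assumed format:
#   timestamp|host|user|image path|parent process
# These are not real logs from any product.
SAMPLE_PROCESS_LOG = [
    r"2024-07-14T02:13:55Z|FIN-WS07|jsmith|C:\Users\jsmith\AppData\Local\Temp\AnyDesk.exe|powershell.exe",
    r"2024-07-14T09:02:10Z|IT-ADMIN01|helpdesk|C:\Program Files (x86)\AnyDesk\AnyDesk.exe|explorer.exe",
    r"2024-07-14T09:05:44Z|HR-WS03|mlee|C:\Windows\System32\notepad.exe|explorer.exe",
    r"2024-07-14T03:41:07Z|HR-WS03|mlee|C:\Users\mlee\Downloads\AteraAgent.exe|cmd.exe",
]

# Binaries of the remote-management tools the article names (Atera's agent
# executable name is an assumption of this example).
RMM_BINARIES = {"anydesk.exe", "ateraagent.exe"}

# Hosts where the help desk is expected to run these tools (assumed allowlist).
APPROVED_RMM_HOSTS = {"IT-ADMIN01"}

# Parents that indicate the tool was launched by a script rather than a person.
SCRIPT_INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

USER_WRITABLE_MARKERS = ("\\appdata\\", "\\downloads\\", "\\temp\\")


def parse_line(line):
    """Split one pipe-delimited record into a dict; returns None for malformed lines."""
    parts = line.split("|")
    if len(parts) != 5:
        return None
    ts, host, user, image, parent = parts
    return {"ts": ts, "host": host, "user": user, "image": image, "parent": parent}


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_user_writable(path):
    """True for paths under a user profile's AppData, Downloads or Temp folders."""
    lowered = path.lower()
    return "\\users\\" in lowered and any(m in lowered for m in USER_WRITABLE_MARKERS)


def assess(record):
    """Return the list of reasons this record looks like RMM abuse (empty if benign)."""
    if basename(record["image"]) not in RMM_BINARIES:
        return []
    reasons = []
    if record["host"] not in APPROVED_RMM_HOSTS:
        reasons.append("RMM tool on host outside the approved set")
    if is_user_writable(record["image"]):
        reasons.append("binary launched from user-writable directory")
    if record["parent"].lower() in SCRIPT_INTERPRETERS:
        reasons.append("launched by script interpreter")
    return reasons


def detect_rmm_abuse(lines):
    """Run every log line through assess() and collect alerts in log order."""
    alerts = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        reasons = assess(record)
        if reasons:
            alerts.append({**record, "tool": basename(record["image"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_rmm_abuse(SAMPLE_PROCESS_LOG):
        print(alert["ts"], alert["host"], alert["tool"], "->", "; ".join(alert["reasons"]))
```

The same three questions (expected host, expected install path, expected parent) apply to any dual-use tool the report mentions, including the file-transfer utilities used for exfiltration; the allowlist is what turns a generic "RMM tool seen" event into a finding an analyst can act on.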
These groups are also frequently involved in Ransomware-as-a-Service or Malware-as-a-Service operations, with MaaS tool usage rising by 17% from the first half to the second half of 2024. The use of Remote Access Trojans, malware allowing remote control of compromised devices, also increased by 34% during the same period.
