Phishing has been the method most often employed by cybercriminals to achieve initial access to targeted organizations in 2024, according to risk advisory firm Kroll, which expects this trend to continue in 2025.
But attackers have also increasingly been using valid accounts (i.e., credentials stolen via infostealers) and social engineering to gain a foothold in targets’ systems and networks.
“Social engineering tactics observed in 2024 included CEO-spoofing that takes advantage of artificial intelligence (AI) to create realistic voice clones. In addition, threat actors targeted help-desk personnel for password resets and used telephone-oriented attack delivery to prime phishing victims into accepting their lures,” they shared.
Most popular initial access methods in 2024 (Source: Kroll)
New and improved phishing techniques and approaches
EncryptHub, a financially motivated threat actor that has ties with the RansomHub and BlackSuit ransomware-as-a-service outfits, is a prime example of the trend.
According to cyber threat intelligence firm Prodaft, the group has mastered spear-phishing attacks: its operators call employees while impersonating the organization’s IT or help desk staff and direct them to phishing sites posing as the company VPN portal, and they also target employees via Microsoft Teams with malicious links designed to steal their M365 login credentials.
“The research revealed that, from June 2024 to the present, the threat actor has compromised 618 different victim organizations. In most of these cases, the attacks resulted in the deployment of ransomware payloads and the compromised systems were successfully encrypted,” Prodaft analysts say.
The proliferation of phishing activity is partly due to the availability of phishing-as-a-service (PhaaS) platforms, Kroll’s researchers noted.
“In Q4 alone, Kroll observed multiple PhaaS platforms targeting users. New toolkits such as Mamba 2FA and Rockstar 2FA targeted Microsoft 365 accounts to capture credentials and authentication tokens for adversary-in-the-middle attacks. Kroll has also observed more threat actors advertising AI chatbots for sale on underground forums, claiming that they can be used to deliver phishing campaigns.”
Among the most interesting phishing campaigns spotted in 2024 is the so-called CorruptQR campaign, in which the attackers leverage Office documents with corrupt header information to bypass email security solutions and rely on users to start the document recovery process. (“Kroll research associated this activity with the ONNX phishing-as-a-service (PhaaS) platform.”)
How to fend off phishing and social engineering attacks
Defending your organization against phishing attacks is an endeavor that requires a multi-pronged approach.
Employees should be regularly educated on the latest social engineering techniques, trained to recognize phishing attempts, and provided with an easy way to report potential threats, Kroll’s threat analysts advised.
Organizations should also:
- Use email security tools that can detect and block open redirect links in emails and QR code phishing.
- Implement phishing-resistant authentication methods.
- Reduce their attack surface by using creative conditional access control policies (e.g., limit the number of allowed MFA devices per user, or require extra authentication factors when authorizing MFA devices).
- Update IT help-desk policies and exception-handling procedures to prevent social engineering attacks aimed at enrolling or disabling MFA and unauthorized devices.
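The first recommendation above, detecting open redirect links, is the one that is easiest to show in code. The following is an added example written for this article, not a tool from Kroll or any vendor, and the sample links, the allow-list of hosts (`legit.example.com`, `trusted.example.com`) and the list of redirect parameter names are all constructed assumptions. It flags a link whose own host is trusted but which carries a second, external URL in a query parameter or in its path, the pattern an email filter would quarantine.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample links of the kind that appear in phishing emails
# (assumed, not taken from the Kroll report).
SAMPLE_LINKS = [
    "https://legit.example.com/login",                                   # plain, benign
    "https://trusted.example.com/redirect?url=https://evil.example.net/m365",  # open redirect
    "https://trusted.example.com/go?next=%2F%2Fevil.example.net%2Fsignin",     # encoded, protocol-relative
    "https://trusted.example.com/r/https://evil.example.net/",                # URL embedded in path
    "https://trusted.example.com/redirect?url=https://trusted.example.com/home",  # internal redirect, benign
]

# Hosts the organization considers its own (assumption for the example).
ALLOWED_HOSTS = {"legit.example.com", "trusted.example.com"}

# Query parameter names commonly used to carry a redirect target (assumed list).
REDIRECT_PARAMS = {
    "url", "redirect", "redirect_uri", "next", "return", "returnurl",
    "goto", "dest", "target", "continue",
}


def _host_of(candidate):
    """Return the lowercase host of an absolute or protocol-relative URL, else None."""
    if candidate.startswith("//"):
        candidate = "https:" + candidate
    if not re.match(r"^https?://", candidate, re.I):
        return None
    return urlparse(candidate).hostname


def embedded_targets(url):
    """List the hosts that a link could forward the user to.

    Two places are inspected: query parameters (by well-known name, or any
    value that itself looks like a URL after decoding) and an absolute URL
    embedded in the path component.
    """
    parsed = urlparse(url)
    targets = []

    for key, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)  # handle double-encoded values
            if key.lower() in REDIRECT_PARAMS or re.match(r"^(https?:)?//", decoded, re.I):
                host = _host_of(decoded)
                if host:
                    targets.append(host)

    match = re.search(r"https?://([^\s/?#]+)", parsed.path, re.I)
    if match:
        targets.append(match.group(1).lower())

    return targets


def is_open_redirect(url):
    """True when a link on a trusted host can bounce the user to an untrusted host."""
    own_host = urlparse(url).hostname
    return any(t != own_host and t not in ALLOWED_HOSTS for t in embedded_targets(url))


def scan_links(links):
    """Return (link, verdict, redirect_hosts) for every link in the batch."""
    return [
        (link, "block" if is_open_redirect(link) else "allow", embedded_targets(link))
        for link in links
    ]


if __name__ == "__main__":
    for link, verdict, hosts in scan_links(SAMPLE_LINKS):
        print(f"{verdict:5}  {link}  -> {hosts}")
```

The allow-list is what keeps internal redirects (the last sample link) from being flagged; in a real mail gateway it would be fed from the organization's own domains, and the verdict would trigger quarantine or URL rewriting rather than a print.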