Phishing links becoming bigger threat than email attachments


It has long been held that a surefire way for anybody to protect themselves – and their employer – from falling victim to a cyber attack was not to download any unexpected email attachment, but according to email security specialist Mimecast, cyber criminals seem to be moving away from this evergreen tactic.

In the first six months of the year, Mimecast said it observed a massive surge in email attacks delivering not malware-laced attachments, but rather links to legitimate cloud-based file sharing services, such as Google Drive or SharePoint. It said volumes of email-delivered malicious links were up over 130% in the first calendar quarter of 2024, and 53% in the second quarter, compared to the same periods in 2023.

In its newly-published Global Threat Intelligence Report 2024 H1, Mimecast said threat actors were likely using more layers of links and forcing their victims to jump through various hoops, such as responding to CAPTCHAs or engaging with false multifactor authentication (MFA) challenges, to better obfuscate their activities and thwart detection or investigation.

Mimecast said that its latest data demonstrated how critical attention to email security can be for an organisation. Mick Paisley, the organisation’s chief security and resilience officer, explained: “Email and collaboration tools are often seen merely as cost centres, but this overlooks their essential role in cyber security.

“By optimising email security, organisations can achieve significant cost efficiencies while ensuring robust protection against emerging threats. This approach is crucial not only for minimising cyber risks but also for maintaining the productivity and safety of your organisation.”

The report’s authors urged organisations to

The human in the loop has always been a factor in identifying risks to an organization as they provide more direct access to relevant information or to a network. Targeting employees remains a highly successful attack vector and unlikely to change as a highly adaptable tactic.

Malicious campaigns

In one of the campaigns observed in Mimecast’s telemetry – which took place in March and April of 2024 – a threat actor opportunistically targeted recipients with emails containing a link to a LinkedIn domain that directed them to static, but malicious content. Almost 120,000 such emails were caught in its systems, with all of them notifying the victim that they needed to review an audio message.

In this instance, clicking the link resulted in a chain of redirects leading to a Cloudflare CAPTCHA and thence a fake Microsoft Outlook sign-in page.

The attacker also used an Amazon Simple Email Service (SES) account to give their lures a better chance of passing email security mechanisms.

In a second example, the threat actor originated their attacks via compromised Office 365 accounts belonging to companies in the same industry as their targets, increasing the likelihood that the victim might think them legitimate. The goal in this instance was credential harvesting.

In a third distinct campaign, a phishing link embedded in an email directed victims to address a device security compliance issue, again with the goal of stealing valuable information.


AI-backed scams

Mimecast’s data also contains new insight into how threat actors are becoming increasingly adept at incorporating artificial intelligence into their phishing scams.

In one campaign, it observed 380,000 emails laced with an attached PDF that, when opened, displayed a page hosted on the Replit AI development service – likely created as part of a free trial – to gather credentials. The lures in this campaign generally centred on HR-related themes, such as completing annual appraisals or holiday requests.

In another, victims were notified of an imminent deduction or charge – many of the lures impersonated PayPal – and directed to contact an AI-enabled call centre where large-language model (LLM) automation was successfully able to trick them into handing over credentials or financial information.

“The abuse of generative AI and machine learning will improve the targeting and content of phishing campaigns,” wrote the report’s authors, “driving the defender’s requirement for technical indicators to be able to detect and respond to new and novel attacks.”
