Egress has released its latest Phishing Threat Trends Report (registration required). It shows that phishing attacks were up 28% in the second quarter of 2024 compared to the first quarter. Egress also noted the majority of phishing toolkits, which are sold on the dark web, now mention deepfakes (82%) and AI (74.8%). To increase the chance of success, malicious actors are now sending 44% of phishing emails from compromised accounts.
Jack Chapman, SVP of Threat Intelligence at Egress, said, “The fourth edition of the Egress Phishing Threat Trends report offers eye-opening insights into the shifting landscape of phishing threats in 2024, revealing alarming trends based on data from Egress Defend and exclusive intelligence from the Egress Threat Intelligence team.
“One of the most troubling findings is the rapid commoditisation of AI in phishing toolkits, which is putting advanced threats into the hands of less sophisticated cybercriminals. Organisations must respond by adopting advanced AI defenses that effectively counter these evolving threats; while ensuring they aren’t introducing new vulnerabilities by using AI for AI’s sake.”
Chapman also talked with Enterprise Times to provide a deeper insight into some of the findings.
Defenders need a better understanding of the threat
Email is still the biggest threat vector that organisations deal with. Users continue to be frustrated that they are expected to spot and deal with phishing and malware in emails. Many feel that IT should be doing more to spot and prevent things from getting through.
Chapman says it is more complicated than that. Security teams need a more comprehensive understanding of how attackers operate to effectively deal with threats. Without that understanding, especially of new techniques as they evolve, attackers will bypass traditional security measures.
QR code attacks are on the rise
One example of this is how QR codes are used in attacks, with Egress now seeing QR codes used in 14% of attacks. To evade detection, Chapman said attackers are using techniques like HTML tables. This lets them build QR codes that look like images to the recipient but are, in fact, nothing of the kind: the code is drawn from table cells rather than embedded as an image file.
The approach allows them to bypass security solutions designed to detect and block image-based QR codes. With QR codes here to stay, security needs a better way to mitigate the threat.
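One way a defender can catch the table-drawn codes described above is to look for the shape rather than an image: a square grid of small, uniformly two-tone cells. The detector below is an added example, not Egress code; the size and darkness thresholds and the constructed sample bodies are assumptions.

```python
from html.parser import HTMLParser
import re

MIN_MODULES = 21  # a version-1 QR symbol is 21x21 modules; smaller grids are ignored
DARK = re.compile(r"#0{3}(?:0{3})?\b|\bblack\b", re.I)  # cell painted black

class TableGridParser(HTMLParser):
    """Records, for every <table>, the <td> count per <tr> and how many are dark."""
    def __init__(self):
        super().__init__()
        self.tables, self._stack = [], []  # finished tables, open (nested) tables

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "table":
            self._stack.append({"rows": [], "dark": 0})
        elif self._stack and tag == "tr":
            self._stack[-1]["rows"].append(0)
        elif self._stack and tag == "td":
            t = self._stack[-1]
            t["rows"] = t["rows"] or [0]  # tolerate a <td> before any <tr>
            t["rows"][-1] += 1
            if DARK.search((a.get("style") or "") + " " + (a.get("bgcolor") or "")):
                t["dark"] += 1

    def handle_endtag(self, tag):
        if tag == "table" and self._stack:
            self.tables.append(self._stack.pop())

def looks_like_qr(table):
    """Square grid of at least 21x21 cells, roughly half of them dark."""
    n = len(table["rows"])
    if n < MIN_MODULES or any(c != n for c in table["rows"]):
        return False
    return 0.3 <= table["dark"] / (n * n) <= 0.7

def find_table_qr_codes(html):
    p = TableGridParser()
    p.feed(html)
    return [t for t in p.tables if looks_like_qr(t)]

def _make_grid(n):
    # Constructed square table with an arbitrary pattern; not a real QR symbol.
    cell = '<td style="width:4px;height:4px;background:%s"></td>'
    row = lambda r: "<tr>" + "".join(cell % ("#000" if (r * c) % 3 == 0 else "#fff") for c in range(n)) + "</tr>"
    return "<table cellspacing=0>" + "".join(row(r) for r in range(n)) + "</table>"

# Constructed sample bodies: a lure with a table-drawn code, and an ordinary table.
QR_BODY = "<p>Scan to listen to your voicemail</p>" + _make_grid(25)
PLAIN_BODY = "<table><tr><td>Item</td><td>Qty</td></tr><tr><td>Pen</td><td>2</td></tr></table>"
```

Flagged tables are worth routing to the same handling as embedded QR images; the thresholds are deliberately loose, so tune them against your own benign newsletter and invoice templates.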
Unique attacks are expected to make up 60% of all attacks
Another major shift is the use of one-off attacks, which Chapman says is on the rise. Egress expects the number of new and unique attacks to hit 60% next year. Attackers are doing this to defeat reactive security that spots known attack patterns. It means that solutions relying on hashing and known malicious content are bypassed.
One way attackers make content unique is by making minor changes to it. Dates, greetings, and even small changes to the text mean that reactive security solutions constantly have to learn. That takes a lot of compute cycles and slows down the response.
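To see why the small edits described above defeat hash-based matching, and what a less brittle fingerprint looks like, here is an added example (not from the report or Egress): exact hashing versus hashing after normalising the fields attackers vary, plus a word-shingle similarity for variants that also reword the body. The lure texts are constructed and the normalisation rules are assumptions.

```python
import hashlib
import re

MONTHS = "january|february|march|april|may|june|july|august|september|october|november|december"

def exact_hash(text):
    """Reactive matching: any one-character edit changes this value."""
    return hashlib.sha256(text.encode()).hexdigest()

def normalise(text):
    """Strip the parts attackers vary per recipient: greeting, dates, numbers, spacing."""
    t = text.lower()
    t = re.sub(r"^(?:hi|hello|dear)\b[^\n]*\n", "", t)              # greeting line
    t = re.sub(rf"\b\d{{1,2}} (?:{MONTHS}) \d{{4}}\b", "<date>", t)  # e.g. 12 june 2024
    t = re.sub(r"#?\d+", "<num>", t)                                  # invoice ids, amounts
    return re.sub(r"\s+", " ", t).strip()

def fingerprint(text):
    """Hash of the normalised text: stable across the minor edits above."""
    return hashlib.sha256(normalise(text).encode()).hexdigest()

def shingles(text, k=3):
    words = normalise(text).split()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def similarity(a, b):
    """Jaccard similarity of word 3-grams: catches rewording that beats the fingerprint."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)

# Constructed lure variants: A and B differ only in the per-recipient fields;
# C also rewords the body slightly.
VARIANT_A = ("Hi Alice,\nYour invoice #4471 dated 12 June 2024 is overdue. "
             "Review it at the portal link below.\nRegards, Accounts")
VARIANT_B = ("Dear Bob,\nYour invoice #9902 dated 13 June 2024 is overdue. "
             "Review it at the portal link below.\nRegards, Accounts")
VARIANT_C = ("Hello Carol,\nYour invoice #5120 dated 14 June 2024 is now overdue. "
             "Please review it at the portal link below.\nRegards, Accounts")
```

A and B share a fingerprint even though their exact hashes differ; C escapes the fingerprint but still scores well above half on shingle similarity, which is the kind of signal a proactive control can act on without waiting for the next hash update.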
Chapman says this is part of a broader trend that he calls the “reconnaissance and OSINT era.” Attackers are increasingly focused on compiling detailed profiles of their targets. The more data they have, the more they can customize and personalize their attacks. This reconnaissance-heavy approach allows them to launch new, unique attacks that are more likely to succeed.
Defenders need to shift to proactive security measures. This means new tools and greater user education to reduce the risk of a successful attack.
Compromised accounts lead to supply chain attacks
One of the key messages from this report is the increased use of compromised accounts by attackers. Chapman points out how effective that is from the attacker’s perspective. It provides them with a ready-built target list that is more likely to open and respond to emails.
Another risk from compromised accounts is that they allow an attacker to see the tools and vendors that an organisation uses. Attackers take that information and use it to craft impersonation attacks, knowing that users often won’t question the source.
The jump from there to supply chain attacks is also small. Rather than directly attacking a company, attackers are now looking to compromise trusted assets like vendors or suppliers. This allows them to use a compromised account to move from one company to another. It might take longer to reach the preferred target, but the intelligence gathering along the way pays off.
Attackers are using misdirection to fool defenders
Attackers often use mass campaigns to mask their intent. In the report, Egress describes a targeted attack on 17 employees of a customer. Chapman says that the attack was masked by a wide-scale attack on an organisation.
One technique that defenders need to watch for is what appears to be poorly crafted emails used in an attack. These emails are often designed to distract users and IT security teams, who think they are successfully defending against an attack. Instead, while they are dealing with those emails, the attackers surgically attack their intended target in the organisation.
The rise of AI as a threat
The use of AI as a threat vector has evolved considerably over the last year. A year ago, security companies talked about how AI made it easier to craft better phishing emails. They also focused on how it could generate linked phishing campaigns.
When asked about this, Chapman said that there was a new focus. AI and LLMs are still used in phishing to generate new attacks. However, Egress is seeing a more significant impact on reconnaissance and information gathering. It links back to his earlier comment about the reconnaissance and OSINT era.
The ability of AI to ingest very large amounts of data allows attackers to personalise attacks, which, says Chapman, makes them very effective. AI also brings a lot of the data that has been harvested over many years into play. The automation that comes with AI means that attackers can draw on personal information from years back that persuades victims that the attacker does know them.
Another set of AI-driven attacks is deep fakes, which are being used in multi-channel attacks. Chapman highlighted how attackers use deep fake technology to create convincing voice, image, and video content.
Such attacks are often targeted at people who have no regular personal contact with the person being impersonated. They are convincing enough to often persuade them to make financial transfers and are an evolution of Business Email Compromise attacks.
Chapman also warned that these attacks are particularly challenging to detect and mitigate. They are effective as they exploit the human element of security and the inherent trust that people place in familiar communication channels.
Enterprise Times: What does this mean?
Often with reports like this, it’s about looking at the statistics, comparing them to previous reports and remarking on how attackers are outmanoeuvring defenders. There is a degree of that here when you read the report. However, the discussion with Chapman offers a different perspective. Defenders need to spend more time thinking like an attacker to understand the entire kill chain of an attack.
It is not a new approach, and one would hope that defenders are constantly learning about how attacks are evolving. The reality, however, is that many organisations are so overwhelmed that they rely on just the tools they have purchased.
This report and Chapman’s comments serve as a harsh warning that that approach is not good enough. Instead, defenders need to be more actively engaged in how attacks are changing. The biggest concern here is the expectation that by next year 60% of attacks will be unique. It means that the tools we have today will be relegated to dealing with more traditional attack vectors, while vendors will need to develop new tools.