This week’s report that cyberattackers are laser-focused on crafting attacks specialized to bypass Microsoft’s default security showcases an alarming evolution in phishing tactics, security experts said this week.
Threat actors are getting better at slipping phishing attacks through the weak spots in platform email defenses, using a variety of techniques, such as zero-point font obfuscation, hiding behind cloud-messaging services, and delaying payload activation, for instance. They’re also doing more targeting and research on victims.
As a result, nearly 1 in 5 phishing emails (18.8%) bypassed Microsoft’s platform defenses and landed in workers’ inboxes in 2022, a rate that increased 74% compared to 2020, according to research published on Oct. 6 by cybersecurity firm Check Point Software. Attackers increasingly used techniques to pass security checks, such as Sender Policy Framework (SPF), and obfuscate functional components of an e-mail, such as using zero-size fonts or hiding malicious URLs from analysis.
The increasing capabilities of attackers is due to the better understanding of current defenses, says Gil Friedrich, vice president of email security at Avanan, an email security firm acquired by Check Point in August 2021.
“It is a family of 10 to 20 techniques, but they all lead to the objective of deceiving a company’s security layers,” he says. “The end result is always an email that looks genuine to the recipient but looks different to the algorithm that analyzes the content.”
Microsoft declined to comment on the research. However, the company has warned of advanced techniques, such as adversary-in-the-middle phishing (AiTM), which uses a custom URL to place a proxy server between a victim and their desired site, allowing the attacker to capture sensitive data, such as usernames and passwords. In July, the company warned that more than 10,000 organizations had been targeted during one AiTM campaign.
Check Point is not the only vendor to warn that phishing attacks are getting better. In a survey, email security firm Proofpoint found that 83% of organizations experienced a successful email-based phishing attack, nearly half again as many as suffered such an attack in 2020. Cybersecurity firm Trend Micro saw the number of phishing attacks more than double, growing 137% in the first half of 2022 compared to the same period in 2021, according to the firm’s 2022 Mid-year Cybersecurity report.
Meanwhile, cybercriminals services, such as phishing-as-a-service and malware-as-a-service, are encapsulating the most successful techniques into easy-to-use offerings. In a survey of penetration testers and red teams, nearly half (49%) considered phishing and social engineering to be the attack techniques with the best return on investment.
Research & Recon Inform Phishing
Attackers are improving too because of the effort that cyberattackers make in collecting intel for targeting victims with social engineering. For one, they’re utilizing the vast amounts of information that can be harvested online, says Jon Clay, vice president of threat intelligence for cybersecurity firm Trend Micro.
“The actors investigate their victims using open source intelligence to obtain lots of information about their victim [and] craft very realistic phishing emails to get them to click a URL, open an attachment, or simply do what the email tells them to do, like in the case of business e-mail compromise (BEC) attacks,” he says.
The data suggests that attackers are also getting better at analyzing defensive technologies and determining their limitations. To get around systems that detect malicious URLs, for example, cybercriminals are increasingly using dynamic websites that may appear legitimate when an email is sent at 2 a.m., for example, but will present a different site at 8 a.m., when the worker opens the message.
Improvements in Defense
Such techniques not only deceive, but take advantage of asymmetries in defending versus attacking. Scanning every URL sent in an email is not a scalable defense, says Check Point’s Friedrich. Running URLs in a full sandbox, analyzing the links to a specific depth, and using image processing to determine sites that are trying to mimic a brand requires a lot of computational power.
Instead, email security firms are deploying “click-time” analysis to tackle the problem.
“There are some algorithms or tests that you can’t run on every URL, because the compute is huge, it eventually become price prohibited,” he says. “Doing that at click time, we only need to do the tests on the URLs that users actually click on, which is a fraction, so 1% of the total links in e-mail.”
In addition, defenses increasing rely on machine learning and artificial intelligence to classify malicious URLs and files in ways that rules-based systems cannot, says Trend Micro’s Clay.
“Dealing with weaponized attachments can be difficult for those security controls that still rely on signatures only and don’t have advanced technologies that can scan the file using ML or a sandbox, both of which could detect many of these malware files,” he says.
In addition, previous statements from Microsoft have noted that Office 365 includes many of the email protection capabilities discussed by other vendors, including protection from impersonation, visibility into attack campaigns, and using advanced heuristics and machine learning to recognize phishing attacks affecting an entire organization or industry.