It’s been a year since states first enacted shelter in place orders, most employees began working outside their office networks at home. In 2020, phishing attacks grew 42%, according to new data in SlashNext’s State of Phishing 2021 report. The average cost of a corporate breach was $2.8 million, making phishing an urgent issue.
What was once spray and pray bulk phishing attacks, easily recognized for their lousy grammar and poor-quality logos, is now replaced by mass quantities of high quality, highly targeted spear-phishing attacks simulating messages from trusted sources. Bad actors became far more sophisticated at using automation, AI, and behavioral targeting to launch spear-phishing attacks aimed at harvesting our personal and corporate information from the same devices.
Phishing attacks moved faster than defenses, automated across people’s digital footprints. Short-lived phishing URLs gather valuable personal information and move on within 40-45 minutes to evade detection. Attacks generating 20,000+ subpages in 36 hours were too fast for human forensics to stop.
One of the most dangerous aspects of all this is that phishing attempts often come from legitimate infrastructures such as Google, Adobe, and Microsoft domain names. Cybercriminals used a variety of strategies to evade traditional phishing defenses, including compromised pages on legitimate infrastructure such as Google, Adobe, or Microsoft domain name, which made them difficult to detect.
Targeting Microsoft Users
Even before the sudden shift to a distributed work environment, Microsoft 365 was a popular phishing target. Instead of being limited to email, bad actors launched attacks on OneDrive, Teams, and other Microsoft communication channels.
These malicious users can be very targeted using specific information relevant to each channel. So, not only have we detected a dramatic increase in attacks targeting Microsoft users, but the success of these attacks has been unprecedented.
Companies rely on first-generation tools to defend against phishing attacks, whether securing their email gateway, proxies, firewalls, or other endpoints. Even some of the newer security solutions have been tuned to stop traditional phishing attempts. Today, it has become critical to detect a phishing attack at the time of its creation. According to a recent Tolly Group report, 2 out of 3 phishing attacks evade current Microsoft 365 defenses that most companies rely on.
Threat actors are constantly identifying unique ways to bypass Microsoft 365’s automated defenses and the security training many organizations provide to employees.
For example, attackers can use a business’ publicly available APIs to dynamically fetch the look and feel of an organization’s customized Microsoft 365 login page. When a user clicks on the phishing link, the first request goes to the authentic Microsoft landing page, where attackers pull the screenshot and logos and replicate on a compromised page. This tactic fools Microsoft’s automated defenses by providing a 100% accurate comparison between the real and compromised pages. At the same time, the attack establishes a sense of trust with users who are familiar with the company’s login page.
Secondly, PDF documents embedded with phishing links can be uploaded to popular cloud platforms like Google Drive, Dropbox, or Adobe Spark. Only after the user reads the document and clicks on the link will the phishing page open. Because this happens at the domain level, and it’s challenging to extract phishing text out of a PDF document, this tactic can fool both automated systems and users.
A third tactic exploits online forms like Google Forms or Survey Monkey. This tactic is effective in part because people aren’t even aware that these forms can mask phishing attacks. For instance, the attacker can set up a form to look like a standard IT support page requesting users to change their passwords due to a potential security breach. Users are then asked for their original password and new password. All of this provides the attacker with a wealth of information that can be used to compromise the system.
Organizations virtually spend all their money protecting their email environment from phishing attacks. And yet, SlashNext research shows that out of the thousands of phishing links sent daily, only 60% target email. The rest focus on the likes of social media, search engines, mobile devices, and so on.
Take the Google search engine, for instance. During tax season, attackers use SEO to move phishing links up the ranking. People looking up tax information click on search results that takes them to a phishing page that gathers their data. The same applies to COVID relief fund or vaccination information searches. The search options are limitless.
Phishing over SMS is another well-developed strategy. Apple iOS and Google Android devices do not have built-in protection against these types of attacks. An SMS either contains a phishing link or a request to transfer money to pay tax penalties, for example. WhatsApp is also seeing a growing number of attacks, where chats are initiated from Web page links, luring people to call the originator who proceeds to talk them into a money transfer scam.
Fighting AI with AI
Advanced protection and detection are required to fight these advanced threats. Every URL SlashNext inspects goes through a watchdog browser in the cloud where the page is fully rendered, and forensic information is extracted. In turn, this is fed into a patented artificial intelligence engine that uses computer vision, optical character recognition, and natural language programming to detect phishing the same way a person would do.
Once completed, this is fed into a machine learning engine designed to drive a definitive verdict – either a page is a phishing attempt or it’s not. Traditional defensive scoring models have little relevance in this regard. Phishing must be a binary system.
Ultimately, ensuring proper protection from phishing attacks comes down to incorporating multi-vector defenses to hunt phishing attacks across all communications mediums, whether email, Web pages, SMS messages, online advertisements, etc.
To hear more from Patrick and Atif watch the complete Phish Stories Webinar HERE.