Email Phishing Attacks Surge as Attackers Bypass Security Controls

Email phishing attacks rose by 28% in Q2 2024 compared to Q1, with attackers deploying effective ways to overcome defenses, according to a new Egress report.

One prevalent tactic was sending phishing emails from familiar, legitimate accounts that the attacker had already compromised. Mail sent this way passes SPF, DKIM and DMARC, because those checks only verify that a message genuinely originates from the domain it claims, not that the account holder actually wrote it.

In the period from April to June 2024, 44% of attacks were sent from internally compromised accounts, with 8% originating from an account within the organization’s supply chain.

Speaking at a briefing, Jack Chapman, SVP of Threat Intelligence at Egress, explained that the older tactic of attackers registering their own domains to send phishing emails has nearly disappeared.
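The reason a compromised account defeats sender authentication is worth spelling out: SPF, DKIM and DMARC confirm that a message really came from the domain in its From header, so a message from a hijacked mailbox passes all three. The following is an added example, not code from Egress or from the report. It assumes a protected tenant domain of corp.example, a small allowlist of known link domains, and three constructed messages (a classic spoof, mail from a compromised internal account, and a legitimate internal message); it parses the Authentication-Results header and shows that an authentication pass cannot be the delivery decision on its own.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example (not from the Egress report): the protected tenant
# is corp.example, and links to these domains are treated as known-good.
INTERNAL_DOMAIN = "corp.example"
KNOWN_LINK_DOMAINS = {"corp.example", "sharepoint.com"}

# Results of the three sender-domain checks in an RFC 8601 Authentication-Results header.
AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def parse_auth_results(header):
    """Map each method to its result, e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'}."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(header or "")}


def link_domains(text):
    """Hostnames of every http(s) URL found in the message body."""
    hosts = (urlparse(u).hostname for u in URL_RE.findall(text))
    return {h.lower() for h in hosts if h}


def is_known(domain):
    return any(domain == k or domain.endswith("." + k) for k in KNOWN_LINK_DOMAINS)


def assess(raw_message):
    """Decide deliver / review / quarantine. An authentication pass only proves the mail
    came from the claimed domain; a compromised mailbox passes all three checks, so the
    content signals are applied to authenticated mail as well."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_to = msg.get("Reply-To")
    reply_domain = parseaddr(reply_to)[1].rpartition("@")[2].lower() if reply_to else from_domain
    body = msg.get_payload() if not msg.is_multipart() else "".join(
        p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")

    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    unknown_links = sorted(d for d in link_domains(body) if not is_known(d))
    reasons = []
    if not authenticated:
        reasons.append("sender domain failed SPF/DKIM/DMARC")
    if reply_domain != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    if unknown_links:
        reasons.append("links to unknown domains: " + ", ".join(unknown_links))

    if not authenticated:
        verdict = "quarantine"
    elif reasons:
        verdict = "review"  # authenticated but suspicious: possible compromised account
    else:
        verdict = "deliver"
    return {"authenticated": authenticated, "internal_sender": from_domain == INTERNAL_DOMAIN,
            "unknown_links": unknown_links, "reasons": reasons, "verdict": verdict}


# Constructed sample messages (not real traffic). The first is a classic spoof from
# attacker infrastructure, the second was sent from a compromised corp.example mailbox.
SPOOFED_MESSAGE = """From: IT Helpdesk <it-helpdesk@corp.example>
To: alice@corp.example
Subject: Your password expires today
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=attacker-infra.example; dkim=none; dmarc=fail header.from=corp.example

Reset now: http://corp-example-login.attacker-infra.example/reset
"""

COMPROMISED_ACCOUNT_MESSAGE = """From: Bob Lee <bob@corp.example>
To: alice@corp.example
Subject: Document shared with you
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example

Hi Alice, please sign in to review: https://docs-sharing.attacker-infra.example/login
"""

LEGITIMATE_MESSAGE = """From: Bob Lee <bob@corp.example>
To: alice@corp.example
Subject: Q2 figures
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example

Q2 figures are here: https://corp.sharepoint.com/sites/finance/q2
"""

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED_MESSAGE), ("compromised", COMPROMISED_ACCOUNT_MESSAGE),
                      ("legitimate", LEGITIMATE_MESSAGE)]:
        print(name, assess(raw))
```

The point of the three cases is the middle one: it is fully authenticated and comes from an internal sender, so a gateway that gates on DMARC alone delivers it. Only the link to an unknown domain pulls it into review, and an internal sender that trips content checks is itself a signal that the account, not just the message, needs investigating.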

Another growing method of bypassing security tools is the use of QR codes as the payload, making up 12% of phishing emails. Embedding the URL in an image keeps it out of reach of filters that only inspect text and HTML links, and scanning it moves the victim onto a personal phone that usually sits outside corporate browsing controls.

The most prevalent payloads across all phishing emails analyzed in Q2 were hyperlinks, found in 45% of cases, followed by attachments, appearing in 23% of cases.

The purpose of these payloads was generally to steal credentials, said Chapman. Stolen credentials enable follow-up attacks and are a “commonly traded asset” among cybercriminals.

Most Phishing Emails Involve Impersonation

The report found that 89% of phishing emails sent between January 1 and August 31, 2024, involved impersonation – whether of a brand, department or individual.

Over a quarter (26%) of these emails impersonated brands unconnected to the recipient. Among these, 9.7% impersonated phone or video conferencing providers such as Zoom and 5.3% impersonated shipping services such as UPS or DPD.

Another popular impersonation technique was masquerading as the company the target is employed by, which made up 16% of all phishing emails.

HR, IT and finance were the most impersonated departments, as individuals in these areas regularly ask employees to carry out specific actions related to system use and payments.

Attackers are also getting better at tailoring attacks to an employee’s tenure and seniority. For example, new starters with a tenure of two to seven weeks were the individuals most targeted by phishing emails impersonating “VIPs”, typically senior executives within the organization such as the CEO.

Chapman noted that new employees are typically eager to please and be helpful, making them more susceptible to this tactic.

He added that attackers commonly use LinkedIn bots to identify new starters at organizations.

Commodity Attacks on the Rise

Egress observed the growing use of commodity phishing attacks – mass produced campaigns designed to overwhelm employees and cybersecurity administrators through sheer volume.

During a commodity campaign, target organizations experience a 2700% increase in phishing attacks compared to their normal baseline.

The prevalence of such campaigns has fluctuated. Egress observed that the popularity of commodity attacks peaked in December 2023, making up 13.6% of all phishing emails. The firm predicts a similar spike to occur in December 2024 as cybercriminals exploit increased legitimate advertising and brand emails during the festive holiday period.

Around three-quarters (72.3%) of commodity attacks used a hyperlink as a payload, followed by QR codes at 14%.

Chapman explained that many of the phishing emails sent during commodity campaigns are easy to detect but serve as “white noise” to enable more sophisticated phishing attempts to succeed.

“They’re purposefully being bad to enable an actual attack,” said Chapman.
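The operational consequence of the “white noise” tactic is that during a flood the few messages that matter are the ones that do not match the flood. The following is an added example, not code from Egress or from the report, and the report data is constructed (an assumed baseline of four reported phishing emails per day, two templated commodity campaigns, and one targeted message hidden among them). It reduces each report to a campaign fingerprint, measures the spike against the baseline, and surfaces the messages that belong to no campaign so an analyst sees them first instead of last.

```python
import re
from collections import Counter

# Assumed normal daily volume of user-reported phishing for this organization.
BASELINE_REPORTS_PER_DAY = 4
# A fingerprint seen at least this many times in a day is treated as a mass campaign.
CAMPAIGN_THRESHOLD = 5

# Constructed sample of one day's reports during a commodity flood (illustrative
# data, not figures from the Egress report): 40 gift-card lures, 10 parcel lures,
# and one targeted message buried in the noise.
REPORTS = (
    [{"sender": f"promo-{n}@winner-prizes.example",
      "subject": f"You WON a gift card, claim #{n}",
      "link_domain": "winner-prizes.example"} for n in range(1000, 1040)]
    + [{"sender": f"notice-{n}@parcel-hold.example",
        "subject": f"Parcel held: reference {n}",
        "link_domain": "parcel-hold.example"} for n in range(77000, 77010)]
    + [{"sender": "j.smith@corp-example.co",          # lookalike of the target's domain
        "subject": "Quick favour before my flight",
        "link_domain": "docs-sharing.attacker-infra.example"}]
)


def fingerprint(report):
    """Collapse a message to its campaign template: digits in the subject become '#',
    whitespace is normalised, and only the sender's domain and link domain are kept,
    so per-recipient serial numbers and mailbox names do not split one campaign."""
    subject = re.sub(r"\d+", "#", report["subject"].lower())
    subject = re.sub(r"\s+", " ", subject).strip()
    sender_domain = report["sender"].rpartition("@")[2].lower()
    return (sender_domain, subject, report["link_domain"].lower())


def triage(reports, baseline=BASELINE_REPORTS_PER_DAY):
    """Summarise a day's reports: spike over baseline, the mass campaigns, and the
    outliers (fingerprints seen exactly once) that deserve manual attention."""
    counts = Counter(fingerprint(r) for r in reports)
    increase_pct = round((len(reports) - baseline) / baseline * 100)
    campaigns = [(fp, n) for fp, n in counts.most_common() if n >= CAMPAIGN_THRESHOLD]
    outliers = [r for r in reports if counts[fingerprint(r)] == 1]
    return {"total": len(reports), "increase_pct": increase_pct,
            "campaigns": campaigns, "outliers": outliers}


if __name__ == "__main__":
    result = triage(REPORTS)
    print(f"{result['total']} reports, {result['increase_pct']}% over baseline")
    for fp, n in result["campaigns"]:
        print(f"campaign x{n}: {fp}")
    for r in result["outliers"]:
        print("outlier for analyst review:", r["sender"], "|", r["subject"])
```

The fingerprint is deliberately crude; in practice the same grouping is done on URL path structure, attachment hashes or body similarity. The design choice that matters is the inversion of priority: bulk clusters are closed with one decision and one block rule, and analyst time goes to whatever the clustering could not explain.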

Emergence of Multi-Channel Attacks

Another trend highlighted in the Egress report was that attacks are carried out in stages across several channels. This approach is typically employed by advanced persistent threat (APT) groups, which have the capability to run sophisticated and sustained campaigns against specific targets.

Chapman noted that while email is often the start and end point of these campaigns, there are numerous stages in the middle that utilize platforms like MS Teams and WhatsApp.

This multichannel tactic is a new vector, and attackers are quickly evolving their approaches within it. Their primary aim is to move communications with targets between different platforms and devices, both business and personal.

“It makes sense from a criminal point of view to move across devices – you break audit trails, so if you are successful mitigation is harder,” noted Chapman.

“The other key element is psychological. People have been taught to be very careful about clicking links on email but often are not trained about clicking links on Teams or WhatsApp,” he added.

Phishing-as-a-Service Toolkits Offer AI-Powered Capabilities

Egress analyzed phishing-as-a-service toolkits available on the dark web, which enable less-skilled threat actors to launch more sophisticated attacks than their own abilities would previously have allowed.

Of the toolkits analyzed, 74.8% referenced AI and 82% mentioned deepfakes to support phishing attacks.

Both the dark web marketplace sites and the sellers using them routinely offer assurance over the quality of their attacks and their own reputations. This includes guarantees of deliverability against Microsoft’s native defenses and major secure email gateway (SEG) providers.

Additionally, most of these providers offered 24/7 support to customers, typically via Gpg4win, Telegram, Signal and WhatsApp.
