2023 Great eXpeltations report: top six findings


Bad news: 2022 was a big year in cybersecurity.

Good news: We stopped a lot of attacks.

Better news: We sure learned a lot, didn’t we?

We just released our Great eXpeltations annual report, which details the major trends we saw in the security operations center (SOC) last year…and what you can do about them this year. You can grab your copy now, and here’s a taste of what you’ll find.

Top findings from the Great eXpeltations report

1: Business email compromise (BEC) accounted for half of all incidents, and remains the top threat facing our customers.

This finding is consistent with what we saw in 2021. Key numbers:

  • Of the BEC attempts we identified: more than 99% were in Microsoft 365 (M365—previously known as Office 365, or O365) and fewer than 1% occurred in Google Workspace.
  • Fifty-three percent of all organizations experienced at least one BEC attempt, and one organization was targeted 104 times throughout the year.

2: Threat actors moved away from abusing legacy authentication protocols to bypass multi-factor authentication (MFA) in M365.

Instead, attackers have adopted frameworks such as Evilginx2 to run adversary-in-the-middle (AiTM) phishing: a reverse proxy on a lookalike domain relays the real login page, captures the victim's credentials and the post-MFA session cookie, and replays that cookie for initial access with MFA already satisfied. FIDO2 (Fast IDentity Online 2) and certificate-based authentication stop AiTM attacks because the credential is bound to the site's origin, so an assertion produced on the proxy's domain is rejected by the real service. However, many organizations still don't use FIDO factors for MFA.
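To make the origin-binding point concrete, here is an added example (not code from the report or from Evilginx2) of the relying-party checks that defeat an AiTM proxy. The relying party, the proxy domain and the challenges are hypothetical, and the security key's ECDSA signature is replaced with an HMAC over the same byte layout (authenticatorData || SHA-256(clientDataJSON)) so the script runs with the standard library only; the checks themselves follow the WebAuthn assertion-verification order.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Hypothetical relying party (RP); the proxy domain is also made up.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example.com.evil.test"
# Stand-in for the security key's private key. A real FIDO2 key signs with ECDSA and the RP
# verifies with the public key registered at enrolment; HMAC keeps the example dependency-free
# while preserving exactly what is signed.
AUTHENTICATOR_KEY = b"\x11" * 32


def _host(origin: str) -> str:
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


def browser_get_assertion(page_origin: str, rp_id: str, challenge: str) -> dict:
    """What the browser plus key produce for navigator.credentials.get().

    The browser, not the page's JavaScript, writes the origin into clientDataJSON, and it
    refuses an rpId that is not the page's host or a parent of it (simplified suffix check).
    """
    host = _host(page_origin)
    if host != rp_id and not host.endswith("." + rp_id):
        raise ValueError(f"browser refuses rpId {rp_id} for origin {page_origin}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData (simplified) = SHA-256(rpId) || flags || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify(assertion: dict, expected_challenge: str) -> tuple[bool, str]:
    """Relying-party checks in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "bad type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature invalid"
    return True, "ok"


def legitimate_login() -> tuple[bool, str]:
    challenge = "c-001"  # issued by the RP
    return rp_verify(browser_get_assertion(RP_ORIGIN, RP_ID, challenge), challenge)


def aitm_relay() -> tuple[bool, str]:
    """Victim is on the proxy page; the proxy forwards the RP's real challenge. The browser only
    lets the proxy page use an rpId matching the proxy's own host, so the RP sees that origin."""
    challenge = "c-002"
    assertion = browser_get_assertion(PROXY_ORIGIN, _host(PROXY_ORIGIN), challenge)
    return rp_verify(assertion, challenge)


def aitm_forge() -> tuple[bool, str]:
    """Proxy rewrites origin and rpIdHash to look legitimate and reuses the stolen signature."""
    challenge = "c-003"
    stolen = browser_get_assertion(PROXY_ORIGIN, _host(PROXY_ORIGIN), challenge)
    forged = {
        "clientDataJSON": json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": RP_ORIGIN},
            separators=(",", ":"),
        ).encode(),
        "authenticatorData": hashlib.sha256(RP_ID.encode()).digest() + stolen["authenticatorData"][32:],
        "signature": stolen["signature"],
    }
    return rp_verify(forged, challenge)  # signature no longer covers the rewritten bytes


def aitm_uses_real_rpid() -> str:
    """Proxy page asks for the real rpId; the browser refuses before the key is even touched."""
    try:
        browser_get_assertion(PROXY_ORIGIN, RP_ID, "c-004")
        return "allowed"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("AiTM relay:", aitm_relay())
    print("AiTM forge:", aitm_forge())
    print("AiTM real rpId:", aitm_uses_real_rpid())
```

Contrast this with a password plus push or OTP factor: nothing in that exchange names the origin, so the proxy can relay it unchanged and collect the resulting session cookie. Deploying FIDO2 also means configuring the service to require it (for example, an Entra ID Conditional Access policy that demands a phishing-resistant authentication strength), otherwise the weaker factor remains available to the attacker.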

3: Threat actors targeted Workday to perpetrate payroll fraud.

In July, our SOC team began seeing BEC attempts, across multiple customer environments, seeking illicit access to human capital management systems—specifically, Workday. The goal of these attacks? Payroll and direct deposit fraud.

Once attackers access Workday, they modify the compromised user's payroll settings to add their own direct deposit details, redirecting the victim's paycheck into an account the attacker controls. (Which is just evil.) The lesson? Enforce MFA within Workday and implement approval workflows for changes to direct deposit information.

4: Eleven percent of incidents could have resulted in deployment of ransomware if we hadn’t intervened.

This represents a jump of seven percentage points over 2021. Because Microsoft now blocks VBA macros by default in Office files downloaded from the internet, ransomware threat groups and their affiliates are abandoning Visual Basic for Applications (VBA) macros and Excel 4.0 macros as their way into Windows environments. Instead, they're using disk image (ISO), shortcut (LNK), and HTML application (HTA) files: files extracted from a mounted ISO did not inherit the Mark of the Web, and LNK and HTA files execute without the macro block ever coming into play.

Here are some stats we find interesting:

  • Hackers used zipped JavaScript files to gain initial access in 44% of all ransomware incidents.
  • ISO files were used to gain initial access in 12% of all ransomware incidents. This attack vector didn’t make our list in 2021.
  • Nine percent of all ransomware incidents started with an infected USB drive.
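The initial-access vectors above (zipped JavaScript, ISO images, LNK shortcuts, HTA files) are all things a mail gateway or SOC triage script can catch before a user ever double-clicks. The following is an added example, not code from the report, of an attachment triage routine: it sniffs content before trusting the extension (attackers rename files), descends into ZIP archives, and recognises ISO 9660 images and Windows shortcuts by their on-disk headers. The extension lists and the sample attachments are constructed for the example; the samples contain no payload, only the structures the filter keys on.

```python
from __future__ import annotations

import io
import zipfile

# Constructed extension lists reflecting the page's findings; tune to your environment.
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
RISKY_EXT = {
    ".iso": "disk image (ISO)",
    ".img": "disk image (IMG)",
    ".lnk": "Windows shortcut (LNK)",
    ".hta": "HTML application (HTA)",
}
# Shell Link header: HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
ISO_MAGIC_OFFSET = 0x8001  # "CD001" identifier inside the first volume descriptor (sector 16)
ZIP_MAGIC = b"PK\x03\x04"
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate huge members (zip-bomb guard)


def _ext(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def classify(name: str, data: bytes) -> str | None:
    """Label one file. Content checks run first because the extension is attacker-controlled."""
    ext = _ext(name)
    if data.startswith(LNK_MAGIC):
        return "Windows shortcut (LNK)" + ("" if ext == ".lnk" else f" disguised as {ext or 'no extension'}")
    if len(data) >= ISO_MAGIC_OFFSET + 5 and data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == b"CD001":
        return "ISO 9660 image" + ("" if ext in (".iso", ".img") else f" disguised as {ext or 'no extension'}")
    if ext in SCRIPT_EXT:
        return f"script file ({ext})"
    if ext in RISKY_EXT:
        return RISKY_EXT[ext]
    return None


def triage(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return findings for one attachment, descending into ZIP archives up to two levels."""
    findings: list[str] = []
    if data.startswith(ZIP_MAGIC) and depth < 2:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                findings.extend(triage(f"{name}/{info.filename}", zf.read(info), depth + 1))
        return findings
    label = classify(name, data)
    if label:
        findings.append(f"{name}: {label}")
    return findings


def build_samples() -> dict[str, bytes]:
    """Constructed attachments: no malware, only the shapes the filter looks for."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2023.js", "// placeholder, shape only\n")
        zf.writestr("readme.txt", "plain text\n")
    iso = bytearray(ISO_MAGIC_OFFSET + 5 + 16)
    iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] = b"CD001"
    return {
        "invoice.zip": buf.getvalue(),
        "report.iso": bytes(iso),
        "scan.pdf": LNK_MAGIC + b"\x00" * 56,  # a shortcut renamed to .pdf
        "update.hta": b"<html><hta:application id=x></html>",
        "notes.txt": b"see you monday\n",
    }


def triage_all(samples: dict[str, bytes] | None = None) -> dict[str, list[str]]:
    samples = build_samples() if samples is None else samples
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(name, "->", findings or ["clean"])
```

In production this sits behind the gateway's existing unpacking, and the findings feed a block or quarantine decision rather than just a log line; the point of the header checks is that renaming `payload.lnk` to `scan.pdf` does not get past them, whereas an extension-only rule would let it through.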

5: Six percent of business application compromise (BAC) attempts used push notification fatigue to satisfy MFA.

Push notification fatigue occurs when an attacker who already holds a valid password sends repeated push notifications until the targeted employee "authorizes" or "accepts" one of them, which satisfies MFA. (Hackers may or may not have learned this technique from their four-year-olds at home.)
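The pattern is easy to spot in MFA logs once you look for it: a burst of denied or unanswered push prompts for one account followed by an approval. The script below is an added example (not from the report or any MFA vendor) of that detection over a constructed log; the log format, users and IP addresses are made up for the example, and a real deployment would parse the identity provider's own sign-in events instead.

```python
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed MFA push log, not any vendor's real format: one prompt outcome per line.
SAMPLE_LOG = """\
2022-09-14T02:14:05Z user=alice result=denied method=push ip=203.0.113.9
2022-09-14T02:14:31Z user=alice result=timeout method=push ip=203.0.113.9
2022-09-14T02:15:02Z user=alice result=denied method=push ip=203.0.113.9
2022-09-14T02:15:40Z user=alice result=denied method=push ip=203.0.113.9
2022-09-14T02:16:12Z user=alice result=approved method=push ip=203.0.113.9
2022-09-14T08:01:00Z user=bob result=denied method=push ip=198.51.100.7
2022-09-14T08:30:00Z user=bob result=approved method=push ip=198.51.100.7
2022-09-14T09:00:00Z user=carol result=approved method=push ip=192.0.2.4
2022-09-14T09:05:00Z user=dave result=denied method=push ip=192.0.2.9
2022-09-14T09:05:20Z user=dave result=denied method=push ip=192.0.2.9
2022-09-14T09:05:45Z user=dave result=denied method=push ip=192.0.2.9
"""


def parse_event(line: str) -> dict:
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_push_fatigue(
    log_text: str,
    window: timedelta = timedelta(minutes=10),
    min_unanswered: int = 3,
) -> list[dict]:
    """Return alerts for push-fatigue patterns.

    high:   an approval arrives after >= min_unanswered denied/timed-out pushes within `window`
            (the attacker got in; treat the session as compromised).
    medium: a burst of >= min_unanswered denied/timed-out pushes with no approval yet
            (the user is under pressure; the password is almost certainly known to the attacker).
    """
    recent: dict[str, deque] = defaultdict(deque)  # user -> timestamps of unanswered prompts
    last_seen: dict[str, dict] = {}
    alerts: list[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("method") != "push":
            continue
        q = recent[ev["user"]]
        last_seen[ev["user"]] = ev
        while q and ev["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if ev["result"] in ("denied", "timeout"):
            q.append(ev["ts"])
        elif ev["result"] == "approved":
            if len(q) >= min_unanswered:
                alerts.append({
                    "severity": "high",
                    "user": ev["user"],
                    "unanswered": len(q),
                    "first_prompt": q[0].isoformat(),
                    "last_event": ev["ts"].isoformat(),
                    "ip": ev["ip"],
                })
            q.clear()  # an approval ends the burst either way
    # Bursts still open at the end of the log: the user held the line, but flag the account.
    for user, q in recent.items():
        if len(q) >= min_unanswered:
            ev = last_seen[user]
            alerts.append({
                "severity": "medium",
                "user": user,
                "unanswered": len(q),
                "first_prompt": q[0].isoformat(),
                "last_event": ev["ts"].isoformat(),
                "ip": ev["ip"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately conservative; tune them to your environment's baseline of accidental denials. Detection is the backstop, not the fix: number matching (the user must type the number shown on the sign-in screen into the authenticator app) removes the "just tap approve" path entirely, and the FIDO2 factors discussed under finding 2 are not susceptible to this at all.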

6: Credential harvesters represented 88% of malicious email submissions. Credential theft via phishing continues to grow, with identity as the main focus of today's attacks.

The top subject lines in malicious emails that resulted in an employee click or compromise were, “Incoming Voice Message,” “Checking in,” and “Voice Mail Call received for <user’s email>.”

Our data shows that actionable, time-sensitive, and financially driven social engineering themes are most successful.

The full report tells you more—lots more—and provides insights and advice to help you defend against these threats. Give it a look and if you have questions drop us a line.