EXPEL BLOG

Expel Quarterly Threat Report volume IV: Phishing trends

· 3 MIN READ · AARON WALTON · JUL 25, 2024 · TAGS: MDR / Phishing

TL;DR

This is a summary of what you’ll find in each blog in this series:

  • Volume I: Q2 by the numbers. We’ll look at an overview of incidents and which attack types are trending. This is a summary of all the volumes for this quarter.
  • Volume II: Attackers advance with AI. In many cases, attackers use AI in place of the skills they don’t have or to augment their existing capabilities. We share examples and insights from attacks we’ve seen against our own customer base.
  • Volume III: Malware infection trends. We discuss what types of malware appear to be trending (spoiler alert: it’s Remote Access Trojans [RATs]) and long-time threats that don’t appear to be going away anytime soon.
  • ➡️ Volume IV: Phishing trends. Phishing-as-a-Service (PhaaS) platforms make phishing easy. These services really took off in the last year and a half and show no sign of stopping. We share what these are, how they work, and how they can be counteracted.
  • Volume V: Latent-risk infostealing malware. Infostealers present a serious risk to businesses. We examine recent notable breaches involving infostealers, highlighting the importance of being able to detect, mitigate, and respond to this form of malware.

In volume I of our threat report series, we highlighted that identity-based incidents are the top incident type we observe, quarter-over-quarter—largely the result of the increasing accessibility of Phishing-as-a-Service (PhaaS) platforms. In this volume, we take a closer look at PhaaS platforms and notable trends in attackers’ authentication sources.

Phishing platforms

Tools to perform phishing attacks aren’t new. Some are even helpful for red teams and penetration testers. However, over the last year and a half, cybercriminals launched several new Phishing-as-a-Service (PhaaS) platforms, and these platforms have unfortunately helped many attackers run their phishing campaigns.

Like the Platform-as-a-Service (PaaS) offerings that we’re familiar with in the IT world, PhaaS tools can make a robust platform easily available to attackers. The platform removes the work required to set up hosting and can provide attachment templates, so the hard work falls to the platform developers and attackers carry less overhead in running their campaigns.

For defenders, the availability of PhaaS offerings requires us to have defense-in-depth in place to ensure there are multiple opportunities for organizations’ security teams to detect an attack. This may mean verifying their email gateway is configured correctly and securely, blocking certain types of emails and attachments, detecting suspicious authentications, restricting access to certain geolocations or devices, or identifying malicious activity under an account (such as malicious inbox rules).

Defense-in-depth also allows defenders to observe patterns and build additional defenses. PhaaS services often create obvious patterns, thanks to the attachments they use or the authentication sources they log in from. In fact, we successfully identified malicious logins from one PhaaS because those logins consistently came from a few specific hosting providers, often using a few specific uncommon user-agents.

How to protect your organization:

Multi-factor authentication (MFA) is important, but it’s not enough. MFA prevents attackers from gaining access to your environment with a password alone, but threat actors are adapting. It’s standard for phishing kits and PhaaS platforms to provide adversary-in-the-middle (AiTM) capabilities. We recommend including additional restrictions to increase security, such as requiring authentication from managed devices (limiting logins from unknown devices).

Logging in

Whether via an AI-built Python script or a PhaaS service, attackers use stolen credentials to attempt to log in and abuse accounts—creating an important detection opportunity for defenders. Monitoring for logins with suspicious authentication sources is often a good indication of malicious activity. Chart 1 breaks down suspicious sources we identified this quarter.

In Q2, we found that 46% of malicious logins were from suspicious infrastructure. We define suspicious infrastructure as hosting providers and virtual private server (VPS) providers.

The providers range from lesser-known entities (such as Clouvider and GhostVPS) to the well-known (such as Azure and AWS). The use of a VPS allows attackers to distance themselves from the IP address associated with the login, helping them stay anonymous. The server locations can also help the attacker make their login appear to be from a closer and less suspicious location, making geolocation and regional-based detections less effective. Some business partners and SaaS solutions may use these same providers, making activity even less anomalous.

But attackers hide their location in other ways, too. In 14% of incidents, threat actors leveraged VPNs and TOR routing to disguise their location. With VPNs and TOR, attackers can set their location to a country or region more consistent with the victim they’re targeting. In another 2% of incidents, attackers used residential proxies—infected devices, such as home computers or phones, that an attacker can use like a VPN to hide their traffic. 

Even though threat actors have the means to disguise themselves, suspicious locations are still an important indicator of malicious activity. In fact, we identified 31% of incidents because the attacker’s geolocation differed substantially from the victim’s expected location. 
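The source categories above, together with the hosting-provider-plus-uncommon-user-agent pattern from the phishing platforms section, can be combined into one triage pass over sign-in logs. The following is an added example, not Expel's detection logic: the event fields, the per-user baseline, the enrichment values and the severity thresholds are all assumptions, and the sample events are constructed.

```python
HOSTING_ORGS = {"clouvider", "ghostvps", "microsoft azure", "amazon aws"}  # names from the report
# Hypothetical per-user baseline: usual country and previously seen user-agents.
BASELINE = {
    "alice@example.com": {"country": "US", "agents": {"Mozilla/5.0 Edg/125"}},
    "bob@example.com": {"country": "GB", "agents": {"Mozilla/5.0 Chrome/125"}},
    "carol@example.com": {"country": "US", "agents": {"Mozilla/5.0 Firefox/126"}},
}
# Constructed sign-in events, assumed already enriched with owner, anonymizer and country.
EVENTS = [
    {"user": "alice@example.com", "ip": "192.0.2.10", "org": "Example ISP",
     "anonymizer": None, "country": "US", "user_agent": "Mozilla/5.0 Edg/125"},
    {"user": "alice@example.com", "ip": "198.51.100.7", "org": "Clouvider",
     "anonymizer": None, "country": "US", "user_agent": "python-requests/2.31"},
    {"user": "bob@example.com", "ip": "203.0.113.5", "org": "Microsoft Azure",
     "anonymizer": None, "country": "GB", "user_agent": "Mozilla/5.0 Chrome/125"},
    {"user": "bob@example.com", "ip": "203.0.113.99", "org": "Example ISP",
     "anonymizer": "tor", "country": "GB", "user_agent": "Mozilla/5.0 Chrome/125"},
    {"user": "carol@example.com", "ip": "192.0.2.77", "org": "Example ISP",
     "anonymizer": None, "country": "BR", "user_agent": "Mozilla/5.0 Firefox/126"},
]

def classify(event, baseline=BASELINE):
    """Return the list of reasons a login source looks suspicious."""
    reasons = []
    base = baseline.get(event["user"])
    if event["org"].lower() in HOSTING_ORGS:
        reasons.append("hosting_or_vps")
    if event["anonymizer"] in ("vpn", "tor", "residential_proxy"):
        reasons.append("anonymizer:" + event["anonymizer"])
    if base and event["country"] != base["country"]:
        reasons.append("geo_mismatch")
    if base and event["user_agent"] not in base["agents"]:
        reasons.append("new_user_agent")
    return reasons

def severity(reasons):
    # Assumed thresholds: hosting alone is weak (partners and SaaS share providers).
    r = set(reasons)
    if "geo_mismatch" in r or {"hosting_or_vps", "new_user_agent"} <= r:
        return "high"
    if any(x.startswith("anonymizer:") for x in r):
        return "medium"
    return "low" if r else "none"

def triage(events):
    return [(e["user"], e["ip"], severity(r), r) for e in events if (r := classify(e))]

print(*triage(EVENTS), sep="\n")
```

The second event shows why geolocation alone misses VPS-sourced logins: the country matches the baseline, and only the hosting provider combined with the unfamiliar user-agent raises it to high.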

Stay tuned as we wrap up this series with a deeper dive on the latent risk of infostealing malware.

If you have questions or want to keep the conversation going, feel free to drop us a line, any time.

About these reports

The trends described in our QTRs are based on incidents our security operations center (SOC) identified through investigations into alerts, email submissions, or threat hunting leads in the second quarter (Q2) of 2024. We analyzed incidents across our customer base, which includes organizations of all sizes, in many industries, and with differing security maturity levels. In the process, we sought patterns and attacker tendencies to help guide strategic decision-making and operational processes for your team.