Phishing remains a persistent and pervasive threat in the digital landscape preying on end users and organisations alike. As technology advances, phishing campaigns continue to improve in sophistication, emphasising on the need for vigilance and awareness. To support your organisation in better protecting itself against this ever-present threat, here is an overview of the five most emerging phishing trends.
Despite being one of the oldest types of cyberattacks, phishing continues to pose significant challenges to organisations of all sizes, in all sectors. Cybercriminals continue to evolve their phishing attack techniques, experimenting with different lures, adopting new social engineering tricks, and embracing new ways to avoid detection. In this blog we share valuable insights into the latest ways threat actors try to bypass your organisation’s defences and zoom in on how to better protect yourself.
Emails Sent From Trusted Third Parties
Attackers increasingly send phishing emails to all the contacts of their victims and then respond on the email thread with specially crafted messages and a malicious URL.
Emails with Legitimate URLs
Attackers host phishing URLs on legitimate cloud service providers such as Adobe, Dropbox, Google, and Microsoft. After multiple redirects, victims are led to the final landing page, which steals credentials or downloads malicious payloads onto their machine. Given these are popular services, it is difficult to distinguish malicious links from genuine ones.
OneNote Malware
Attackers abuse OneNote to execute malicious software. Phishing campaigns observed by Microsoft Defender Experts include OneNote attachments, URLs leading users to download OneNote attachments, and PDFs containing URLs that led to OneNote malware downloading.
OAuth Device Code Phishing
The attacker generates a user code, then creates a phishing email with it and a link to provide the code. This allows the attacker to sign-in on behalf of the user.
Other Targeted Phishing Attempts
Microsoft’s experts also observed targeted phishing attempts in which attackers identified user-specific details through social engineering, then created tailored phishing campaigns using look-alike domains to which the users have subscribed, with contents matching the users’ interests. This significantly increases the success rate of a compromise attempt.
How to Step Up Your Game
The first step in defending your business against phishing is making sure that your employees know that these attacks exist and what they consist of. With education being one of the best defences against phishing, phishing simulation tools are a great way to decrease click rates and possible data breaches.
Want to learn more about how Microsoft’s Attack Simulation Training can empower your employees to defend against phishing attacks? Our Microsoft experts are keen to get you up to speed on its key capabilities and best practices with regards to the set-up, deployment, and reporting during our ‘Security Awareness with Microsoft‘ webinar on February 29th, 10am (GMT).
