Darktrace: 96% of Phishing Attacks in 2024 Exploited Trusted Domains Including SharePoint & Zoom Docs

Threat actors are increasingly targeting trusted business platforms such as Dropbox, SharePoint, and QuickBooks in their phishing email campaigns and leveraging legitimate domains to bypass security measures, a new report released today has found. By embedding sender addresses or payload links within legitimate domains, attackers evade traditional detection methods and deceive unsuspecting users.

According to Darktrace’s Annual Threat Report 2024, the authors detected more than 30.4 million phishing emails, reinforcing phishing as the preferred attack technique.

Legitimate Enterprise Services Hijacked for Most Phishing Campaigns in 2024

Darktrace noted cybercriminals are exploiting third-party enterprise services, including Zoom Docs, HelloSign, Adobe, and Microsoft SharePoint. In 2024, 96% of phishing emails utilized existing domains rather than registering new ones, making them hard to detect.

Attackers were observed using redirects via legitimate services, such as Google, to deliver malicious payloads. In the case of the Dropbox attack, the email contained a link to a Dropbox-hosted PDF with an embedded malicious URL.
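A defender-side triage sketch for the two link patterns described above, added here as an example and not taken from Darktrace's report or tooling. The trusted-domain list, reason labels and sample message are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: illustrative list built from services named in the article.
TRUSTED_SUFFIXES = ("google.com", "dropbox.com", "sharepoint.com")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def host_of(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def embedded_targets(url, depth=3):
    """Yield URLs carried in query parameters, undoing nested percent-encoding."""
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        candidate = value  # parse_qsl has already decoded one layer
        for _ in range(depth):
            if URL_RE.match(candidate):
                yield candidate
                break
            decoded = unquote(candidate)
            if decoded == candidate:
                break
            candidate = decoded

def triage_links(body):
    """Domain reputation alone never clears a link: classify what it carries."""
    findings = []
    for url in URL_RE.findall(body):
        if not is_trusted(host_of(url)):
            continue  # untrusted hosts go through normal reputation checks
        targets = [t for t in embedded_targets(url) if not is_trusted(host_of(t))]
        # Redirect to another domain: score the final destination instead.
        # Hosted file: fetch and scan the document for embedded URLs.
        reason = "trusted-redirect" if targets else "inspect-hosted-content"
        findings.append({"url": url, "reason": reason, "targets": targets})
    return findings

# Constructed sample message body (not real indicators).
SAMPLE = """Invoice attached:
https://www.google.com/url?q=https%3A%2F%2Flogin.payments.example%2Fverify&sa=D
https://www.dropbox.com/s/CONSTRUCTED/invoice.pdf?dl=0
https://intranet.corp.example/wiki
"""

if __name__ == "__main__":
    for finding in triage_links(SAMPLE):
        print(finding["reason"], finding["url"], finding["targets"])
```
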

Alternatively, threat actors abused hijacked email accounts, including those from Amazon Simple Email Service, belonging to business partners, vendors, and other trusted third parties. The report’s authors say this “highlight(s) that identity continues to be an expected problem account and a persistent source of pain across enterprise and business networks.”

Phishing Attacks Surge With AI-Generated Tactics

Among the phishing emails that Darktrace found:

  • 2.7 million contained multistage malicious payloads.
  • More than 940,000 contained malicious QR codes.

The sophistication of phishing attempts continues to rise, with spear phishing (highly targeted email attacks) making up 38% of cases. Meanwhile, 32% use novel social engineering techniques. This complexity might manifest as increased volume, punctuation, or sentence length.

Darktrace collated insights from its more than 10,000 global customers for its Annual Threat Report 2024, leveraging self-learning AI, anomaly-based detection, and thorough analysis from its threat research team.

Living-off-the-Land Techniques: A Growing Security Threat

Another attack method involves initial network breaches via vulnerabilities in edge, perimeter or internet-facing devices, followed by living-off-the-land (LOTL) techniques, which exploit pre-installed, legitimate enterprise tools to execute malicious activities while avoiding detection.

Darktrace found that 40% of identified campaign activity in early 2024 involved the exploitation of internet-facing devices, including from Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks, and Fortinet. Attackers favor LOTL techniques because they remove the need for custom malware and reduce the risk of triggering traditional security alerts.

On top of exploiting vulnerabilities in these edge devices, threat actors are increasingly leveraging LOTL techniques.

Ransomware groups exploit enterprise tools for stealth attacks

Ransomware groups, including Akira, RansomHub, Black Basta, Fog, and Qilin, along with emerging actor Lynx, have increasingly used legitimate enterprise software. Darktrace has observed these groups using:

  • AnyDesk and Atera to mask command-and-control communications.
  • Data exfiltration to cloud storage services.
  • File-transfer technology for rapid exploitation and double extortion.

These groups are also frequently recruited for ransomware-as-a-service or malware-as-a-service (MaaS), with the use of MaaS tools rising 17% from the first to the second half of 2024. Use of remote access Trojans, malware which allows an attacker to remotely control an infected device, also increased by 34% over the same period.
