Cybercriminals increasingly using legitimate websites to hide malicious payloads
A new report shows a 121 percent increase in cybercriminals using legitimate websites to obfuscate malicious payloads.
The report from Egress, based on data from its Egress Defend cloud email security solution, shows YouTube, Amazon AWS, Google Docs, Firebase Storage, and DocuSign to be among the top 10 most frequently used sites.
Jack Chapman, VP of threat intelligence at Egress, says:
The evolution of phishing emails continues to pose a major threat to organizations, emphasizing the need to enhance defenses to prevent attacks.
Although traditional signature-based detection can filter out phishing emails with known malicious payloads (attachments and links), cybercriminals are constantly refining their attack methods to bypass existing detection systems and appear more credible to their victims. Our report reveals that attacks are increasingly leveraging social engineering, advanced technical measures, and compromised email addresses to deliver sophisticated payloads or defraud organizations. Every attack we analyzed had bypassed other forms of anti-phishing detection, including secure email gateways (SEGs). By producing this report, we intend to equip cybersecurity professionals with insights into advanced attacks, highlight the necessity of evolving defenses in their cloud email platform, and provide strategic recommendations to help them do so.
The findings also reveal a 51 percent increase in phishing emails sent from compromised legitimate email accounts in the first four months of 2023. When analyzing these attacks, researchers found that 71 percent of the attachment-based payloads were HTML smuggling attacks. HTML smuggling allows the attacker to build malware behind an organization's firewall. It is a highly evasive technique that is increasing in prevalence because it enables phishing emails to bypass traditional email security controls.
The full report is available from the Egress site.