Threat actors are increasingly targeting trusted business platforms such as Dropbox, SharePoint, and QuickBooks in their phishing email campaigns and leveraging legitimate domains to bypass security measures, a new report released today has found. By embedding sender addresses or payload links within legitimate domains, attackers evade traditional detection methods and deceive unsuspecting users.
According to Darktrace’s Annual Threat Report 2024, the authors detected more than 30.4 million phishing emails, reinforcing phishing as the preferred attack technique.
Legitimate enterprise services hijacked for most phishing campaigns in 2024
Darktrace noted cybercriminals are exploiting third-party enterprise services, including Zoom Docs, HelloSign, Adobe, and Microsoft SharePoint. In 2024, 96% of phishing emails utilised existing domains rather than registering new ones, making them hard to detect.
Attackers were observed using redirects via legitimate services, such as Google, to deliver malicious payloads. In the case of the Dropbox attack, the email contained a link leading to a Dropbox-hosted PDF with an embedded malicious URL.
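As an added illustration (not code from the report or from Darktrace), the routine below flags the two link patterns described above from the defender's side: a link to a legitimate file-hosting service arriving from an outside sender, and a trusted domain acting as a redirect hop whose query string carries the real destination. The list of hosting domains, the organisation's own domain and the sample messages are constructed for the example and are not taken from the report.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Suffixes of legitimate hosting/collaboration services named in the article.
# This list is an assumption for the example, not Darktrace's detection logic.
TRUSTED_HOSTING = ("dropbox.com", "sharepoint.com", "hellosign.com", "adobe.com")

# The organisation's own mail domains (constructed); links to the company's
# own hosted files from its own senders are treated as expected.
OWN_DOMAINS = ("corp.example",)

# Rough URL matcher; trailing sentence punctuation is stripped afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _host_in(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def nested_url(url):
    """Return an http(s) URL carried inside a query parameter, if any.

    Redirect abuse of a trusted domain looks like
    https://trusted.example/redirect?to=https://lure.example/... so the
    real destination is the nested URL, not the visible host.
    """
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            value = unquote(value)
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def triage_links(body, sender_domain, own_domains=OWN_DOMAINS):
    """Flag links that use a legitimate domain either as the lure or as a hop.

    Returns a list of (finding, url, nested_target) tuples.
    """
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:)")
        host = urlparse(url).hostname or ""
        target = nested_url(url)
        if target is not None:
            findings.append(("redirect_to_nested_url", url, target))
        elif _host_in(host, TRUSTED_HOSTING) and not _host_in(sender_domain, own_domains):
            findings.append(("hosted_file_from_external_sender", url, None))
    return findings


# Constructed sample messages: (label, sender domain, body). Not real emails.
SAMPLES = [
    ("vendor_dropbox_pdf", "vendor-example.test",
     "Hi, the updated invoice is at https://www.dropbox.com/s/a1b2c3/Invoice_Q4.pdf?dl=0 - please review."),
    ("google_redirect", "notify.example.test",
     "Your document is ready: https://www.google.com/url?q=https://login-portal.example.test/verify&sa=D"),
    ("internal_sharepoint", "corp.example",
     "Handbook update: https://corpexample.sharepoint.com/sites/HR/Handbook.pdf"),
    ("plain_external_link", "news.example.test",
     "Read more at https://blog.example.test/post/1."),
]


def run_samples():
    """Triage every constructed sample and return findings keyed by label."""
    return {label: triage_links(body, sender) for label, sender, body in SAMPLES}


if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(label, "->", findings or "no finding")
```

Both checks are heuristics: newsletter click-trackers also wrap destinations in query parameters, and partners do legitimately share files, so in practice the output feeds a sender-reputation or analyst review step rather than blocking on its own. The point it demonstrates is that the visible host of a link is not the thing to trust; the sender relationship and the final destination are.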
Alternatively, threat actors abused hijacked email accounts, including those from Amazon Simple Email Service, belonging to business partners, vendors, and other trusted third parties. The report’s authors say this “highlight(s) that identity continues to be an expensive problem across the estate and a persistent source of pain across enterprise and business networks.”
Phishing attacks surge with AI-generated tactics
Among the phishing emails that Darktrace found:
- 2.7 million contained multistage malicious payloads.
- More than 940,000 contained malicious QR codes.
The sophistication of phishing attempts continues to rise, with spear phishing — highly targeted email attacks — making up 38% of cases. Meanwhile, 32% use novel social engineering techniques such as AI-generated text with linguistic complexity. This complexity might manifest as increased text volume, punctuation, or sentence length.
Darktrace collated insights from its more than 10,000 global customers for its Annual Threat Report 2024, leveraging self-learning AI, anomaly-based detection, and thorough analysis from its threat research team.
Living-off-the-land techniques: A growing security threat
Another attack method involves initial network breaches via vulnerabilities in edge, perimeter, or internet-facing devices, followed by living-off-the-land (LOTL) techniques. This strategy exploits pre-installed, legitimate enterprise tools to execute malicious activities while avoiding detection.
Darktrace found that 40% of identified campaign activity in early 2024 involved the exploitation of internet-facing devices, including Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks, and Fortinet products. Attackers favor LOTL techniques because they eliminate the need for custom malware and reduce the risk of triggering traditional security alerts.
On top of exploiting vulnerabilities in these edge devices, threat actors are increasingly using stolen credentials to log into remote network access solutions like VPNs for initial network access, before leveraging LOTL techniques.
Ransomware groups exploit enterprise tools for stealth attacks
Ransomware groups — including Akira, RansomHub, Black Basta, Fog, and Qilin, along with the emerging actor Lynx — have increasingly been using legitimate enterprise software. Darktrace has observed these groups using:
- AnyDesk and Atera to mask command-and-control communications.
- Data exfiltration to cloud storage services.
- File-transfer technology for rapid exploitation and double extortion.
These groups are also frequently recruited for Ransomware-as-a-Service or Malware-as-a-Service, with the use of MaaS tools increasing by 17% from the first to the second half of 2024. Use of Remote Access Trojans (malware that allows an attacker to remotely control an infected device) also increased by 34% over the same period.