Both criminal and nation-state threat actors have “rapidly increased in sophistication” over the past twelve months, according to Microsoft’s Digital Defense report. Microsoft found that attackers are putting more effort into social engineering tactics, and they’re incorporating more familiar techniques like credential stuffing to maximize their effectiveness.
“Email phishing in the enterprise context continues to grow and has become a dominant vector,” the report states. “Given the increase in available information regarding these schemes and technical advancements in detection, the criminals behind these attacks are now spending significant time, money, and effort to develop scams that are sufficiently sophisticated to victimize even savvy professionals. Attack techniques in phishing and business email compromise (BEC) are evolving quickly. Previously, cybercriminals focused their efforts on malware attacks, but they’ve shifted their focus to ransomware, as well as phishing attacks with the goal of harvesting user credentials.”
Microsoft warns that attackers are automating their attacks in order to avoid detection,which results in millions of new malicious URLs being distributed each month.
“In 2019 we blocked over 13 billion malicious and suspicious mails, out of which more than 1 billion were URL-based phishing threats (URLs set up for the explicit purpose of launching a phishing credential attack),” the report says. “These URLs were set up and weaponized just in time for the attacks and had no previous malicious reputation. We’re seeing approximately 2 million such URL payloads being created each month for credential harvesting, orchestrated through thousands of phishing campaigns.”
Microsoft notes that the number of COVID-19 themed phishing attacks has fallen in recent months, after spiking in March. This isn’t surprising: the attackers exploited the chaos and confusion at the start of the pandemic, then adapted their lures when things (sort of) began to settle down.
“Over the past several months, we have seen cybercriminals play their well-established tactics and malware against our human curiosity and need for information,” Microsoft says. “Attackers are opportunistic and will switch lure themes daily to align with news cycles, as seen in their use of the COVID-19 pandemic.”
While attackers are constantly evolving their tactics to evade new defenses, Microsoft notes that most of these attacks are still fundamentally similar.
“Despite sophistication and diversity of the attacks, the methodology is often the same, whether the actors use large-scale attacks for financial gain or targeted attacks to support geopolitical interests,” the report says. “A phishing email can be a massive campaign targeting millions of users or a single, targeted email that represents a socially engineered marvel many months in the making.”
Likewise, Microsoft points out that organizations and individuals can thwart most cyberattacks by implementing basic security hygiene.
“Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace: that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies and, especially, enabling multi-factor authentication (MFA),” Microsoft says. “Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks.”