
The shifting landscape of phishing attacks


Nathaniel Jones at Darktrace explains how cyber-criminals are exploiting collaboration tools

 

Collaboration tools have become an integral part of the modern workplace, facilitating seamless interaction and file sharing among colleagues. In fact, 75% of people have reported adopting a new tool to help them better meet business communication challenges in the past 12 months.

 

While email remains a primary vector for phishing attacks, threat actors are now targeting employees through seemingly innocuous messages on collaboration platforms like Microsoft Teams, bypassing traditional email security measures. 

 

Inherent trust in these platforms can make employees less suspicious of messages and links shared through them, as they assume they are safe and legitimate. Cyber-criminals are capitalising on this trust, crafting convincing phishing messages that blend in with the regular flow of communication on these tools. 

 

The Microsoft Teams attack: a new frontier

One recent, and stark, example of this trend was an attack we identified on an international hotel chain, where cyber-criminals impersonated the hotel’s domain and attempted to harvest employee credentials through Microsoft Teams.

 

The attackers created and sent 63 messages across 21 different chats, affecting 21 unique SaaS users, all within a mere five minutes. Each chat contained an external URL that imitated Microsoft SharePoint’s legitimate domain through a technique known as ‘typo-squatting’.

 

Had an employee clicked on the malicious URL, they would have been directed to a fake SharePoint page presenting a document titled "New Employee Loyalty Program". Upon attempting to access this file, the unsuspecting user would be prompted to enter their credentials on a fraudulent Microsoft login page, effectively handing over their sensitive information to the attackers.

 

This attack demonstrates the level of sophistication and planning that goes into modern phishing campaigns, as well as the speed at which they can be executed. 
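The pattern described above (one sender, lookalike SharePoint links, many chats, five minutes) can be expressed as a simple detection rule. The following is an added example, not code from the article or from Darktrace; the message fields (`ts`, `sender`, `chat_id`, `text`), the thresholds and the sample lookalike domain are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

PROTECTED = ["sharepoint.com"]   # assumption: domains worth guarding against imitation
WINDOW = timedelta(minutes=5)    # burst window, matching the five minutes in the incident
MIN_CHATS = 5                    # assumption: distinct chats reached before alerting

def edit_distance(a, b):  # Levenshtein distance between two strings
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(host):
    """Return the protected domain that host imitates, or None if genuine/unrelated."""
    host = (host or "").lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in PROTECTED):
        return None  # the real domain or one of its subdomains
    tail = ".".join(host.split(".")[-2:])  # simplification: no public-suffix list
    return next((d for d in PROTECTED if 0 < edit_distance(tail, d) <= 2), None)

def detect_bursts(messages):
    """Alert on senders who post lookalike links to many chats within WINDOW."""
    hits = defaultdict(list)
    for m in messages:
        for url in re.findall(r"https?://[^\s\"'<>]+", m["text"]):
            if target := lookalike(urlparse(url).hostname):
                hits[m["sender"]].append((m["ts"], m["chat_id"], target))
    alerts = []
    for sender, rows in hits.items():
        rows.sort()
        start = best = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1  # slide the window forward
            best = max(best, len({chat for _, chat, _ in rows[start:end + 1]}))
        if best >= MIN_CHATS:
            alerts.append({"sender": sender, "chats": best, "imitates": rows[0][2]})
    return alerts

# Constructed sample (not incident data): 63 messages over 21 chats in about 4 minutes.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE = [{"ts": T0 + timedelta(seconds=4 * i), "sender": "ext@guest.example",
           "chat_id": f"chat-{i % 21}",
           "text": "New Employee Loyalty Program https://sharepoiint.com/doc"} for i in range(63)]
```

A colleague sharing genuine `*.sharepoint.com` links across the same number of chats produces no alert, because only hosts that are close to, but not part of, a protected domain are counted.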

 

Challenges of securing a fragmented workplace 

The fragmented nature of the modern workplace, with multiple cloud services in use, makes it challenging for network administrators to keep track of all potential entry points for attackers. Traditional security solutions often struggle to detect and prevent these cloud-based attacks, as they may not take user behaviour into account when assessing the legitimacy of access attempts.

 

Account takeover is the most common initial access method. In fact, Google Cloud’s 2023 Threat Horizons Report found that 86% of breaches involve stolen credentials, and credential issues account for over 60% of compromise factors.

 

As businesses adopt an increasing number of cloud services and collaboration tools, the attack surface expands, providing more opportunities for cyber-criminals to infiltrate networks. Each new platform introduces its own set of vulnerabilities and potential entry points, making it difficult for security teams to maintain a comprehensive view of their organisation’s security posture. 

 

The rise of AI-powered phishing 

As cyber-criminals continue to refine their phishing techniques, they are also increasingly turning to artificial intelligence (AI) to create highly personalised and convincing messages.

 

By leveraging AI algorithms, attackers can analyse vast amounts of publicly available data to craft targeted phishing emails that are tailored to the recipient’s interests, job role, and even personal life.

 

In our End of Year Threat Report, we analysed over 10 million phishing emails targeting customer environments between September 1 and December 31, 2023. Our findings signal that attackers are starting to take advantage of advancements in AI, including using Generative AI tools such as Large Language Models (LLMs) to create more convincing and sophisticated phishing messages.

 

For example, an AI-powered phishing campaign could scan an employee’s social media profiles to gather information about their hobbies, recent vacations, or professional connections. This information can then be used to create a highly persuasive phishing message that appears to come from a trusted source, such as a colleague or a company they have recently interacted with.

 

By personalising the message and making it more relevant to the recipient, cyber-criminals can significantly increase the likelihood of the employee falling for the scam. 

 

The use of AI in phishing attacks also allows cyber-criminals to scale their campaigns more effectively. In the first two months of 2023, we saw a 135% increase in ‘novel social engineering attacks’, corresponding with the widespread adoption of ChatGPT, and we continued to see this rise by 35% at the end of last year.

 

Rather than manually crafting individual messages, attackers can use AI to generate thousands of personalised emails, each tailored to a specific recipient. The attackers don’t even need to speak the language of the individuals or groups they’re targeting. LLMs lower language barriers for attackers; using their native tongue, they can simply ask the Generative AI to write a message in the language of their choosing.

 

This automation enables them to target a much larger number of potential victims, increasing the chances of a successful attack.  

 

A proactive approach to cyber-security

As cyber-criminals continue to evolve their tactics, organisations must adopt a proactive and comprehensive approach to cyber-security. This includes not only fortifying email security but also extending protection to collaboration tools and cloud services. Employees should be regularly trained on identifying and reporting suspicious messages, regardless of the platform they arrive on. 

 

A proactive approach to cyber-security involves continuous monitoring and analysis of user behaviour across all communication channels. By establishing a baseline of normal activity, security teams can more easily identify anomalies and potential threats.

 

Regular security awareness training for employees is also crucial, as it empowers them to become the first line of defence against phishing attempts. This training should cover not only email-based phishing but also the emerging threats posed by collaboration tools and cloud services. 

 

Fighting AI with AI

Businesses should also consider implementing advanced security solutions that leverage AI to detect and respond to threats in real time. AI-powered tools can analyse vast amounts of data from multiple sources, identifying patterns and anomalies that may indicate a potential threat.

 

Crucially, combining multiple AI methods is the most effective way to improve cyber-security: it improves threat detection, accelerates threat investigation and response, and provides visibility across an organisation’s digital environment.

 

AI security tools can keep an eye on a customer’s email, cloud services, and network, looking for any unusual activity. If something suspicious is found in multiple places, advanced AI can connect the dots to see the bigger picture. The AI then explains the potential security threat in simple terms, making it easy for the customer to understand what’s going on and take action to protect themselves. 

 

AI-driven security solutions can automate many of the manual tasks associated with threat detection and response, freeing up security teams to focus on more strategic initiatives.

 

Safeguarding the modern workplace

By staying informed about the latest attack trends and investing in robust, adaptive security solutions, organisations can better protect their employees and sensitive data from the evolving landscape of phishing attacks.

 

As the lines between email, collaboration tools, and cloud services continue to blur, a holistic approach to cyber-security is essential to safeguarding the modern workplace. 

 

This holistic approach should encompass not only technological solutions but also people and processes. By fostering a culture of security awareness, encouraging open communication about potential threats, and implementing clear incident response plans, organisations can build resilience against even the most sophisticated phishing attempts.

 

Ultimately, the key to staying ahead of cyber-criminals lies in remaining vigilant, adaptable, and proactive in the face of an ever-changing threat landscape. 

 


 

Nathaniel Jones is Director of Strategic Threat and Engagement at Darktrace

 

Main image courtesy of iStockPhoto.com and Just_Super

 


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543