May 01, 2024
Key Points
It will come as no surprise that phishing was the most popular way for threat actors to initially access a targeted network in 2023—representing a staggering 71.1% of all tactics, techniques, and procedures (TTPs) observed in ReliaQuest customer true-positive incidents. Phishing has become ubiquitous and deeply ingrained in cybercrime. That such an old technique continues to dominate the first stage of the attack chain illustrates its effectiveness and constant threat, despite advancements in cybersecurity and newer, more sophisticated attack vectors. Its success is rooted in its simplicity and exploitation of the most vulnerable link in any security system: humans.
To provide current insights into threat actors’ use of phishing, we analyzed data from January 2024 activity in the environments of ReliaQuest customers, spanning multiple sectors and regions. We aimed to examine real-world examples and uncover the latest patterns in phishing attacks. The result is actionable advice provided throughout this report, enabling defenders to proactively safeguard against this threat.
Our data showed that phishing campaigns against organizations frequently use disposable email accounts set up with Azure, Microsoft’s cloud computing platform, all with similar naming conventions. This indicates that the creation of the accounts is likely automated and occurring on a very large scale, and that the popular recommendation to block individual senders is ineffective.
Figure 1: Sample of abused onmicrosoft.com emails
The addresses of malicious sender accounts seem to follow a naming pattern: [word]_[random string]@x[6 random characters].onmicrosoft.com. Attackers seem to be exploiting the Microsoft 365 ecosystem by creating numerous trial accounts with that software suite, which inherently offers access to Exchange Online. The latter is a key component of the Microsoft 365 suite, providing email hosting and enabling users to manage their email, calendar, and contacts.
Threat actors can automatically enable Exchange Online, likely by using a script, and use the legitimate platform to launch their phishing campaigns. Taking advantage of a trusted corporate service to distribute phishing messages lends authenticity to the malicious activity. And it can be very effective: Phishing campaigns will persist until the trial period ends or the account is shut down to prevent malicious activity.
The use of Azure for temporary phishing email accounts is notable because of the domain containing “microsoft.com”. The recipient of a message from such an account may mistake it for a Microsoft email, especially if the subject line conveys urgency—and quickly click a phishing link or malicious attachment. Compared to other free email providers, such as Gmail, this tactic is more challenging to identify as phishing, making it an ideal strategy for threat actors. It is highly probable that the abuse of Azure email accounts will continue to see an upward trend.
To counter the use of Azure accounts sending phishing emails, establish a detection method that targets the common naming convention. Specifically, set up an email quarantine policy to isolate messages sent by an address including @x<random>.onmicrosoft.com. This will capture suspicious emails before they reach users’ inboxes, in a dynamic, pre-emptive defense approach.
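The quarantine rule described above can be expressed as a small sender-address check. The following is an added example, not ReliaQuest's code or a GreyMatter rule: it parses the `From:` header, matches the tenant-domain pattern `@x<6 random characters>.onmicrosoft.com` from the report, and reports higher confidence when the local part also follows the `[word]_[random string]` convention. The character class used for "random" and the sample headers are assumptions and constructed data; the report only states that the characters are random.

```python
import re
from email.utils import parseaddr

# Tenant-domain pattern from the report: "x" + 6 random characters + ".onmicrosoft.com".
# Assumption: the random characters are lowercase letters or digits (the report says only "random").
SUSPICIOUS_TENANT_RE = re.compile(r"^x[a-z0-9]{6}\.onmicrosoft\.com$", re.IGNORECASE)

# Full naming convention from the report: [word]_[random string]@x[6 chars].onmicrosoft.com
FULL_PATTERN_RE = re.compile(r"^[a-z]+_[a-z0-9]+@x[a-z0-9]{6}\.onmicrosoft\.com$", re.IGNORECASE)


def sender_address(from_header: str) -> str:
    """Return the bare, lower-cased address from a From: header (display names stripped)."""
    _, addr = parseaddr(from_header)
    return addr.strip().lower()


def classify_sender(from_header: str) -> dict:
    """Decide whether a message should be quarantined based on its sender address.

    'quarantine' with confidence 'high'   -> domain and local part both match the convention
    'quarantine' with confidence 'medium' -> only the disposable-tenant domain matches
    'review'                              -> sender could not be parsed
    'deliver'                             -> no match; normal tenants such as contoso.onmicrosoft.com pass
    """
    addr = sender_address(from_header)
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return {"address": addr, "verdict": "review", "reason": "unparseable sender"}
    if SUSPICIOUS_TENANT_RE.match(domain):
        confidence = "high" if FULL_PATTERN_RE.match(addr) else "medium"
        return {
            "address": addr,
            "verdict": "quarantine",
            "confidence": confidence,
            "reason": "sender domain matches disposable x<random>.onmicrosoft.com tenant pattern",
        }
    return {"address": addr, "verdict": "deliver", "reason": "no disposable-tenant pattern"}


def triage(from_headers) -> dict:
    """Classify a batch of From: headers and count verdicts (useful for tuning before enforcing)."""
    results = [classify_sender(h) for h in from_headers]
    counts = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return {"results": results, "counts": counts}


# Constructed sample headers (not real senders from the report).
SAMPLE_FROM_HEADERS = [
    "Microsoft Support <Invoice_k3j9dq2@xA1b2C3.onmicrosoft.com>",  # full convention
    "bob@x1a2b3c.onmicrosoft.com",                                  # domain only
    "alice@contoso.onmicrosoft.com",                                # legitimate default tenant domain
    "payroll_9q8w7e@xa1b2c3.onmicrosoft.com.example",               # lookalike; anchored regex rejects it
]

if __name__ == "__main__":
    for r in triage(SAMPLE_FROM_HEADERS)["results"]:
        print(r)
```

The domain regex is anchored at both ends on purpose: a lookalike such as `xa1b2c3.onmicrosoft.com.example` must not match, and a legitimate tenant's default domain (`contoso.onmicrosoft.com`) must still deliver. Run `triage` over a week of real `From:` headers in monitor-only mode before switching the verdict to an enforced quarantine, so that any business partner using a short-named default tenant domain can be allowlisted.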
According to our data set, phishing operators are choosing from multiple techniques to deliver malicious files. Here are some of the most common ones we saw:
Approximately 50% of the attachment file types we identified were HTM/HTML or PDF, suggesting that HTML smuggling and malicious redirection remain favored tactics to harvest credentials. Files are strategically named to seem credible and pressing; ReliaQuest has pinpointed the five most frequently used keywords in our data set’s phishing filenames, which were intended to entice recipients to open attachments:
There was also a 10% increase in emails mentioning “tax” and “taxes” from December 2023 to January 2024, aligning with the onset of tax season in many countries. During that timeframe, staff are more likely to expect tax-related communication. Threat actors are very likely considering current events when devising phishing emails, aiming to boost the likelihood that an unsuspecting user will interact with the email.
Threat actors can choose from many options when seeking a host for their malicious content; the notable ones are described below. Once the fraudulent webpage is live, the attacker distributes links to it through phishing emails, social-media messages, or other digital communication channels, targeting unsuspecting users. Interaction with the link directs the user to the counterfeit page. Here, they might be prompted to either download a file or enter sensitive information, such as login credentials, personal data, or financial details, believing they are complying with a legitimate request.
To circumvent email and network security, phishing operators are increasingly abusing the IPFS: a protocol and network that enables a content-addressable, peer-to-peer method of storing and sharing hypermedia in a distributed file system. Attackers are crafting phishing attacks by embedding fraudulent forms within HTML files, which they then upload to the IPFS. On this distributed network, the malicious HTML files can be accessed via IPFS gateways—specialized web services that allow anyone with a web browser to retrieve files from IPFS without special client software. Phishing operators send emails that include links to these gateways. When recipients click on the links, they are directed to the deceptive forms hosted on the IPFS, and may unwittingly input sensitive details.
We’ve seen an increase in use of the IPFS system in phishing campaigns, which can dynamically adapt to the target: changing a page’s content and simulated branding to whatever is appropriate to trick that particular page visitor. This makes the phishing extremely difficult to detect. Using the IPFS is highly attractive for cybercriminals looking to publish content on a network without establishing their own infrastructure. As a bonus, a distributed file system like IPFS lets them minimize the costs associated with hosting malicious phishing pages.
The gateway provider ipfs[.]io has been used the most to facilitate this phishing technique. We’ve also identified other IPFS services linked to phishing activities, such as cloudflare-ipfs[.]com and dweb[.]link. These webpages that host IPFS content seem to exhibit similar patterns, typically following this format: https://[gateway]/ipfs/[CID Hash].
Figure 2: IPFS phishing email log example
To counter phishing activity abusing the IPFS, gateway providers try to identify and remove links to malicious files, disrupting the accessibility of these fraudulent resources. For organizations, ReliaQuest recommends configuring email filtering rules to flag and isolate messages containing URLs that follow the patterns typically used by IPFS gateways. Or, if IPFS services are not used within the business, block them altogether.
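The filtering rule recommended above keys on the gateway URL format `https://[gateway]/ipfs/[CID Hash]`. The following added example (not ReliaQuest's code or a GreyMatter rule) extracts URLs from a message body, recognizes the path form named in the report, and also the subdomain form `https://<cid>.ipfs.<gateway>/` that public gateways serve, which the report does not mention and is included here as an assumption about how such links appear. The CID check is a shape heuristic (CIDv0 is `Qm` plus 44 base58 characters; CIDv1 is commonly base32 with a leading `b`), not a full CID decoder, and the message body and CIDs below are constructed.

```python
import re
from urllib.parse import urlparse

# Gateways named in the report (written there as ipfs[.]io, cloudflare-ipfs[.]com, dweb[.]link).
KNOWN_GATEWAYS = {"ipfs.io", "cloudflare-ipfs.com", "dweb.link"}

# Heuristic CID shapes: CIDv0 = "Qm" + 44 base58 chars; CIDv1 = multibase "b" + base32 body.
# Assumption: a shape check is enough to trigger a filter; it does not validate the multihash.
CID_RE = re.compile(r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{20,})")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text: str) -> list:
    """Pull http(s) URLs out of a plain-text message body."""
    return URL_RE.findall(text)


def ipfs_indicator(url: str):
    """Describe an IPFS-gateway URL, or return None when the URL is not one.

    Path form:      https://<gateway>/ipfs/<cid>/...          (the format given in the report)
    Subdomain form: https://<cid>.ipfs.<gateway>/...          (assumption: also served by public gateways)
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path_parts = parsed.path.split("/")  # "/ipfs/<cid>/x" -> ["", "ipfs", "<cid>", "x"]
    if len(path_parts) >= 3 and path_parts[1] == "ipfs" and CID_RE.fullmatch(path_parts[2]):
        return {"url": url, "gateway": host, "cid": path_parts[2], "form": "path",
                "known_gateway": host in KNOWN_GATEWAYS}
    labels = host.split(".")
    if len(labels) >= 4 and labels[1] == "ipfs" and CID_RE.fullmatch(labels[0]):
        gateway = ".".join(labels[2:])
        return {"url": url, "gateway": gateway, "cid": labels[0], "form": "subdomain",
                "known_gateway": gateway in KNOWN_GATEWAYS}
    return None


def scan_message(body: str, ipfs_used_in_business: bool = False) -> dict:
    """Apply the report's recommendation: isolate IPFS-gateway links, or block outright if unused."""
    findings = [f for f in (ipfs_indicator(u) for u in extract_urls(body)) if f]
    if not findings:
        return {"verdict": "deliver", "findings": []}
    # If the business has no IPFS use, the report suggests blocking altogether; otherwise flag for review.
    verdict = "flag" if ipfs_used_in_business else "quarantine"
    return {"verdict": verdict, "findings": findings}


# Constructed sample body; the CIDs are fabricated strings of the right shape, not real content.
SAMPLE_BODY = (
    "Your mailbox is full. Review: "
    "https://ipfs.io/ipfs/QmXconstructedFakeCidForTestingPurposes1234567/index.html\n"
    "Mirror: https://bafybeiconstructedcidvonefortestingonlyabcdefghijk.ipfs.dweb.link/\n"
    "Unrelated: https://www.example.com/docs/ipfs-overview\n"
)

if __name__ == "__main__":
    print(scan_message(SAMPLE_BODY))
```

Keying on the `/ipfs/<cid>` path rather than on a gateway hostname list catches gateways the list does not yet contain; `known_gateway` is kept in the finding so a policy can treat the gateways named in the report as higher confidence. The same function works on proxy logs, which is where a blocked gateway will still show a user clicking.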
Some threat actors are using compromised legitimate WordPress websites to host malicious content—although a less common practice than creating new infrastructure and one requiring more effort than using IPFS, for example. Various techniques can be employed, but compromised WordPress sites are typically associated with drive-by compromise.
Upon gaining access to a WordPress website, the attacker creates a fraudulent webpage, without the site owner’s knowledge. The page either mirrors a well-known page, such as a Microsoft login page, or at least matches the colors and font of the compromised site to appear legitimate.
The likelihood of traffic to a compromised WordPress page being blocked is much lower than it is for IPFS infrastructure, owing to the legitimate root domain. Trust in the root domain’s authenticity leads users to be less suspicious of the content, increasing the chances that they’ll interact with it. This makes compromising WordPress sites an attractive method of conducting covert operations.
Dynamic web application hosting is increasingly popular; platforms such as Netlify and Cloudflare R2 enable attackers to upload web application code and execute it within a temporary sandbox, which can host credential-harvesting pages. These dynamic phishing pages are adept at evading detection while presenting seemingly legitimate content to gain users’ trust—a blend of stealth and authenticity that appeals to cybercriminals.
Dynamic hosting services are highly available and scalable; when used maliciously, threat actors can rapidly create and distribute links to phishing sites. In addition, without the need to maintain a dedicated server, attackers can quickly adapt and change their tactics with minimal effort and cost. They can also exploit the reputations of these well-known hosting platforms to bypass unsophisticated security filters that block only unknown or disreputable domains.
For most standard business applications, there is often little reason to permit access to content from r2[.]dev (Cloudflare) or netlify[.]app. If those domains aren’t applicable to business operations, restrict access to them at the network’s edge.
In one noteworthy strategy, a threat actor embedded AWS credentials within a phishing link. As illustrated in the example below, the URL included the AWS access key required to access the contents of the AWS instance where the malicious content was hosted. This approach is quite rare and is probably designed to hinder public scanners from detecting and eliminating phishing pages. This prolongs the lifespan of the phishing infrastructure and ensures that only individuals possessing the access key can visit the site.
Notably, it can be difficult for recipients to identify the URL as phishing due to the legitimate root domain. Since public scanners are unable to flag the content as phishing, adversaries can increase the likelihood of bypassing email security and directing successful traffic to the malicious infrastructure, thereby increasing the chances of successfully harvesting credentials. We’ll likely continue to see this tactic, given that AWS is a highly prevalent domain and it’s difficult to employ dynamic detections on the infrastructure.
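Because public scanners cannot fetch the page, the observable artifact for defenders is the URL itself. The following added example (not ReliaQuest's code) scans URLs for an embedded AWS access key ID, which is a fixed-shape identifier: `AKIA` (long-term) or `ASIA` (temporary) followed by 16 upper-case alphanumerics. It also notes whether the key appears in an `X-Amz-Credential` query parameter, the form used by S3 presigned URLs; the report does not say which form the observed URL took, so treating it as presigned is an assumption. The sample URL and key are constructed, and keys are redacted before they are returned so that the finding can be logged safely.

```python
import re
from urllib.parse import urlparse, parse_qs

# AWS access key IDs are 20 characters: "AKIA" or "ASIA" + 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def redact_key(key: str) -> str:
    """Keep prefix and last four characters so analysts can correlate without logging the key."""
    return key[:4] + "*" * (len(key) - 8) + key[-4:]


def aws_key_in_url(url: str):
    """Return a finding when a URL carries an AWS access key ID, else None."""
    keys = sorted(set(ACCESS_KEY_RE.findall(url)))
    if not keys:
        return None
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    query = parse_qs(parsed.query)
    return {
        "host": host,
        "aws_host": host.endswith(".amazonaws.com"),
        # Presigned S3 URLs carry the key ID inside X-Amz-Credential (assumption about the report's case).
        "presigned": "X-Amz-Credential" in query,
        "keys": [redact_key(k) for k in keys],
    }


def scan_body_for_aws_keys(body: str) -> dict:
    """Flag any message whose links embed an access key; such links are rare in legitimate mail."""
    findings = [f for f in (aws_key_in_url(u) for u in URL_RE.findall(body)) if f]
    return {"verdict": "flag" if findings else "deliver", "findings": findings}


# Constructed sample: a presigned-style S3 URL with a fabricated key ID (not a real credential).
SAMPLE_PRESIGNED_URL = (
    "https://example-bucket.s3.amazonaws.com/login.html"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLECONSTRUCT%2F20240115%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240115T120000Z&X-Amz-Expires=604800&X-Amz-Signature=deadbeef"
)

if __name__ == "__main__":
    print(scan_body_for_aws_keys("Please sign in: " + SAMPLE_PRESIGNED_URL))
```

The check is cheap enough to run on every inbound URL and on proxy logs; an `X-Amz-Expires` value in the query string, when present, also tells an analyst how long the link was meant to stay alive.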
Figure 3: Amazon AWS URL access key example
In addition to the tailored mitigation steps mentioned throughout this report, we offer the following non-exhaustive list of recommendations and best practices. These actions will help establish a secure foundation against the phishing-related TTPs we have observed recently.