Over the past few years, the headlines have been peppered with stories of companies, states, cities and now countries dealing with ransomware attacks. As we close out our 2022 Annual State of Phishing Report series, we address ransomware as it relates to phishing. While we very rarely see ransomware delivered directly via an email campaign, there are plenty of tactics that threat actors use to gain initial entry into the organization. As we have repeatedly addressed, we can't stress enough that credential phish, at 67%, remains the number one phishing threat today. Preparing organizations to identify and report suspicious emails has become even more critical.
Resiliency is key to defending against Ransomware
As we look at the attack chain specific to ransomware, there are several precursor steps that take place before the ransom note is delivered. The key to building a resilient workforce is providing them with relevant phishing simulation training that aligns to current threats hitting their inbox. When you’re assessing your simulation program, putting focus on the right metric is key. When it comes to defending against a real phishing campaign, reporting is key to early detection and mitigation. Therefore, your phishing simulation metrics should also focus on the report rate and how quickly users are reporting.
Zero Days are in play
As threat actors in the ransomware community have built up their resources, they are now able to step into the zero-day arena to further their attacks. A Microsoft zero day published in late May has been weaponized by the QakBot group. Recently, researchers have been able to determine a link between QakBot and ransomware groups, shifting the dynamics of how these campaigns are used.
Don’t forget about older malware or threat groups. Cofense has observed a tactic that we have only seen twice in the past five months. A banking trojan, known as IcedID, is being used to steal information such as credentials. What’s interesting about this campaign is the fact the threat actor leveraged an email from 2017, also using the reply-chain tactic. A reply-chain tactic takes a previous email and appends the new phishing threat as the last message, adding a confidence level to get the recipient to engage with the email. It’s no surprise the recipient thought this was suspicious and quickly reported this email to our Phishing Defense Center (PDC).
Credential Phish and HTML attachments
Cofense reported credential phish taking a 10-percentage point jump over the previous year in our annual report. We continue to observe this as the top threat in the first half of 2022. While fewer attachments are landing in the inbox, the top file type that continues to be successful is the HTML / HTM file. Organizations should look for ways to mitigate this threat by tuning their controls. Identify which legitimate business applications or services send users this type of attachment and segment those users into a Group Policy Object (GPO). This group can then be allowed to receive these types of attachments, while the file type is blocked for everyone else. It is also critical to educate the organization on the dangers of interacting with these files. A majority of these are used to deliver a spoofed credential input page, but we are starting to see this file type being leveraged for delivering malware.
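The allow-by-group control described above can be prototyped before it is configured on a mail gateway. The following is an added example, not Cofense code: the recipient set stands in for the allowed group, and all addresses, function names and sample messages are constructed for illustration.

```python
from email.message import EmailMessage

# Assumption: members of the group allowed to receive HTML/HTM attachments.
ALLOWED_RECIPIENTS = {"ap-clerk@corp.example", "payroll@corp.example"}
HTML_EXTENSIONS = (".html", ".htm")


def html_attachments(msg):
    """Return the names of parts a mail client would open as an HTML file."""
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        # Match on the file name, whatever MIME type the sender declared.
        by_name = name.endswith(HTML_EXTENSIONS)
        # Match text/html sent as an attachment under another name; an
        # ordinary HTML message body has no attachment disposition.
        by_type = (part.get_content_type() == "text/html"
                   and part.get_content_disposition() == "attachment")
        if by_name or by_type:
            found.append(name or "<unnamed text/html>")
    return found


def decide(msg, recipients):
    """Map each envelope recipient to 'deliver' or 'quarantine'."""
    blocked = bool(html_attachments(msg))
    return {r: "quarantine" if blocked and r.lower() not in ALLOWED_RECIPIENTS
            else "deliver" for r in recipients}


def sample(filename=None, ctype="text/html"):
    """Build a constructed test message with an HTML body and one attachment."""
    m = EmailMessage()
    m["From"] = "Billing <noreply@billing.example>"
    m["Subject"] = "Statement"
    m.set_content("See attached.")
    m.add_alternative("<p>See attached.</p>", subtype="html")
    if filename:
        main, sub = ctype.split("/")
        m.add_attachment(b"<html><body>constructed</body></html>",
                         maintype=main, subtype=sub, filename=filename)
    return m


if __name__ == "__main__":
    rcpts = ["payroll@corp.example", "j.doe@corp.example"]
    for m in (sample("Statement.HTM", "application/octet-stream"), sample()):
        print(html_attachments(m), decide(m, rcpts))
```

The decision is made per envelope recipient, so one message can be delivered to a group member and quarantined for everyone else on the same delivery.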
Get more information on the phishing threat insights from our 2022 Annual State of Phishing Report webinar series:
Learn more about Cofense Protect MSP, designed specifically for Managed Service Providers. Instant phishing threat detection with Computer Vision technology, paired with Cofense's best-in-class training and simulation, helps your clients be more resilient to attack. Book a demo to see how you can provide advanced email security and phishing protection to keep your clients safe from today's most sophisticated phishing attacks.
Author Tonia Dudley is strategic advisor at Cofense. Read more Cofense guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.