Cybercriminals favor phishing as primary entry point for attacks

Manipulating people into disclosing private data turns human trust and behavior into a lethal arsenal.

Unmasked: Phishing continues to be the preferred entry point for cyber attacks

In the ever-evolving landscape of cybersecurity, a new report from ReliaQuest sheds light on the ongoing threat of phishing attacks and the tactics employed by notorious threat actors such as Scattered Spider.

According to the report, phishing remains the most prevalent method used by threat actors to gain initial access, accounting for a staggering 70% of all initial access-related incidents in 2023. This statistic underscores the importance of addressing phishing vulnerabilities in organisational defences.

One of the key findings of the report is the widespread impersonation of trusted brands in phishing attempts. Microsoft leads the pack, accounting for 25% of all phishing attempts, followed by Google (11%), Apple (9%), and a surprising resurgence of Spotify (6%). These campaigns targeted multiple sectors, including finance, healthcare, and retail.

ReliaQuest's report also highlights the increasing sophistication of phishing attacks that bypass traditional security controls. For instance, attacks often originate within Microsoft’s own environment, making them harder to detect. Microsoft is responding by updating default settings to require administrative approval for third-party app permissions, aiming to reduce these internal-originated attacks.

Scattered Spider, a noteworthy and active ransomware group, uses social engineering as its primary tactic. Their attack chain relies heavily on tricking IT help desk staff, impersonating employees, and employing "MFA fatigue" attacks to gain access. This makes conventional network security insufficient to prevent incursions once social engineering succeeds.

The report reveals that Scattered Spider also engages in typo-squatting, registering impersonating domains and subdomains to conduct phishing and steal credentials, especially targeting technology vendors. This allows them to deceive multiple organizations with a single fake domain, highlighting the need for early detection of such domains to halt phishing campaigns.
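The early detection of impersonating domains and subdomains described above could start with a check like the following. It is an added example, not code from ReliaQuest or the original article; the vendor domain, the observed hostnames and all function names are constructed for illustration, and the registrable domain is assumed to be the last two labels of a hostname.

```python
# Constructed sample data: a hypothetical vendor domain and hypothetical
# newly observed hostnames (for instance from a registration or DNS feed).
PROTECTED = ["examplevendor.com"]
OBSERVED = ["examplevendor.com", "portal.examplevendor.com",
            "examp1evendor.com", "exmaplevendor.com", "examplevendor.net",
            "examplevendor-helpdesk.com", "examplevendor.com.sso-login.net",
            "unrelated-shop.org"]
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(label):
    """Fold common look-alike characters so 'examp1e' compares as 'example'."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def osa(a, b):
    """Edit distance that counts an adjacent transposition as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(host, protected):
    """Return why host looks like an imitation of protected, or None."""
    labels = host.lower().rstrip(".").split(".")
    # Assumption: registrable domain = last two labels (no multi-part TLDs).
    if len(labels) < 2 or ".".join(labels[-2:]) == protected:
        return None  # malformed, the real domain, or one of its own subdomains
    name, brand = labels[-2], protected.split(".")[0]
    checks = [("tld-swap", name == brand),
              ("homoglyph", skeleton(name) == skeleton(brand)),
              ("typo", osa(name, brand) <= 1),
              ("combosquat", brand in name),
              ("subdomain-impersonation", any(brand in s for s in labels[:-2]))]
    return next((why for why, hit in checks if hit), None)

def scan(hosts, protected_domains):
    """Map each flagged host to the reason it was flagged."""
    return {h: why for h in hosts for p in protected_domains
            if (why := classify(h, p))}

if __name__ == "__main__":
    for host, why in scan(OBSERVED, PROTECTED).items():
        print(f"{host}: {why}")
```

Because one fake vendor domain can be reused against many of that vendor's customers, a list like `PROTECTED` is most useful when it covers the technology vendors an organisation relies on as well as its own domains.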

As phishing attacks become more personalized and technologically sophisticated, AI-driven methods are increasingly used to automate vulnerability exploitation and to scale up phishing. Vulnerability exploitation is responsible for 45% of initial accesses in ReliaQuest customer incidents.

To combat phishing, ReliaQuest encourages organisations to focus on authentication techniques, including biometrics and reducing session token lifetimes. The report also stresses the importance of out-of-band verification, especially of help-desk contacts, limiting remote tool access, and continuous validation of defensive controls.

Despite the report's findings, it did not provide any specific recommendations for organisations to protect themselves from phishing attacks nor did it detail other tactics, techniques, and procedures used by threat actors in 2023.

Scattered Spider, responsible for major attacks against MGM Resorts, Caesars Entertainment, and Clorox, was also found to have used cloud administrative commands to modify configurations in the Microsoft Azure platform.

In summary, the ReliaQuest Annual Cyber-Threat Report underscores that phishing remains a dominant and evolving threat, amplified by social engineering tactics like those used by Scattered Spider, brand impersonation, and emerging AI-driven exploitation techniques. Organisations are urged to prioritise phishing mitigation strategies to safeguard their digital assets.


  1. The report from ReliaQuest reveals that AI-driven methods are increasingly automating vulnerability exploitation and phishing scale-up, making up 45% of initial accesses in ReliaQuest customer incidents.
  2. Scattered Spider, a notorious ransomware group, employs AI-driven tactics, such as typo-squatting, registering impersonating domains and subdomains to conduct phishing and steal credentials, especially targeting technology vendors.
  3. To combat the evolving phishing threat, organisations should prioritise phishing mitigation strategies, focusing on authentication techniques, including biometrics and reducing session token lifetimes, as suggested by the ReliaQuest Annual Cyber-Threat Report.
