In 2022, phishing was responsible for more than half of the incidents investigated by Stroz Friedberg. Stroz Friedberg has seen phishing evolve over the years with many innovative and creative techniques such as:
Threat actors are finding innovative ways to deliver phishing campaigns and lower the barrier of entry for phishing, including use of “phishing-as-a-service” subscription models, advanced AI chatbots, and SMS messaging and voice platforms.
In the ever-growing landscape of cyber threats, phishing continues to be one of the most prolific and successful tactics that threat actors use to launch highly effective campaigns across email, SMS messaging, and voice platforms. In 2022, phishing was responsible for 52% of the initial access methods observed by incident responders across the industry.1 At Aon’s Stroz Friedberg Incident Response services, more than half of the matters analyzed in 2022 included phishing as the initial access technique. As more companies recognize these risks and implement security solutions for safeguarding, threat actors adapt and identify ways to circumvent these protections. This blog post explores several emerging trends that Stroz Friedberg has observed in recent phishing campaigns, including advanced social engineering tactics across email platforms, a rise in phishing-as-a-service, and shifts from attacks on email platforms to those on mobile phones. Though many of the emotional appeals behind phishing campaigns continue to play a role in these social engineering attacks, Stroz Friedberg has recently observed frequent usage of several sophisticated phishing techniques. Organizations should be aware of these techniques and implement the controls discussed at the end of this article to minimize their risk of impact.
The advent of dial-up internet and global communication in the 1990s brought about the first phishing scams ever observed. From one of the first widespread phishing scams ever conducted in 2000, the Love Bug virus,2 to the major breaches incurred by Facebook and Google in 2013 and 2015,3 phishing scams have constantly evolved with increasingly sophisticated and evasive techniques. According to Proofpoint’s 2023 State of the Phish report,4 one in eight organizations experienced a breach in 2023. Moreover, the report notes that investigators observed a 76% increase from 2022 in successful phishing attacks that directly led to an organization’s financial loss.
Across these campaigns, several important trends lie behind the numbers: more campaigns impersonate well-known brands such as Microsoft's and Google's productivity suites to lure victims into providing their credentials and/or consenting to malicious OAuth applications; more campaigns leverage distribution lists to reach a wide set of privileged victims; and phishing kits are increasingly used to launch large-scale, automated attacks against organizations.
Many organizations legitimately use services offered by the big brand companies such as Microsoft, Google, Amazon, Facebook, and others. As such, threat actors often exploit the trust associated with these reputable brands by impersonating the organization or its employees to lure customers into disclosing sensitive information. Due to the significant presence of these major names across industries, brand impersonation attacks have been gaining traction across multiple sectors. Stroz Friedberg has observed an uptick in phishing attacks abusing Microsoft and Google's productivity services, such as Microsoft's SharePoint and OneNote, or Google's Drive and Docs. Using the perceived legitimacy that comes with brand recognition, threat actors can trick customers into providing their login credentials or installing malware onto their systems. For example, many organizations have recently observed malware delivery through malicious Microsoft OneNote attachments. Unlike phishing links, which trick users into divulging sensitive information on fraudulent login sites, such attachments can be customized to install malware when the attachment is opened or executed.
Below is an example of a threat actor imitating Microsoft's SharePoint service to lure its victim into opening a fraudulent SharePoint link. The victim is redirected to a document containing instructions to enter credentials into a fraudulent login page, ultimately allowing the threat actor to capture the victim's information.
Phishing email and linked webpage imitating a SharePoint notification.
Stroz Friedberg has also observed instances in which the threat actor uses a legitimate SharePoint link in the phishing email, allowing the email to evade Microsoft's spam filters; that link leads to a SharePoint document that contains instructions for the victim to click on the final, malicious phishing link.
Threat actors often phish for user credentials, which are then leveraged to access mailboxes or other similar platforms containing the targeted information. However, upon discovery, threat actors can easily be kicked out with a password reset. To counter this, Stroz Friedberg has observed an increase in threat actors using malicious Azure OAuth applications to instead gain persistent and wholesale access to mailboxes within Microsoft 365, a technique also referred to as "consent phishing." This campaign involves sending a phishing email that contains a link to an OAuth5 request page for a malicious third-party application and urges the victim to grant it excessive or broad permissions to the user's data. The image below illustrates an example of an unverified OAuth application requesting access to a user's mailbox with the scope set to a broad set of permissions.
Microsoft has taken proactive measures to help organizations avoid falling victim to consent phishing, including proactively flagging suspicious OAuth applications, disabling confirmed malicious applications across all Microsoft services, and implementing anti-consent-phishing features within the Microsoft Defender suites (Defender for Office 365, Defender for Cloud Apps, etc.). However, despite these many protection mechanisms, threat actors will continue to identify avenues to evade Microsoft's security solutions and phish for consent, so users must be vigilant in noticing red flags across such campaigns.
In addition to consent phishing, Stroz Friedberg has also investigated several compromises where the threat actor has also registered applications themselves to provide persistent access to the user’s mailbox or other data. This typically occurs after the threat actor has gained access to a mailbox in another way.
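Both patterns above, a user consenting to an unverified third-party app with broad mailbox scopes and a compromised account registering its own app for persistence, leave a consent-grant trail that a tenant can review. The following is an added example, not Stroz Friedberg's or Microsoft's tooling; the event fields and sample records are constructed and do not reproduce any vendor log schema, though the permission names are real Microsoft Graph scopes.

```python
"""Score OAuth consent grants for the consent-phishing patterns described above.

Added example, not Stroz Friedberg's code. ConsentEvent is a constructed,
simplified view of a consent record; adapt the field mapping to your source.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Delegated scopes that give an app wholesale access to mail, files or contacts.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Sites.ReadWrite.All", "Contacts.Read",
}
# offline_access yields a refresh token, so access survives a password reset.
PERSISTENCE_SCOPE = "offline_access"


@dataclass
class ConsentEvent:
    app_name: str
    publisher_verified: bool
    tenant_registered: bool            # app object lives in our own tenant
    scopes: set
    consented_by: str
    consented_at: datetime
    registered_by: Optional[str] = None
    registered_at: Optional[datetime] = None


@dataclass
class Finding:
    app_name: str
    score: int = 0
    reasons: list = field(default_factory=list)


def triage(ev: ConsentEvent) -> Finding:
    f = Finding(ev.app_name)
    risky = ev.scopes & HIGH_RISK_SCOPES
    if risky:
        f.score += 2
        f.reasons.append(f"broad data scopes: {sorted(risky)}")
    if risky and PERSISTENCE_SCOPE in ev.scopes:
        f.score += 2
        f.reasons.append("offline_access with data scopes: persistent token")
    if not ev.publisher_verified and not ev.tenant_registered:
        f.score += 2
        f.reasons.append("unverified third-party publisher")
    if ev.registered_at and ev.consented_at - ev.registered_at < timedelta(days=1):
        f.score += 1
        f.reasons.append("app registered less than a day before consent")
    if ev.registered_by and ev.registered_by == ev.consented_by:
        f.score += 1
        f.reasons.append("consenting user registered the app themselves")
    return f


def summarize(events) -> dict:
    """Map app name to risk score, highest first."""
    found = sorted((triage(e) for e in events), key=lambda x: -x.score)
    return {f.app_name: f.score for f in found}


# Constructed sample records: names, users and times are placeholders.
T = datetime(2023, 9, 5, 8, 58)
SAMPLE_EVENTS = [
    ConsentEvent("Mailbox Backup Helper", False, False,
                 {"User.Read", "Mail.ReadWrite", "offline_access"}, "jdoe", T),
    ConsentEvent("Corp Expense Tool", True, True, {"User.Read"}, "jdoe", T,
                 "it-admin", datetime(2023, 1, 10)),
    ConsentEvent("Sync Agent", False, True, {"Mail.Read", "offline_access"},
                 "jdoe", T, "jdoe", T - timedelta(minutes=8)),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        fnd = triage(ev)
        print(f"{fnd.score} {fnd.app_name}: {'; '.join(fnd.reasons) or 'no findings'}")
```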
Nearly every organization has a dedicated team to assist with technical business needs or to troubleshoot user-end services. These groups serve as the organization’s primary point of contact for technical support. Distribution lists are a convenient tool for organizations of all sizes to reach a group of users, such as an IT Help Desk, through email.
Stroz Friedberg has observed a rise in phishing campaigns targeting distribution groups. The phish may result in the generation of a ticket in a platform such as Jira or Zendesk, so that the notification the responder receives originates from the organization's legitimate service desk email address, lending the phish more legitimacy. Because of this additional layer of abstraction, the employee responding to the request may not recognize the typical red flags associated with phishing emails. These requests may even come in from outside the organization through a customer support desk, which expects to receive messages from unknown senders.
See the image below for an example of a Salesforce ticket containing a malicious phishing link, masked under the guise of a legitimate user request. The employee responding to this request must rely on the content of the ticket itself to discern whether a request is legitimate, without the traditional verification checks on senders and recipients.
Malicious phishing link submitted onto the Salesforce platform as a service request.
With the advent of "as-a-service" (aaS) models in the cyber landscape, phishing is no exception: subscription models for phishing, or "phishing-as-a-service" (PhaaS), are on the rise and effectively give anyone access to a phishing kit in exchange for a fee. Cybercriminals have now become service providers, marketing the tools and capabilities necessary to conduct mass phishing attacks to less experienced actors. PhaaS offers advanced functionality such as generating high-quality phishing email templates, pre-filling victims' email addresses into login prompts, and spoofing company logos on the fraudulent login pages, among other sophisticated functions, and combines these elements into a ready-to-deploy package better known as a "phishing kit." All of these features allow threat actors to set up an entire campaign targeting dozens to hundreds of victims with ease. The image below shows a breakdown of a basic phishing kit.
The Anatomy of a Phishing Kit.
Stroz Friedberg’s Threat Intelligence team has observed phishing kits and PhaaS evolve throughout the last few years, including threat actors even offering hands-on support and curated operator panels with the sale of PhaaS. While phishing traditionally required a specific set of skills to carry out an attack, the emerging PhaaS business model has provided opportunities for even the most novice cybercriminals to conduct phishing campaigns.
As of August 2023, Stroz Friedberg's Threat Intelligence team has observed several notable PhaaS threat actors in the wild selling phishing kits, each offering varying levels of service. EvilProxy, one of the most well-known PhaaS offerings, is a highly advanced, Microsoft 365-centric platform with services ranging from $400 to $500 USD per month. On the other hand, smaller-scale threat actors may be interested in 16shop, a platform targeting payment services such as PayPal, CashApp, and American Express. Its services range between $60 and $150 USD per month, furthering the trend of lowered barriers for less experienced and financially limited users to conduct phishing campaigns. Stroz Friedberg's Threat Intelligence team has also observed PhaaS threat actors customizing their offerings to cater to the buyer's needs. For instance, Dagon Panel is a PhaaS threat actor that exclusively targets banks and offers its services in a tiered system, ranging between $110 and $330 USD per month. With Dagon Panel's platform, the more expensive tiers boast tailored, hands-on support in the form of PhaaS operators, in addition to providing access to a mobile platform that allows cybercriminals to monitor their campaigns.
Given the rise of such prolific threat actors and the lowered barrier of entry for threat actors looking to phish for credentials on a large scale, individuals and organizations should take care to protect themselves from the increased volume of phishing emails facilitated by both phishing kits and highly efficient "phishing-as-a-service" campaigns.
In addition to the PhaaS offerings in the wild, the AI space has become a widely popular arena for cybercriminals to expand their techniques. Stroz Friedberg's Threat Intelligence team has seen the proliferation of "jailbroken" versions of specific AI chatbots intended to generate malware and other similarly malicious products. Upon its release in late 2022, OpenAI's ChatGPT6 revolutionized the industry with its ability to create requested content nearly instantaneously. Unsurprisingly, chatbot AI tools such as ChatGPT and Google's Bard also opened the way for cybercriminals to generate phishing emails with few typos and near-perfect verbiage, sometimes even localizing phishing pages to the victim's native language. By weaponizing these chatbot AI tools, cybercriminals are broadening the reach of their campaigns, rendering preventative efforts to identify and contain phishing attacks more difficult.
While OpenAI, Google, and other AI providers have made strides in preventing these issues, threat actors have identified loopholes7 to bypass these built-in security mechanisms. The images below illustrate Aon's successful and unsuccessful attempts to generate a phishing email using ChatGPT.
Request to generate a phishing email that targets Microsoft using ChatGPT. Screenshots taken of ChatGPT version GPT-4.
As the barrier of entry for cybercrime lowers and phishing kits become more commonplace across cybercriminals’ toolkits, organizations should take precautionary measures to enhance their security across the tenant level and provide employees with little room to fall victim to a phishing attack.
Email platforms have traditionally provided threat actors with the most efficient and scalable avenue to lure their victims, since the services integrated into platforms such as Microsoft 365 and Google's productivity suite are all available for cybercriminals to abuse. However, as our lives become more intertwined with mobile devices, this transition has given rise to new forms of social engineering attacks, such as SMS text message phishing ("smishing") and voice call phishing ("vishing"). Smishing involves threat actors sending SMS text messages to trick victims into divulging sensitive information or installing malware on their mobile devices. Vishing is a similar attack pattern, except that threat actors place phone calls to victims to obtain similar results, often while fraudulently posing as a legitimate service or organization.
As detailed in Stroz Friedberg’s earlier case study article,8 smishing attacks have quickly evolved to evade commonplace protection tools such as multi-factor authentication due to the lack of mobile cybersecurity awareness across organizations. Even if organizations have protective measures such as Mobile Device Management (MDM) in place, it can be difficult for security professionals to determine the scope of phishing attacks conducted through messaging and voice platforms, as SMS text messages and mobile browser histories are typically not centrally reported. While organizations can take steps to better prevent, detect, and respond to such attacks, human efforts will always be the last line of defense.
The barrier of entry for conducting phishing campaigns is lowered through the advent of phishing kits and PhaaS, providing avenues for cybercriminals to generate convincing and accurate phishing emails on a whim. Furthermore, reach of these campaigns has expanded to wider audiences through PhaaS and distribution groups, rendering large-scale attacks easier with just one phishing email. Because phishing continues to serve as one of the most commonly observed initial access mechanisms across industries, organizations should be vigilant in understanding and protecting their security infrastructure to minimize risks of successful attacks. Phishing attacks can vary widely across platforms in their methodology, execution, and techniques – however, they all are still attempts to achieve the same result: lure unsuspecting victims into divulging private and confidential information. While digital communication platforms continue to exist, organizations should continue to implement detection and defensive solutions, as threat actors will inevitably evolve their techniques to exploit those channels. There is no one solution to eliminate phishing attacks from our digital landscape— both organizations and individual users should be educated on these risks, vigilant against red flags, and equipped with the proper technology solutions that will assist with advanced phishing detection and protection.
To counter these evolving threats, consider the following recommendations at the organization and user levels:
Organization Recommendations include among others:
User Recommendations include among others:
1 https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q4-2022-threat-landscape-tech-manufacturing-ransomware-peaks
2 https://www.computerworld.com/article/2594166/-love-bug–virus-continues-to-wreak-havoc.html
3 https://www.trendmicro.com/vinfo/fr/security/news/cybercrime-and-digital-threats/google-and-facebook-fraudster-pleads-guilty-to-100-million-scam
4 https://www.proofpoint.com/us/resources/threat-reports/state-of-phish
5 OAuth (“open authorization”) is an open standard for authorization that allows third-party applications to access resources hosted by other applications without directly providing credentials.
6 ChatGPT is a large language model-based AI chatbot developed by OpenAI, capable of generating human-like text based on context and past conversations.
7 https://www.wired.com/story/ai-adversarial-attacks/
8 https://www.aon.com/cyber-solutions/case_studies/attacks-that-smish-phish-and-vish-their-way-around-mfa/
About Cyber Solutions:
Cyber security services are offered by Stroz Friedberg Inc., its subsidiaries and affiliates. Stroz Friedberg is part of Aon’s Cyber Solutions which offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.
General Disclaimer
While care has been taken in the preparation of this material and some of the information contained within it has been obtained from sources that Stroz Friedberg believes to be reliable (including third-party sources), Stroz Friedberg does not warrant, represent, or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article and accepts no liability for any loss incurred in any way whatsoever by any person or organization who may rely upon it. It is for informational purposes only. You should consult with your own professional advisors or IT specialists before implementing any recommendation or following the guidance provided herein. Further, while we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. Further, this article has been compiled using information available to us up to 9/11/23.
Terms of Use
The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.