Phishing is a term you will hear regardless of the industry you work in. But what is phishing, and what risk does it pose to you?
Phishing is a social engineering technique in which attackers send scam emails or text messages to trick users into revealing sensitive information or downloading malicious software. Campaigns can be targeted at a specific person or company (spear phishing) or generic and sent to large numbers of people. Regardless of the type of campaign, it is important to stay vigilant: it may take only one user clicking a link or opening an attachment in a phishing email to cause a company-wide cyber incident. The UK Government's 2024 Cyber Security Breaches Survey reported that phishing was involved in 84% of the breaches or attacks that businesses identified, making it by far the most common attack vector.
Current Phishing Attacks/Campaigns
OneDrive Phishing Scam
An unknown threat actor has been targeting Microsoft OneDrive users worldwide. Their modus operandi is a phishing email carrying an HTML file that, when opened, displays a fake OneDrive error message. To "fix" the supposed error the user is walked through launching a script supplied by the attacker, which in turn downloads further scripts used to compromise the target's systems.
Cuckoo Spear targets Japanese companies
APT10 is a Chinese state-sponsored threat actor that focuses on critical infrastructure sectors. It has been using phishing to plant backdoors in Japanese businesses: targeted spear-phishing emails carried malicious attachments that installed malware once the user opened them. APT10 then maintained persistence in victim networks through living-off-the-land (LOTL) techniques, using scheduled tasks and Windows services to load further files. The impact of these attacks is not yet known, but they may be part of a much larger campaign aimed at critical infrastructure in Japan.
Mass malware spam campaign
At the beginning of 2024 researchers identified a large-scale spam campaign in which emails containing a ZIP archive of JavaScript files were sent to organisations in the EU and US. When run, the JavaScript deployed the StrelaStealer malware on the victim's device. StrelaStealer steals email credentials from the Outlook and Thunderbird email clients; the attackers can then use the stolen credentials in other attacks or to steal further information from the victims' mailboxes.
Protecting Yourself Against Phishing
Education and Awareness
As an individual, the main way to reduce your risk from phishing is to learn the common indicators of a phishing email:
- inconsistent email addresses and domain names (for example, a display name or brand that does not match the sender's address, or a link whose visible text differs from where it actually points),
- suspicious attachments,
- a sense of urgency.
If you identify a phishing email, reporting it to your company or to your email provider helps protect others from it.
Employers should provide phishing training to employees and require that it be refreshed regularly, so that everyone is aware of the latest campaigns and how to recognise them. Companies should also use simulated phishing campaigns, newsletters and posters to keep employees vigilant and aware.
Technical Defences
Even educated and aware employees sometimes fail to spot a phishing email, so technical defences should be used to stop malicious emails reaching them in the first place. Email filtering can block messages from suspicious senders or containing suspicious content and attachments. Anti-spoofing measures (SPF, DKIM and DMARC records published for the company's domains) stop attackers from impersonating company email addresses, and anti-malware software can prevent malware embedded in emails or on websites from executing.
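The following Python script is an added example, not code from the original article or from any email security product. It puts the indicators listed under Education and Awareness (inconsistent addresses and domains, suspicious attachments, a sense of urgency) into the kind of rule an email filter applies before a message reaches the user. The keyword list, the risky-extension list, the two-indicator quarantine threshold and both sample messages are constructed for the example; the first sample is styled on the OneDrive lure described above.

```python
"""Rule-based phishing indicator check (added example, not the article's own code).

Each finding maps to one of the article's indicators. Keyword lists, extension
lists and the quarantine threshold are assumed values, not a product's settings.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "action required",
                   "verify your account", "will be suspended", "will be deleted")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".html", ".htm",
                    ".lnk", ".bat", ".cmd", ".ps1", ".iso", ".img")

# Constructed sample messages: a lure with a spoofed vendor name, a mismatched
# Reply-To, a disguised link and a double-extension script attachment, followed
# by an ordinary internal message for comparison.
SAMPLE_PHISH = b"""\
From: "Microsoft OneDrive" <support@onedrive-alerts.example>
Reply-To: helpdesk@different-domain.example
To: alice@corp.example
Subject: URGENT: your files will be deleted within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Action required: verify your account now at
<a href="http://onedrive-alerts.example/login">https://onedrive.live.com</a></p></body></html>
--b1
Content-Type: application/octet-stream; name="report.pdf.js"
Content-Disposition: attachment; filename="report.pdf.js"
Content-Transfer-Encoding: base64

dmFyIHg9MTs=
--b1--
"""
SAMPLE_LEGIT = b"""\
From: Bob <bob@corp.example>
To: alice@corp.example
Subject: Minutes from Tuesday
Content-Type: text/plain; charset="utf-8"

Hi Alice, the minutes are on the wiki as agreed. Bob
"""


def _domain(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def _host(text: str) -> str:
    """Hostname named by a URL or bare domain; '' for text such as 'click here'."""
    text = text.strip()
    if "://" not in text:
        if not re.fullmatch(r"[\w.-]+\.[A-Za-z]{2,}(/\S*)?", text):
            return ""
        text = "//" + text
    return (urlparse(text).hostname or "").lower()


def analyse(raw: bytes) -> dict:
    """Return the indicators found in one raw RFC 5322 message and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Indicator 1: the From domain should agree with Reply-To and Return-Path.
    from_domain = _domain(parseaddr(str(msg.get("From", "")))[1])
    for header in ("Reply-To", "Return-Path"):
        value = msg.get(header)
        if value and _domain(parseaddr(str(value))[1]) != from_domain:
            findings.append(f"{header} domain differs from From domain {from_domain}")

    # Indicator 1 (links): visible text naming one host while href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    for href, text in re.findall(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                                 content, flags=re.I | re.S):
        shown = _host(re.sub(r"<[^>]+>", "", text))
        if shown and shown != _host(href):
            findings.append(f"link shows {shown} but points to {_host(href)}")

    # Indicator 2: executable or script attachments, including double extensions.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            kind = "double-extension " if name.count(".") > 1 else ""
            findings.append(f"{kind}attachment {name}")

    # Indicator 3: urgency language in the subject or body (tags stripped).
    plain = re.sub(r"<[^>]+>", " ", f"{msg.get('Subject', '')} {content}").lower()
    hits = [p for p in URGENCY_PHRASES if p in plain]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # Assumed policy: a single indicator is common in legitimate mail, two or more quarantine.
    verdict = "quarantine" if len(findings) >= 2 else "deliver"
    return {"score": len(findings), "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(analyse(sample))
```

The checks are deliberately simple so that each finding can be traced to one indicator from the list; a production filter would add reputation lookups, SPF/DKIM/DMARC results and attachment sandboxing on top of rules like these.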
Monitoring and Reporting
If a phishing email does reach users, a reporting mechanism (which employees are trained to use) needs to be in place. Once a message is reported, the IT or security team can remove it from company mailboxes so that no other users are exposed to it. Broader logging can also detect accounts that have been compromised through phishing: an alert for a login from an unusual location, for example, can flag a compromised account. Cyber threat intelligence (CTI) keeps you aware of current phishing campaigns and allows phishing defences to be improved continuously in response to an ever-evolving threat landscape.
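The unusual-location alert described above, as an added Python example that is not part of the original article or of any SIEM product. It goes slightly beyond the text: besides flagging a successful login from a location not previously seen for that account, it also flags "impossible travel", two logins from places too far apart for the time between them. The log line format, the city coordinates, the 900 km/h speed limit and the sample records are all assumptions constructed for the example.

```python
"""Unusual-location and impossible-travel detection over login records.

Added example, not the article's own code. The log format below is assumed:
<ISO timestamp> login user=<name> result=<success|failure> ip=<addr> city=<city>
"""
import re
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample records, not from any real system.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z login user=alice result=success ip=203.0.113.10 city=London
2024-05-01T17:44:09Z login user=alice result=success ip=203.0.113.10 city=London
2024-05-02T08:15:31Z login user=bob result=success ip=198.51.100.7 city=Manchester
2024-05-02T09:01:02Z login user=alice result=success ip=203.0.113.10 city=London
2024-05-02T09:40:55Z login user=alice result=success ip=192.0.2.44 city=Lagos
2024-05-02T10:05:17Z login user=bob result=failure ip=198.51.100.7 city=Manchester
2024-05-03T08:09:45Z login user=bob result=success ip=198.51.100.7 city=Manchester
"""

# Assumed (approximate) coordinates for the cities in the sample; a real
# deployment would take these from an IP geolocation lookup.
CITY_COORDS = {"London": (51.51, -0.13), "Manchester": (53.48, -2.24), "Lagos": (6.52, 3.38)}

LINE_RE = re.compile(r"^(\S+) login user=(\S+) result=(\S+) ip=(\S+) city=(\S+)$")
MAX_SPEED_KMH = 900.0  # assumed: faster than an airliner counts as impossible travel


def parse(log: str) -> list:
    """Turn log text into event dicts, skipping lines that do not match the format."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, result, ip, city = m.groups()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "result": result, "ip": ip, "city": city})
    return events


def distance_km(city_a: str, city_b: str) -> float:
    """Great-circle distance between two known cities (haversine formula)."""
    lat1, lon1 = map(radians, CITY_COORDS[city_a])
    lat2, lon2 = map(radians, CITY_COORDS[city_b])
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect(log: str) -> list:
    """Return (user, alert_type, detail) tuples for suspicious successful logins."""
    alerts = []
    seen = {}  # user -> cities seen in earlier successful logins (the baseline)
    last = {}  # user -> most recent successful login event
    for ev in sorted(parse(log), key=lambda e: e["time"]):
        if ev["result"] != "success":
            continue  # failed attempts do not change the baseline
        user, city = ev["user"], ev["city"]

        # Alert 1: first successful login from a location not in the user's baseline.
        if user in seen and city not in seen[user]:
            alerts.append((user, "new-location", f"first successful login from {city}"))

        # Alert 2: previous login elsewhere, too recent for the distance covered.
        prev = last.get(user)
        if prev and prev["city"] != city:
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600
            km = distance_km(prev["city"], city)
            if hours <= 0 or km / hours > MAX_SPEED_KMH:
                alerts.append((user, "impossible-travel",
                               f"{prev['city']} -> {city} in {hours:.1f} h ({km:.0f} km)"))

        seen.setdefault(user, set()).add(city)
        last[user] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The baseline here is simply every city seen before, so the first login ever recorded for an account never alerts; in practice the baseline is built from a history window and VPN egress points and travelling staff are handled as exceptions so that the alert stays actionable.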