- Data exfiltration tactics are shifting toward Russian domains
- Remote Access Trojans see a 59% rise in phishing emails
- Malicious emails now bypass secure gateways every 45 seconds
New research has found there is a significant increase in malicious email activity as well as a shift in attack strategies.
On average, at least one malicious email bypasses Secure Email Gateways (SEGs), such as Microsoft and Proofpoint, every 45 seconds, marking a notable rise from the previous year’s rate of one every 57 seconds, the Cofense Intelligence’s third-quarter Trends Report showed.
There is a sharp increase in the use of Remote Access Trojans (RATs) which allows attackers to gain unauthorized access to a victim’s system, often leading to data theft or further exploitation.
Rise in Remote Access Trojan (RAT) usage
Remcos RAT, a widely used tool among cybercriminals is a major culprit in the rise of RAT attacks. It allows remote control of infected systems which enables the attacker to exfiltrate data, deploy additional malware, and gain persistent access to compromised networks.
Open redirects as a technique in phishing campaigns are also gaining prominence as the report reveals a 627% increase in its use. These attacks exploit the functionality of legitimate websites to redirect users to malicious URLs, often masking the threat behind well-known and trusted domains.
TikTok and Google AMP are often used to carry out these attacks, taking advantage of their global reach and frequent use by unsuspecting individuals.
The use of malicious Office documents, especially those in .docx format, rose dramatically by nearly 600%. These documents often contain phishing links or QR codes that direct victims to harmful websites.
Microsoft Office documents remain a popular attack vector because of their widespread use in business environments, making them ideal for targeting organizations through spear-phishing campaigns.
Furthermore, there is a significant shift in data exfiltration tactics, with increased usage of .ru and .su top-level domains (TLDs). Domains using the .ru (Russia) and .su (Soviet Union) extensions saw usage spikes of more than fourfold and twelvefold, respectively, indicating cybercriminals are turning to less common and geographically associated domains to evade detection and make it harder for victims and security teams to track data theft activities.
Leave a comment