
Email Attacks Using Cloud Services are Increasing

An analysis of more than 2.2 billion emails between April and June (Q2) 2019 exposes the current tactics, techniques and targets of contemporary attackers. 

FireEye's latest email threat update highlights three specific themes: attackers are following business in making greater use of the cloud; Microsoft is by far the most abused brand in phishing attacks; and, according to FireEye's VP & GM of email security, Michael Hulton, "Attackers follow the money, leading to a shakeup in the most targeted vertical industries."

In the last instance, financial services as a target has taken top spot, pushing entertainment/media/hospitality down to second position compared to Q1 2019. These two verticals alone account for almost half (26% and 23% respectively) of all detected malicious campaigns. Big risers in the top ten most attacked sectors include manufacturing (up from fifth to third) and Telecom (up from seventh to fifth). "Increased targeting of Insurance and Healthcare," says Hulton, "made both industries new additions to the top 10" (at eighth and tenth respectively).

Email attacks have increased over time. Eighty-six percent of them in Q2 can be described as 'malwareless', comprising, for example, impersonation attacks, CEO/BEC fraud, and spear-phishing. The remaining 14% contain malware. 

The BEC and CEO fraud variants increased by 25% between Q1 and Q2. Unsurprisingly, given the work-based nature of these frauds, they occur more frequently on workdays. They peak on Thursdays and Fridays, and especially at the end of a month (when targets are most likely to be harassed with work and especially financial deadlines).

It is expected that BEC attacks will be boosted in the future by the arrival of deepfake videos and audios. It was reported in September 2019 that the CEO of an unnamed UK-based energy firm was persuaded by the apparent voice of the CEO of the German parent company to wire a little under $250,000 to a Hungarian bank account. Although this was BEC vishing rather than BEC phishing, the combination of deepfake video with deepfake audio will undoubtedly increase. The delivery of these videos might vary, but the incidence of BEC attacks will grow.

Many phishing attempts seek to send the target to a URL hosting malicious content, with the ultimate aim of credential or credit card harvesting. These URL-based attacks increased by 167% between Q1 and Q2 2019. Within that figure, the increasing use of Microsoft- or O365-based phishing attacks (up by 12%) means that the Microsoft brand is now used in 68% of all phishing detections.

The cloud is increasingly being used to host the malicious URLs. The Office 365 cloud-based service and the Microsoft Azure platform and services are favorites. Page hosting platforms such as wixsite(.)com, 000webhostapp(.)com and others are used. File preview links are used to direct users to pages hosted on file sharing services such as OneDrive, Drive, Dropbox and Box.

FireEye describes five sophisticated methods by which the attackers evade detection in order to get their malicious URLs past defenses and in front of users. These include impersonation behind spoofed emails; increasing use of captcha-based evasions in both phishing and macro-based attacks; hosting malicious content that requires legitimate credentials for access on SharePoint; including multiple URLs in an email to mask the malicious URL; and nesting email phishing techniques with email msg attachments that contain phishing URLs.
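For defenders, the page-hosting, multiple-URL and nested-attachment points above translate into a triage step that extracts every URL from a message, including URLs inside attached emails, and checks each host against a watch list. The sketch below is an added example, not FireEye's code; it assumes the nested email arrives as a `message/rfc822` part (Outlook `.msg` files need a separate parser), and the sample message and function names are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Page-hosting platforms named in the article; extend from your own telemetry.
WATCHED_SUFFIXES = ("wixsite.com", "000webhostapp.com")
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

def walk_urls(part, depth=0):
    """Yield (depth, url); depth counts how many attached emails enclose the URL."""
    if part.get_content_type() == "message/rfc822":
        for inner in part.get_payload():          # the attached email itself
            yield from walk_urls(inner, depth + 1)
    elif part.is_multipart():
        for sub in part.get_payload():
            yield from walk_urls(sub, depth)
    elif part.get_content_maintype() == "text":
        for url in URL_RE.findall(part.get_content()):
            yield depth, url.rstrip(".,;")

def triage(msg):
    """Return one record per URL with its host, nesting flag and watch-list match."""
    findings = []
    for depth, url in walk_urls(msg):
        host = (urlsplit(url).hostname or "").lower()
        watched = any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)
        findings.append({"url": url, "host": host,
                         "nested": depth > 0, "watched": watched})
    return findings

def suspicious(findings):
    """Watched-host URLs, annotated with how many other URLs surround them."""
    hits = [f for f in findings if f["watched"]]
    return [dict(f, decoys=len(findings) - len(hits)) for f in hits]

def build_sample():
    """Constructed sample: two ordinary links outside, one watched link in an attached email."""
    inner = EmailMessage()
    inner["Subject"] = "Invoice"
    inner.set_content("View: https://constructed-sample.wixsite.com/login")
    outer = EmailMessage()
    outer["Subject"] = "FW: Invoice"
    outer.set_content("See https://www.example.com/about and https://www.example.org/help")
    outer.add_attachment(inner)                    # becomes a message/rfc822 part
    return email.message_from_bytes(outer.as_bytes(), policy=policy.default)

if __name__ == "__main__":
    for hit in suspicious(triage(build_sample())):
        print(hit)
```

A watch-list match is a triage signal rather than a verdict, since these platforms also host legitimate pages.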

As malware detection improves with AI-based anti-virus and new zero-day exploits grow scarcer, criminals are turning to email social engineering to bypass technology defenses. A good example of the type of techniques described by FireEye was reported last week by Prevailion in its MasterMana disclosure. Here the attackers deliver a weaponized Microsoft document with a Bitly link to a public service (such as Pastebin or Blogspot).

The one thing that is clear from the FireEye statistics and the MasterMana example is that email-based attacks are growing and will continue to grow for the foreseeable future.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.