Connect with us

Hi, what are you looking for?



US Government Releases Anti-Phishing Guidance

CISA, NSA, FBI, and MS-ISAC have released guidance and prevention recommendations on common phishing techniques.

The US cybersecurity agency CISA along with the NSA, FBI, and MS-ISAC have released a joint guide detailing commonly used phishing techniques and providing recommendations on how to mitigate them.

In phishing attacks, threat actors rely on social engineering to trick victims into revealing their credentials or into visiting a malicious website meant to deploy malware or steal their login information, which is then used to access enterprise networks or other resources.

In credential theft phishing, threat actors are known to impersonate trusted sources, such as supervisors or IT personnel, to send phishing emails and convince recipients to reveal their usernames and passwords.

Additionally, the attackers have been observed using mobile devices to send text messages on various chat platforms, and employing VoIP to spoof caller ID as part of their phishing attacks, the US government agencies note in the new guidance (PDF).

To reduce the risk of credential theft phishing, organizations are advised to implement multi-factor authentication (MFA), but to avoid weak forms, such as MFA without FIDO or PKI-based MFA enabled, push-notification MFA without number matching, and SMS and voice MFA.

Malware-based phishing also relies on the impersonation of a trusted source to lure the recipient into opening a malicious attachment or following a malicious link, to execute malware leading to initial access, information theft, system disruption or damage, or privilege escalation.

Threat actors have been observed using free, publicly available tools to send spear-phishing emails, sending malicious attachments with macro scripts, and delivering hyperlinks or malicious attachments over popular chat services.

To reduce the risk of a successful credential phishing attack, organizations should train their employees on social engineering, set firewall rules and enable email protections to prevent suspicious or malicious emails, use email and messaging monitoring, implement phishing-resistant MFA, prevent user redirection to malicious domains, block known malicious domains and IPs, restrict users’ administrative privileges, implement the principle of least privilege, and block macro and malware execution.

Advertisement. Scroll to continue reading.

Software manufacturers, CISA, NSA, FBI, and MS-ISA note, should incorporate secure-by-design and secure-by-default principles in their development processes, to mitigate the success of phishing attacks reaching their users.

The new guidance, the agencies note, is meant for network defenses at all organizations, but also includes a section dedicated to small- and medium-sized businesses, which may have limited resources to defend against phishing attacks.

Related: CISA Now Flagging Vulnerabilities, Misconfigurations Exploited by Ransomware

Related: CISA Unveils New HBOM Framework to Track Hardware Components

Related: NSA Publishes ICS/OT Intrusion Detection Signatures and Analytics

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Fraud & Identity Theft

Famed hacker Kevin Mitnick has died after a battle with pancreatic cancer.  At the time of his death, he was Chief Hacking Officer at...


Enterprise users have been warned that cybercriminals may be trying to phish their credentials by luring them with fake emails that appear to be...


The Single Most Important Part of Dealing with a Phishing Attack is Preparing for the Attack Before it Actually Happens.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...