The cyber security firm reported in its latest annual report that its researchers found more than 30.4 million phishing emails last year.
Threat actors are increasingly targeting trusted business platforms such as Dropbox, SharePoint, and QuickBooks in their phishing email campaigns and leveraging legitimate domains to bypass security measures, a new report released today has found. By embedding sender addresses or payload links within legitimate domains, attackers evade traditional detection methods and deceive unsuspecting users.
According to Darktrace’s Annual Threat Report 2024, the authors detected more than 30.4 million phishing emails, reinforcing phishing as the preferred attack technique.
Darktrace noted cybercriminals are exploiting third-party enterprise services, including Zoom Docs, HelloSign, Adobe, and Microsoft SharePoint. In 2024, 96% of phishing emails utilised existing domains rather than registering new ones, making them hard to detect.
Attackers were observed using redirects via legitimate services, such as Google, to deliver malicious payloads. In the case of the Dropbox attack, the email contained a link leading to a Dropbox-hosted PDF with an embedded malicious URL.
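A defender-side illustration of why redirects through legitimate services defeat domain-reputation checks, added here as an example and not taken from Darktrace's report: the sketch below classifies a link by its own host and by any off-site URL carried in its query string. The trusted-host list, the function names, and the sample links are all constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: hosts a reputation-based filter would pass without inspection.
TRUSTED = {"google.com", "dropbox.com", "sharepoint.com"}

def host_of(url):
    """Hostname of an http(s) URL, or None if it is not one."""
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()

def is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED)

def nested_targets(url, depth=3):
    """Yield URLs carried in query parameters, including re-encoded ones."""
    if depth == 0:
        return
    for _, value in parse_qsl(urlsplit(url).query):
        for _ in range(3):      # tolerate double or triple percent-encoding
            if host_of(value):
                yield value
                yield from nested_targets(value, depth - 1)
                break
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded

def triage(url):
    """Classify a link by its own host and by any off-site URL it carries."""
    host = host_of(url)
    if host is None:
        return "unparsed", []
    offsite = [t for t in nested_targets(url) if not is_trusted(host_of(t))]
    if not is_trusted(host):
        return "untrusted-host", offsite
    return ("trusted-host-redirect" if offsite else "trusted"), offsite

# Constructed sample links (example.net / example.org are placeholders).
SAMPLES = [
    "https://www.google.com/url?q=https%3A%2F%2Flogin.example.net%2Fdoc&sa=D",
    "https://contoso.sharepoint.com/redir?u=https%253A%252F%252Fexample.org%252Fx",
    "https://www.dropbox.com/s/abc123/invoice.pdf?dl=0",
]
```

The third sample, a plain Dropbox file link like the one in the case above, still comes back as `trusted`: when the malicious URL sits inside the hosted PDF, the link alone gives a filter nothing to flag.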
Alternatively, threat actors abused hijacked email accounts, including those from Amazon Simple Email Service, belonging to business partners, vendors, and other trusted third parties. The report’s authors say this “highlight(s) that identity continues to be an expensive problem across the estate and a persistent source of pain across enterprise and business networks.”
Among the phishing emails that Darktrace found:
The sophistication of phishing attempts continues to rise, with spear phishing — highly targeted email attacks — making up 38% of cases. Meanwhile, 32% use novel social engineering techniques such as AI-generated text with linguistic complexity. This complexity might manifest as increased text volume, punctuation, or sentence length.
Darktrace collated insights from its more than 10,000 global customers for its Annual Threat Report 2024, leveraging self-learning AI, anomaly-based detection, and thorough analysis from its threat research team.
Another attack method involves initial network breaches via vulnerabilities in edge, perimeter or internet-facing devices, followed by living-off-the-land (LOTL) techniques. This strategy exploits pre-installed, legitimate enterprise tools to execute malicious activities while avoiding detection.
Darktrace found that 40% of identified campaign activity in early 2024 involved the exploitation of internet-facing devices, including those from Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks, and Fortinet. Attackers favor LOTL techniques because they eliminate the need for custom malware and reduce the risk of triggering traditional security alerts.
On top of exploiting vulnerabilities in these edge devices, threat actors are increasingly using stolen credentials to log into remote network access solutions like VPNs for initial network access, before leveraging LOTL techniques.
Ransomware groups — including Akira, RansomHub, Black Basta, Fog, and Qilin, along with emerging actor Lynx — have increasingly been using legitimate enterprise software. Darktrace has observed these groups using:
These groups are also frequently recruited for Ransomware-as-a-Service or Malware-as-a-Service, with the use of MaaS tools increasing by 17% from the first to the second half of 2024. Use of Remote Access Trojans, malware which allows an attacker to remotely control an infected device, also increased by 34% over the same period.
Fiona Jackson is a news writer who started her journalism career at SWNS press agency, later working at MailOnline, an advertising agency, and TechnologyAdvice. Her work spans human interest and consumer tech reporting, appearing in prominent media outlets such as TechHQ, The Independent, Daily Mail, and The Sun.