Get The Latest Insights

By Jessica Ellis | June 16, 2022

Vishing reports in Q1 2022 increased nearly 550% over Q1 2021, according to Agari and PhishLabsQuarterly Threat Trends & Intelligence Report. While these Response-Based attacks have recently displayed stunning numbers, malicious emails as a whole are growing steadily, and represent the top online attack vector targeting corporate users. Malicious emails are delivered primarily in the form of Response-Based threats, Credential Theft, and Malware.

Every quarter, Agari and PhishLabs analyze hundreds of thousands of phishing and social media attacks targeting enterprises, their brands, and their employees. The data in this post is intelligence collected through the PhishLabs Suspicious Email Analysis solution.

Credential Theft

Credential Theft attacks contributed to nearly 60% of all attacks reported by corporate users in Q1. This represents a 6.9% increase in share from Q4, securing Credential Theft as the top threat to enterprises and widening the gap between it and other email attacks.

In Q1, 80% of all Credential Theft attacks contained a phishing link. Of those, half targeted corporate credentials associated with Microsoft Office 365 (O365) accounts. This is a 9.2% increase in share from Q4. O365 accounts are heavily targeted by bad actors because of the extensive range of access they provide to internal applications.

Docuphish, including malicious attachments, increased in share as well, representing 20% of all Credential Theft attacks in Q1.

Response-Based Attacks

In Q1, 419, also known as Advance Fee Fraud, attacks represented the top Response-Based threat-type, contributing to nearly 55% of volume. This threat-type consistently represents the lion’s share of Response-Based volume.

Hybrid Vishing campaigns represented 26.1% of total share of volume, with reports experiencing an all-time high in May. Vishing attacks have overtaken BEC as the second most reported threat since Q3, and have generated stunning numbers since Q1 of 2021. These two-pronged attacks combine falsely-branded emails and phone calls to trick victims into disclosing sensitive information such as personally identifiable information (PII) or account credentials. Vishing attacks delivered via email lack the typical indicators traditionally flagged by security teams, instead using telephone numbers. While unassuming, this tactic makes it particularly difficult to monitor for and detect these threats.

BEC scams contributed to nearly 13% of Response-Based attack volume, making it the third highest recorded threat. BEC attacks increased 1.6% in share from Q4 to Q1. Job Scams and Tech Support scams both declined in share, representing 6.7% and 0.2% of total attack volume, respectively.

Malware Delivery

In Q1, Qbot contributed to three-quarters of all reported malware delivery. Qbot volume has led payload attacks for two consecutive quarters, and has experienced a more than 15% increase in volume from Q4 to Q1.

Emotet experienced a 14.6% increase in activity in Q1, making it the second most reported payload variety responsible for attacks on corporate users. Emotet was reportedly dismantled in January 2021, reemerged in November, and has steadily increased to represent 16.7% of total malware volume in Q1.

BazaLoader was the third most reported payload, contributing to nearly 4% of attack volume after a 3.5% increase. Notably, Trickbot experienced an identical decline in share over the same period of time. BazaLoader and Trickbot operators have been linked to one another, and fluctuating attacks between varieties may be tied to the same criminal activity.

Other Payloads Reported in Q1:

  • LokiBot 2.3% (+2.3%)
  • VBS Downloader 1.2% (+0.2%)
  • AsyncRAT 0.8% (+0.4%)

Malicious emails reaching corporate inboxes continue to increase. In Q1, Credential Theft remained the top reported threat by volume, with O365 account credentials accounting for half of all malicious links. Response-Based attacks such as 419 and Vishing decreased in share, contributing to 37.5% of all reported threats. Although Qbot remained the leading payload within malware families for the second consecutive quarter, payload varieties continued to fluctuate dramatically. Malware volume overall experienced a decrease in Q1, but remains a significant danger to organizations, as it often only takes one click or interaction to potentially result in a crippling event for an enterprise.

Learn more about these threats and more in the Agari and PhishLabs Quarterly Threat Trends & Intelligence Report.