By John LaCour | August 26, 2021
Every quarter, PhishLabs analyzes and mitigates hundreds of thousands of phishing and social media attacks targeting enterprises. In this post, we discuss the top threats reaching corporate inboxes based on incidents detected and mitigated with our Suspicious Email Analysis solution.
Credential theft continues to represent the largest share of threats targeting corporate inboxes. Reports of credential theft have increased slightly from the beginning of the year, contributing to 63.5% of attacks.
Credential theft attacks rely heavily on social engineering to prompt users to interact with a malicious attachment or a link that leads the victim to a phishing webpage built to harvest credentials. Twenty-two percent of credential theft attacks contained malicious attachments, a 6% increase from Q1. More than 75% of attacks contained a phishing link.
Office 365 (O365) accounts can provide attackers with access to a broad range of internal applications and data. Notably, O365 attacks represented 51% of credential theft phish, making them the top corporate email threat. This represents 7.5% growth from the beginning of the year and draws attention to the importance threat actors place on accounts that offer access to multiple applications.
PhishLabs previously reported that over a two-year period, O365 phish represented more than half of all attacks reported by enterprises. The consistently high volume is a clear indicator that security teams should make every effort to proactively detect and mitigate O365 phish.
Response-based threats such as Business Email Compromise (BEC) and 419 (Advance-Fee) attacks continue to increase, contributing to 33% of credential theft reports. 419 scams represented more than half of response-based threats, despite experiencing a decrease in volume from Q1.
BEC attacks targeting corporate users continue to grow, accounting for more than a quarter of response-based threat volume. The increase in BEC scams should be noted by security teams, as losses attributed to this type of scam can be staggering. Last year, victims of BEC reported stolen funds totaling billions of dollars.
Notably, vishing attacks have more than doubled, contributing to 15.9% of reports. The increase in vishing supports the fact that threat actors continue to use a wide variety of attack methods to manipulate corporate users.
The top reported payloads continue to fluctuate, with multiple malware families observed in corporate inboxes. Malware delivery is slightly down, representing 3.5% of threats reported in corporate inboxes.
The decrease in malware incidents can be attributed to multiple factors, including the dismantling or disappearance of associated ransomware families. In Q2, Qbot, also known as Qakbot, was the most reported payload, contributing to more than half of all cases. The surge in Qbot supports evidence that despite the rise and fall of ransomware families, threat actors have access to a wide variety of malware tools that can be used to gain initial access to corporate networks.
ZLoader, FormBook, IcedID, and AsyncRAT rounded out the top five families. Together, these five families accounted for more than 80% of malware payloads found in corporate inboxes.
Corporate credentials continue to be highly targeted by threat actors. Credential theft contributes to the largest share of attacks by volume, with O365 accounts clearly favored as targets. Response-based threats such as 419 and BEC continued to evade security controls at a high rate, indicating social engineering remains a preferred and effective method of attack. Finally, top malware families continue to fluctuate based on ransomware activity, reaching user inboxes the least among threat types but remaining a very real security risk to enterprises.
Learn more about these threats in our Quarterly Threat Trends & Intelligence Report.