In their phishing email campaigns, threat actors are increasingly abusing trusted business platforms such as Dropbox, SharePoint, and QuickBooks, relying on those reputable domains to pass security checks, according to a new report released today. By hiding sender addresses or payload links behind legitimate domains, attackers evade conventional detection techniques and deceive unsuspecting users.
According to Darktrace's Annual Threat Report 2024, its authors detected more than 30.4 million phishing emails, reinforcing phishing as the preferred attack method.
Reputable business services were used in the majority of phishing schemes in 2024.
Darktrace noted that attackers are abusing third-party business services, including Zoom Docs, HelloSign, Adobe, and Microsoft SharePoint. In 2024, phishing emails were largely hard to trace because 96% of them were sent from existing domains rather than from newly registered ones.
Attackers were observed using redirects through legitimate services, such as Google, to deliver malicious payloads. In one Dropbox-themed attack, the email contained a link to a PDF, and the malicious URL was embedded inside that PDF.
Additionally, threat actors abused compromised email addresses, including those on Amazon Simple Email Service, belonging to business partners, vendors, and other trusted third parties. This "highlights that identity continues to be an expensive problem across the estate and a persistent source of pain across enterprise and business networks," according to the report's authors.
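The redirect-through-a-trusted-service pattern described above can be triaged statically, without fetching anything. The following is an added example, not code from Darktrace or from the report: it pulls links out of an email body, unwraps Google-style open redirects by parsing the target out of the query string, and flags any final destination that sits on one of the business services the report names. The redirector list, the trusted-service list and the sample email are assumptions made for illustration.

```python
"""Static triage of links in a phishing email: unwrap open-redirect
links without fetching them and flag payloads parked on trusted
business services.

Added example; not code from Darktrace or the report. The redirector
list, the trusted-service list and the sample email are assumptions
made for illustration.
"""
import re
from urllib.parse import parse_qs, urlparse

# Services the report names as abused for hosting lures and payloads.
TRUSTED_SERVICES = {
    "dropbox.com", "sharepoint.com", "quickbooks.intuit.com", "zoom.us",
    "hellosign.com", "adobe.com",
}

# Open redirectors as (host suffix, path, query parameter holding the target).
# Assumed list; the Google entry matches the classic /url?q=<target> form.
REDIRECTORS = [
    ("google.com", "/url", "q"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _suffix_match(host, suffix):
    return host == suffix or host.endswith("." + suffix)


def unwrap_redirect(url, max_hops=5):
    """Return the redirect chain [url, target, ...] using only URL parsing."""
    chain = [url]
    for _ in range(max_hops):
        parsed = urlparse(chain[-1])
        host = (parsed.hostname or "").lower()
        target = None
        for suffix, path, param in REDIRECTORS:
            if _suffix_match(host, suffix) and parsed.path == path:
                target = parse_qs(parsed.query).get(param, [None])[0]
                break
        if not target or target in chain:  # no redirector here, or a loop
            break
        chain.append(target)
    return chain


def classify(url):
    """Unwrap the link and say where the final destination is hosted."""
    chain = unwrap_redirect(url)
    final = chain[-1]
    host = (urlparse(final).hostname or "").lower()
    trusted = any(_suffix_match(host, s) for s in TRUSTED_SERVICES)
    hops = len(chain) - 1
    if hops and trusted:
        verdict = "redirect-to-trusted-service"
    elif trusted:
        verdict = "trusted-service-hosted"
    elif hops:
        verdict = "redirect"
    else:
        verdict = "direct"
    return {"url": url, "final": final, "redirect_hops": hops,
            "trusted_service": trusted, "verdict": verdict}


def triage_email(body):
    """Classify every link in an email body; trailing punctuation is stripped."""
    return [classify(m.rstrip(".,;:)")) for m in URL_RE.findall(body)]


# Constructed sample: a Google redirect to a Dropbox-hosted PDF, a direct
# SharePoint link and an ordinary unsubscribe link.
SAMPLE_BODY = """Hi, your invoice is ready.
Review it here: https://www.google.com/url?q=https%3A%2F%2Fwww.dropbox.com%2Fs%2Fx1%2Finvoice.pdf&sa=D
Portal: https://contoso.sharepoint.com/sites/finance/Shared%20Documents/q4.pdf
Unsubscribe: https://mail.example.net/unsub?id=42
"""

if __name__ == "__main__":
    for r in triage_email(SAMPLE_BODY):
        print(r["verdict"], r["final"], "hops:", r["redirect_hops"])
```

A "trusted-service-hosted" verdict is not a clean bill of health; it is the cue to detonate or inspect the hosted file, because domain reputation alone says nothing about what the PDF contains.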
Phishing attacks surge with AI-generated methods
Among the phishing emails Darktrace discovered:
- 2.7 million contained multi-stage malicious payloads.
- More than 940,000 contained malicious QR codes.
The sophistication of phishing attempts continues to rise, with spear phishing (highly targeted email attacks) making up 38% of cases. A further 32% employ novel social engineering techniques such as AI-generated text with unusual linguistic complexity. This complexity may show up as increased word volume, punctuation, or word length.
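The three stylistic signals named above (word volume, punctuation, word length) can be measured directly. The following is an added example and is not Darktrace's detection logic: it computes those features for a message and compares them against the mean of a small baseline of ordinary mail, flagging a message when at least two features exceed the baseline by a factor of 1.5. The features, the 1.5x ratio, the two-feature rule and all sample messages are assumptions for illustration; a real deployment would baseline per sender and per language rather than over a handful of generic messages.

```python
"""Crude stylometric check for the "linguistic complexity" signal the
report describes: word volume, punctuation and word length of a message
compared with a baseline of ordinary mail.

Added example, not Darktrace's detection logic. The features, the 1.5x
ratio, the two-feature rule and the sample messages are assumptions for
illustration.
"""
import re

WORD_RE = re.compile(r"[A-Za-z]+(?:'[A-Za-z]+)?")
PUNCT = set(".,;:!?()\"-")
RATIO = 1.5          # a feature counts as elevated above this multiple of baseline
MIN_ELEVATED = 2     # how many elevated features it takes to flag a message


def features(text):
    """Word count, punctuation count and mean word length of one message."""
    words = WORD_RE.findall(text)
    n = len(words)
    return {
        "word_count": n,
        "punctuation": sum(1 for ch in text if ch in PUNCT),
        "avg_word_len": (sum(len(w) for w in words) / n) if n else 0.0,
    }


def baseline_profile(texts):
    """Per-feature mean over a set of known-ordinary messages."""
    feats = [features(t) for t in texts]
    return {k: sum(f[k] for f in feats) / len(feats) for k in feats[0]}


def score_message(text, baseline):
    """Compare one message to the baseline and decide whether to flag it."""
    f = features(text)
    elevated = [k for k, v in f.items()
                if baseline[k] > 0 and v / baseline[k] >= RATIO]
    return {"features": f, "elevated": elevated,
            "flagged": len(elevated) >= MIN_ELEVATED}


# Constructed samples: three short, ordinary messages as the baseline, one
# verbose lure in the style the report describes, and one benign reply.
BASELINE = [
    "Hi team, please review the attached invoice and let me know if you have questions.",
    "Can you send the report by Friday? Thanks.",
    "Meeting moved to three. Same room.",
]
SUSPECT = ("Dear esteemed colleague, I trust this correspondence finds you well; "
           "kindly peruse the meticulously prepared documentation, which "
           "comprehensively delineates the outstanding remuneration, and "
           "furnish your confirmation expeditiously.")
BENIGN = "Thanks, the invoice looks fine. I will pay it Monday."

if __name__ == "__main__":
    profile = baseline_profile(BASELINE)
    for label, msg in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, score_message(msg, profile))
```

The benign reply trips the punctuation feature on its own (three marks against a baseline of two), which is why the rule demands two elevated features before flagging; a single stylometric feature is far too noisy to act on by itself.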
Darktrace compiled insights from its more than 10,000 customers worldwide for its Annual Threat Report 2024, drawing on self-learning AI, anomaly-based detection, and analysis by its threat research team.
Living-off-the-land methods: A growing security risk
Another attack pattern begins with an initial network breach through vulnerabilities in edge, perimeter, or other internet-facing devices, followed by living-off-the-land (LOTL) techniques. This strategy abuses pre-installed, legitimate enterprise tools to carry out malicious activity while avoiding detection.
Darktrace found that 40% of identified campaign activity in early 2024 involved the exploitation of internet-facing devices, including Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks, and Fortinet products. Attackers favor LOTL strategies because they reduce the need for custom malware and lower the chance of triggering traditional security alerts.
Threat actors are also increasingly using stolen credentials to log into remote network access solutions such as VPNs for initial access, before turning to LOTL techniques and the exploitation of vulnerabilities in these edge devices.
Ransomware groups use stealthy techniques with enterprise tools
Ransomware groups, including Akira, RansomHub, Black Basta, Fog, and Qilin, along with the emerging actor Lynx, have increasingly been using legitimate enterprise software. Darktrace has observed these groups using:
- AnyDesk and Atera to mask command-and-control communications.
- Cloud storage services for data exfiltration.
- File-transfer tools for rapid exploitation and double extortion.
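Because the tools in that list are legitimate, signature-based detection has nothing to match on; what separates abuse from normal use is context: which host runs the remote-access tool, which process is talking to cloud storage, and how much it sends. The following is an added example, not Darktrace code, that runs those three checks over constructed endpoint telemetry in a JSON-lines format: a remote-access tool on a host outside a sanctioned allowlist, a file-transfer utility making outbound connections, and uploads to cloud storage that cross 1 GiB once chunks are summed per host, process and destination. The log format, the tool and domain lists, the allowlist and the threshold are all assumptions for illustration.

```python
"""Flag living-off-the-land tooling in endpoint telemetry: remote-access
tools on hosts where they are not sanctioned, file-transfer utilities
talking out of the network, and bulk uploads to cloud storage.

Added example; not Darktrace code. The JSON-lines log format, the tool
and domain lists, the sanctioned-host allowlist and the 1 GiB threshold
are assumptions for illustration.
"""
import json
from collections import defaultdict
from ntpath import basename as win_basename   # handles backslash paths on any OS

RMM_TOOLS = {"anydesk.exe", "ateraagent.exe"}          # assumed binary names
TRANSFER_TOOLS = {"rclone.exe", "winscp.exe", "megasync.exe", "filezilla.exe"}
CLOUD_STORAGE = {"dropbox.com", "dropboxapi.com", "mega.nz", "mega.io"}
SANCTIONED_RMM_HOSTS = {"HD-007"}        # help-desk machines allowed to run RMM
BULK_THRESHOLD = 1 << 30                 # 1 GiB, summed per host/process/destination


def _image_name(path):
    return win_basename(path).lower()


def _in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def detect(log_lines):
    """Return a list of alerts for the given JSON-lines endpoint events."""
    alerts = []
    uploads = defaultdict(int)   # (host, image, dest) -> bytes_out summed
    for line in log_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        image = _image_name(ev.get("image", ""))
        if ev["type"] == "process":
            if image in RMM_TOOLS and ev["host"] not in SANCTIONED_RMM_HOSTS:
                alerts.append({"host": ev["host"], "rule": "unsanctioned-rmm",
                               "detail": f"{ev['image']} as {ev.get('user', '?')}"})
        elif ev["type"] == "network":
            dest = ev.get("dest_host", "").lower()
            if image in TRANSFER_TOOLS:
                alerts.append({"host": ev["host"], "rule": "transfer-tool-egress",
                               "detail": f"{image} -> {dest}"})
            elif _in_domains(dest, CLOUD_STORAGE):
                # Sum chunked uploads so small pieces still add up to a signal.
                uploads[(ev["host"], image, dest)] += int(ev.get("bytes_out", 0))
    for (host, image, dest), total in sorted(uploads.items()):
        if total >= BULK_THRESHOLD:
            alerts.append({"host": host, "rule": "bulk-upload-to-cloud-storage",
                           "detail": f"{image} sent {total} bytes to {dest}"})
    return alerts


# Constructed telemetry: AnyDesk dropped in a user's temp dir, rclone pushing
# data to Dropbox, a browser upload split into two 600 MiB chunks, a sanctioned
# help-desk AnyDesk, and an ordinary small request to Dropbox.
SAMPLE_LOG = r"""
{"host": "WS-042", "type": "process", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\AnyDesk.exe", "user": "CORP\\bob"}
{"host": "WS-042", "type": "network", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\AnyDesk.exe", "dest_host": "relay-1.net.anydesk.com", "bytes_out": 204800}
{"host": "SRV-FS01", "type": "network", "image": "C:\\Tools\\rclone.exe", "dest_host": "content.dropboxapi.com", "bytes_out": 5368709120}
{"host": "WS-031", "type": "network", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "www.dropbox.com", "bytes_out": 629145600}
{"host": "WS-031", "type": "network", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "www.dropbox.com", "bytes_out": 629145600}
{"host": "HD-007", "type": "process", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "user": "CORP\\helpdesk"}
{"host": "WS-019", "type": "network", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dest_host": "www.dropbox.com", "bytes_out": 51200}
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a["host"], a["rule"], a["detail"])
```

The help-desk AnyDesk and the small Firefox request produce nothing, which is the point: the same binary and the same destination are benign or malicious depending on host, process and volume, so the allowlist and the per-tuple byte sum carry the detection rather than the tool name alone.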
These groups also frequently turn to Ransomware-as-a-Service or Malware-as-a-Service offerings, with the use of MaaS tools increasing by 17% from the first to the second half of 2024. The use of remote access trojans, malicious programs that let an attacker control an infected device remotely, increased by 34% over the same period.