Email phishing remains one of the most dangerous vectors for organizational cyberattacks, as well as one of the most difficult to defend against, with deceptive links, brand impersonation and other phishing threats sharply on the rise.
A study published Tuesday by web services and security vendor Cloudflare, which analyzed 250 million malicious email messages sent between May 2022 and May 2023, found that deceptive links accounted for over a third of all detected threats — 35.6%. Scammers have become increasingly skilled at making their messages appear legitimate, appropriating graphics and formatting used by legitimate senders. The consequences of clicking a malicious link can range from credential harvesting, if a user enters credentials on an attacker-controlled landing page, to remote code execution and network compromise.
Moreover, the standard techniques used in phishing attacks are becoming more sophisticated, Cloudflare said. Attackers will set up malicious domains well in advance of sending phishing emails, to evade systems that alert when messages come from newly created domains, for instance. It’s also become relatively straightforward for attackers to bypass common email server security techniques, like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC).
These techniques don’t work against spoofed domain names or look-alike emails that fool networks into thinking that an email is secure. And none of them inspect the content of the messages themselves, according to Cloudflare, meaning that they only check to see whether the sending domain is configured correctly.
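The gap described above can be shown from the receiving side. This is an added example, not code from Cloudflare's report: a triage check that reads a message's Authentication-Results header and separately compares the From domain against a list of protected brands. The protected list, the digit-substitution table, the verdict labels and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brands this organization chooses to protect (two names from the report).
PROTECTED = {"microsoft.com", "google.com"}
DIGIT_SWAPS = str.maketrans("0135", "oles")  # common digit-for-letter substitutions

# Constructed sample: passes SPF, DKIM and DMARC for the domain the sender controls.
SAMPLE = (
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=micros0ft-support.example;"
    " dkim=pass header.d=micros0ft-support.example; dmarc=pass header.from=micros0ft-support.example\n"
    "From: Microsoft Account Team <security@micros0ft-support.example>\n"
    "Subject: Unusual sign-in activity\n\nPlease review your account.\n"
)

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def impersonated_brand(domain):
    """Return the protected domain that `domain` imitates, or None."""
    domain = domain.lower()
    if any(domain == p or domain.endswith("." + p) for p in PROTECTED):
        return None  # genuinely the brand's own domain or a subdomain of it
    tokens = re.split(r"[.\-]", domain.translate(DIGIT_SWAPS))
    for brand in sorted(PROTECTED):
        label = brand.split(".")[0]
        if any(edit_distance(t, label) <= 1 for t in tokens):
            return brand
    return None

def triage(raw):
    """Combine the authentication verdicts with a look-alike check on the From domain."""
    msg = message_from_string(raw)
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    brand = impersonated_brand(domain)
    passed = bool(auth) and all(v == "pass" for v in auth.values())
    verdict = "lookalike" if brand else ("authenticated" if passed else "auth-fail")
    return {"auth": auth, "from_domain": domain, "imitates": brand, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The sample passes all three authentication checks because the sender's own domain is configured correctly; only the separate comparison against the protected list flags it.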
Impersonating someone else’s identity was one of the fastest-growing techniques, jumping from 3.9% of detected threats to 14.2% in the past year. The most-faked identity was Microsoft, which turned up in 9.9% of all such attacks. Rounding out the top 10 most-impersonated brands were the World Health Organization, Google, SpaceX, Salesforce, Apple, Amazon, T-Mobile and MasterCard. Brand impersonation tended to concentrate around very well-recognized organizations, according to Cloudflare’s study, with about 60% of all such incidents involving the very largest brands in the world.
Finally, compromised emails at vendors and other large organizations can be particularly dangerous, because they don’t require malicious attachments or deceptive links — a bad actor can simply send something like a fake invoice from a legitimate source. Business email compromise attacks represented a fairly small percentage of all threats (0.5%), and Cloudflare said that this is partially due to their being identified early in the attack cycle.