Cybersecurity experts are sounding the alarm after a large-scale phishing campaign impacted over 80 organizations in many sectors and highlighted the tremendous increase in complexity and volume of cyber threats. This campaign impacted businesses and government agencies, healthcare organizations, and tech companies, and is reflective of how far phishing has come since being nothing more than email scams, to being a highly strategic and organized cybercrime endeavor.
In recent years, there has been a significant shift in the capabilities of threat actors to carry out phishing campaigns, as they continue to use artificial intelligence (AI), social engineering techniques, credential harvesting techniques, cloud-based attack infrastructure, and multi-layered malware deployment strategies to gain access to enterprise systems. According to security researchers, the attack is considered one of the most sophisticated coordinated phishing operations of recent years.
The incident reinforces a disturbing fact about organizations around the world: despite making investments in advanced cybersecurity technologies, the human element is still one of the weakest links in the digital security supply chain. Cybercriminal enterprise groups will continually refine their tactics and techniques, leading to increasingly targeted, believable, and costly phishing attacks.
This article looks at the nature of the phishing campaign that affected over 80 organizations, discusses how the attackers conducted the attacks, identifies which industries were most affected, and examines the overall implications for global cybersecurity strategy.
The Modern Phishing Threat: Explained
Phishing is when someone tries to fraudulently obtain your sensitive information, such as usernames and passwords, financial information, or confidential business information, by pretending to be someone or something trusted. Phishing emails have historically been relatively easy to spot because they were poorly written and carried generic, suspicious, or otherwise unclear content. However, phishing attacks have become much more sophisticated and continue to develop at an unprecedented pace.
Today, attackers conduct extensive reconnaissance of their targeted companies and employees to create very specific, highly personalized messages based on information obtained from social media platforms, company websites, publicly available databases, and breached company databases. These attacks are commonly referred to as ‘spear-phishing,’ and they have proven to be much more of a threat than ‘traditional’ mass phishing emails.
According to the reports, the most recent attack against over 80 organizations involved complex impersonation methods, such as false login portals, malicious links to cloud-based storage, and spoofed emails from corporate offices. Victims believed they were interacting with legitimate business applications and promptly provided their login credentials or downloaded malware.
Phishing operations increasingly mimic the platforms their victims use every day, such as Microsoft 365, Google Workspace, Slack, Dropbox, and the company’s internal human resources portal. Because employees interact with these services daily, the familiarity significantly increases the effectiveness of the phishing operation.
Operating the Campaign
Security experts who investigated this incident discovered that the attackers used a multi-stage phishing strategy, supported by forged infrastructure, designed to evade traditional security controls at each phase of the attack. The campaign started with professionally crafted emails that impersonated trusted business partners, company executives, or IT administrators. Almost every message carried some form of urgency: a password reset, an invoice review, a document awaiting approval, or an account verification required for compliance.
When the target clicked the embedded URL, they were taken to a site that was created to look very similar to legitimate login portals. These fake sites captured the usernames and passwords of the targeted individual, as well as any multi-factor authentication tokens.
Attackers also employed a form of session hijacking. In addition to capturing usernames and passwords, they captured the active, authenticated sessions of logged-in users, which allowed them to circumvent multi-factor authentication (MFA) protections for a limited period of time. This technique is becoming increasingly popular with sophisticated actors targeting organizations that rely on MFA as their primary security control.
Researchers also discovered that the phishing infrastructure used in these campaigns was highly sophisticated in how the attackers used legitimate-looking domains. They rotated domains frequently and used encrypted communication to and from their servers, and cloud-based hosting appears to have been used to avoid detection. Security analysts believe that automation was likely responsible for scaling the phishing activity seen across dozens of organizations at once.
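One detection a defender can run against sign-in telemetry for the session hijacking described above is to look for a session cookie that reappears from a different source address shortly after the MFA-completed sign-in that minted it. This is an added example, not code from the article or from any vendor product; the event schema and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (hypothetical schema, not from any real
# product). Each record is one request authenticated by a session cookie;
# "mfa" marks the interactive sign-in that completed MFA and minted the cookie.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "session": "s-1",
     "ip": "203.0.113.10", "ua": "Edge/124", "mfa": True},
    {"ts": "2024-05-01T09:03:00", "user": "alice", "session": "s-1",
     "ip": "198.51.100.7", "ua": "Chrome/120", "mfa": False},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "session": "s-2",
     "ip": "203.0.113.22", "ua": "Edge/124", "mfa": True},
    {"ts": "2024-05-01T10:20:00", "user": "bob", "session": "s-2",
     "ip": "203.0.113.22", "ua": "Edge/124", "mfa": False},
]

def find_session_replays(events, window=timedelta(minutes=30)):
    """Return sessions whose cookie reappears from a different source IP within
    `window` of the MFA-completed sign-in that created it. A phishing proxy
    relays the victim's real MFA step and then reuses the captured cookie from
    its own infrastructure, so the cookie's next use carries a different client
    fingerprint than the sign-in that minted it."""
    by_session = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session.setdefault(e["session"], []).append(e)
    findings = []
    for sid, evs in by_session.items():
        origin = next((e for e in evs if e["mfa"]), None)
        if origin is None:
            continue  # no MFA sign-in recorded for this cookie; out of scope
        t0 = datetime.fromisoformat(origin["ts"])
        for e in evs:
            if e is origin or e["ip"] == origin["ip"]:
                continue
            if datetime.fromisoformat(e["ts"]) - t0 <= window:
                findings.append({
                    "user": e["user"], "session": sid,
                    "minted_from": origin["ip"], "reused_from": e["ip"],
                    # A changed user agent alongside the IP change raises
                    # confidence; an IP change alone can be a legitimate roam.
                    "ua_changed": e["ua"] != origin["ua"],
                })
    return findings

if __name__ == "__main__":
    for finding in find_session_replays(SAMPLE_EVENTS):
        print(finding)
```

In production the same logic would join on ASN or device identity rather than raw IP, and would feed a token revocation rather than only an alert.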
Industries Affected
The phishing campaign is reported to have targeted numerous organizations across multiple sectors, showing that all industries are at risk from today’s cyber threats.
Banks and Financial Institutions
Banks and financial institutions have traditionally been seen as the primary target for cybercriminals due to their access to sensitive customer records and financial data. Cybercriminals tend to target bank employees, as well as the payment process and internal communications, in order to commit fraud or launch ransomware attacks.
According to the Kibana report, several banking institutions were the victims of credential theft in attempts to compromise remote access systems and cloud-based collaboration tools.
Healthcare Providers
Due to weak infrastructure, small IT budgets, and extremely valuable patient data, the healthcare sector continues to deal with significant cybersecurity issues. Phishing attacks against hospitals and care providers continue to disrupt hospital operations and endanger patient care, and many hospitals still see phishing and spear-phishing as the main avenue of attack against their workforce.
The report indicated that fake compliance notifications relating to insurance claims and payment systems were used to target healthcare employees and hospitals.
Governmental Institutions
Governmental institutions are becoming a larger target as cybercriminals and state-sponsored groups look to gather intelligence, disrupt the activities of governmental agencies, or gain political leverage. Phishing continues to be one of the primary methods used to gain access to government agencies in the public sector.
Analysts suggest that as part of the phishing campaign, attempts were made to obtain administrator-level credentials and gain access to internal government systems.
Tech Companies
Due to the value of their intellectual property, access to cloud infrastructure, and sensitive credentials, technology companies make attractive targets for cybercriminals. Attackers often target developers, IT admins, and engineering teams through phishing campaigns disguised as software updates or technical documentation.
Multiple technology companies affected by the recent phishing campaign claim to have seen unauthorized login attempts associated with stolen employee credentials.
Reasons Phishing Attacks Are Still So Successful
Despite years of security awareness training and improvements in email filtering technologies, phishing remains one of the most successful methods of cyber attack worldwide. Multiple factors explain the continued success of phishing campaigns.
Psychology of People
Phishing attacks take advantage of fundamental human psychological traits such as urgency, trust, fear of loss, curiosity, and deference to authority. An employee under pressure is, in general, more likely to click a suspicious hyperlink or open an attachment without conducting proper due diligence.
A full-scale phishing campaign is typically executed with a high volume of emails, each intended to generate an emotional response in the recipient. For instance, messages about payroll deposits, account suspensions, compliance deadlines, and requests for action from executive leadership create a sense of urgency and compel the employee to react quickly.
Remote and Hybrid Work Environments
The increase in remote work has resulted in more reliance on email, messaging services, and online collaborative technologies. Employees are exchanging data electronically substantially more now than in the past, providing a greater opportunity for cybercriminals to target them.
Remote work environments and physical distance have also reduced the ability to verify suspicious emails or communications directly with the employee’s peers or with the IT department.
The Threat Actors are More Sophisticated than Ever
In the past, most phishing campaigns were operated by amateur hackers. Now, organized cybercriminals work together as if they were running a legitimate business, with individuals responsible for different functions such as development, infrastructure, and social engineering.
Many phishing kits sold on illegitimate forums offer tools such as automated credential harvesting, CAPTCHA bypass, and ready-made impersonation templates. This ‘as a service’ model of cybercrime has lowered the barrier to entry for attackers around the world.
The Use of AI Content for Phishing
The use of artificial intelligence (AI) has significantly changed the phishing landscape. Today, phishers use AI tools to write grammatically correct emails, to translate them into multiple languages, and to personalize them at a larger scale than before.
This surge in the use of AI-generated phishing emails has made them far more believable due to their relative lack of spelling and formatting errors as compared to traditional forms of phishing.
Cybersecurity experts are concerned that advancements in voice cloning technology and deepfake video technology will significantly increase the success of future phishing campaigns.
The Importance of Credential Theft in Phishing Success
The primary goal of many phishing campaigns is credential theft, as stolen credentials give cybercriminals direct entry into a business’s systems.
By using valid login credentials, cybercriminals are able to move laterally through the victim’s network, gain elevated privileges, steal sensitive business information, and deploy ransomware.
Security analysts indicate that cloud environments are now one of the most appealing targets because an attacker who obtains access to a single Microsoft 365 or Google Workspace account may access that person’s email, documents, contacts, calendar, and authentication systems. In addition, attackers often use stolen credentials to conduct business email compromise (BEC) attacks, impersonating a high-level executive or vendor in order to carry out fraudulent financial transactions.
As evidenced by the recent large-scale phishing campaign directed against over 80 organizations, cybersecurity teams are feeling tremendous pressure in addressing the security of modern enterprise environments.
Security Operations Center (SOC) personnel receive enormous volumes of alerts every day, mixing genuine detections with false positives. Because large-scale phishing campaigns rely on quickly shifting infrastructure and techniques, it has become increasingly challenging to distinguish genuine malicious activity from false alerts. When security teams are subjected to continued alert overload, response is delayed, which ultimately contributes to the success of an attack.
As organizations continue moving toward hybrid-cloud business, employees now work across a mix of cloud, remote, mobile, and third-party environments. This expanded attack surface has made it easier for phishing attackers to infiltrate and compromise user accounts.
The shortage of cybersecurity talent is also an ongoing challenge for all businesses: companies are struggling to recruit and develop the expertise needed to combat advanced phishing attacks. As a result, this lack of expertise significantly limits the ability of organizations to put in place the cybersecurity personnel and processes needed to address advanced phishing attack vectors.
Evolving Evasion Techniques for Attackers
Modern-day attackers find creative and innovative ways to modify and adapt their tactical approaches in order to evade detection. Use of obfuscated URLs, QR code “quishing”, encrypted payloads, and methods for bypassing MFA are common examples of evolving tactics being utilized to challenge traditional defense approaches.
Existing security solutions that may have been sufficient to protect against phishing attacks in the past may no longer be able to provide the same level of protection to organizations as a result of the more sophisticated phishing operations currently being executed worldwide.
Best Practices for Mitigating Phishing Attacks
Although the sophistication of phishing attacks continues to increase at an alarming rate, organizations can still greatly reduce their overall risk through the use of a layered cybersecurity approach.
Ongoing Employee Security Awareness Training
Security awareness training is the primary method by which organizations can defend against phishing attacks. Organizations should actively engage their employees in ongoing education and training related to how to recognize potentially suspicious emails, how to verify requests made of them, and how to report possible threats.
In addition to ongoing training and education for their employees, organizations should conduct phishing simulation exercises to measure the level of preparedness of their employees and to identify potential vulnerabilities.
Utilization of Multi-Factor Authentication
Although attackers continue to attempt to bypass multi-factor authentication, it continues to provide a valuable additional level of protection. Organizations should deploy phishing-resistant methods of authenticating users (e.g., hardware security keys and passkeys) at every opportunity.
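The reason hardware keys and passkeys resist the proxy-style attacks described earlier is that the browser and authenticator bind each assertion to the origin the user was actually on and to the relying party ID, and the site checks both before accepting the login. The block below, an added example not taken from the article or from any WebAuthn library, implements those binding checks for a relying party whose origin and RP ID are assumed values; signature verification is deliberately left out.

```python
import base64
import hashlib
import json

# Assumed relying-party settings for this illustration (not from the article).
EXPECTED_ORIGIN = "https://login.example.com"
RP_ID = "login.example.com"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            issued_challenge: bytes):
    """Run the origin/RP-ID binding checks a relying party performs on a
    WebAuthn assertion before verifying its signature. The browser records the
    origin the user was really on, and the authenticator hashes the RP ID it was
    asked for; both are covered by the signature, so a credential exercised on a
    look-alike or proxy domain yields values the genuine site rejects."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(cd.get("challenge", "")) != issued_challenge:
        return False, "challenge does not match the one issued for this login"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    return True, "binding checks passed (signature check still required)"

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed helper producing what a browser serializes as clientDataJSON."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()

# Constructed inputs: one assertion from the genuine site and one that a proxy on
# a look-alike domain would collect for the same challenge. (In practice the
# rpIdHash would differ too; the origin check alone is enough to reject it.)
CHALLENGE = bytes(range(32))
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + b"\x05" + (7).to_bytes(4, "big")
GENUINE = make_client_data(EXPECTED_ORIGIN, CHALLENGE)
PROXIED = make_client_data("https://login.example.com.evil-proxy.test", CHALLENGE)

if __name__ == "__main__":
    print(check_assertion_binding(GENUINE, AUTH_DATA, CHALLENGE))
    print(check_assertion_binding(PROXIED, AUTH_DATA, CHALLENGE))
```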
Zero Trust Security Architecture
Zero-Trust security architecture assumes that no user or device is trusted automatically, and that nothing is assumed to be secure simply because it is accessing a resource from inside the internal network. Adopting this model limits the movement of an attacker who has compromised user credentials. Typically, Zero-Trust strategies rely on continuous authentication, least-privilege access control, and device validation.