1、2023 ANNUAL STATE of EMAIL SECURITY REPORTISSUED MARCH 20232023 Cofense Annual State of Email Security Report 1CONTENTS2023 Cofense Annual S�������������tate of Email Security Report 1Letter from the CISO .2 SECTION 1 Executive Summary .3 Top Attack Vector in 2022:Credential Phishing .5 Emotet&Qakbot Remain the
2、Top Malware Families �����to Watch .5 BEC Continues to be One of the Top Cybercrimes for the 8th Year���� in a Row Related to Financial Losses .7SuccessfullyBypassingTwo-FactorAuthorization(2FA)toGainAccesstoAccounts Payroll Diversion Attacks Still Flying Under the Radar Law Enforcements Takedown of Cybercri
3、me Scamming the ScammersAttackersStillRequestGiftCardsin2022 Web3 Technologies Used in Phishing Campaigns Increased 341%.9 Telegram Bots as Exfiltration Destinations Increased 800%.9 SECTION 2 Phish S�����wimming in Murky Waters .10 Downstream Impacts,Ransomware .10Big Breaches .10World Events .11Blockch
4、ain,Cryptocurrency and NFT Phishing .11Energy Sector(Critical Infrastructure)on High Alert .13Malicious HT������ML Attachments .13Adobe is the T Domain Abused to Deliver Phishing Emails .14Top Malicious Attachment Types R������eaching Inboxes .15EmotetPhishingEmailsExploit2022TaxSeason,SpoofingIRS Return of Emo
5、tet Phishing Emails Malware Foothold:QakBot Noteworthy Mentions .17PhishingAttacksSupportedbyIllicitMarketplaces“PhishingasaService(PaaS)”ContiLeaksDemonstratedImportanceofPhishinginRansomwareOperations Whaling in Bulk Industry ��������Overview .19 SECTION 3 So Now What?.21 H�������ow to Enhance Your Email Securit
6、y .21 Checklist:Protect Your Organization from Top������� Threats .23 BEC/Vendor Email Compromise Credential Phishing Attachments Malware 23CONCLUSION .24APPENDIX .25 List of Figures .252023 Cofense Annual State of Email Security Report 2LETTER FROM THE CISOAs I transition from behind the scenes of this re
7、port,I wanted to take a moment to share some of my thoughts on what weve seen over the past year.Taking on the role of CISO has added some additional insight as I stepped back into the role of practitione�����r again.Now that I review our cyber insurance and 3rd party questionnaires,it has given me persp
8、ective into why organizations have started asking more questions about simulation metrics.Something that hasnt changed over the last year,your SOC still needs HELP!As teams continue to deal with workforce shortages,remote���� work and burnout,optimizing processes and automation are even more critical to
9、 defend the perimeter.As Ive spent time with incident responders a�����nd attended conferences to hear from practitioners,its clear the community demands products and solutions to integrate together rather than stand-alone products.Its this reason that weve continued to enhance our APIs,while also expand
10、ing our integration partnerships,allowing you to quickly identify threats hitting the inbox and moving those IOCs to your other controls to defend against the adversary quickly.Have you followe�������d the trend of adding a Cyber Threat Intelligence(CTI)team?We continue to hear from customers that are buil
11、ding out teams to become more proactive in defending against the threat landscape.But adding more threat feeds isnt productive or������ helping your SOC automation.This is why we have stood firm on our“human-vetted”intelligence,to ensure you can depend on adding IOCs to your automation.Its more critical t
12、han ever to ensure your intelligence feeds are actionable intelligence allowing you to reduce noise and provide context to those alerts.As I think about the con�����versations Ive had with SOC teams,its become clear ������they have a love-hate relationship with the reporting of suspicious emails versus employe
13、es ju���st deleting them.Our intelligence is enriched because users report suspicious emails.The SOC can benefit from those suspicious messages being reported by extracting the IOCs and taking action to mitigate a threat.However,the button that is often used is the“delete”button by the u�������ser who is just
14、 flat-out annoyed with“spam”and wants it to stop.As I scanned through the �����simulation campaigns sent over the year,it suddenly occurred to me why users struggle with whether or not to report an email.Its because youre sending the wrong types of simulat������ions,coupled with punitive programs putting addit
15、ional pressure on the ������user to just report the email.Simulate the threats making it to the inbox NOT the topics already blocked by your spam filters,aka your Secure Email Gateway.Im looking at you“eCard/Vale�����ntines”campaign fans.As you read this report,youll find it difficult to identify the simulatio
16、n section as weve reported in years past.That was intentional.For years weve pushed our security awareness teams to align their programs to“�������real phish.”For the past few years,weve only added templates based on real phish weve observed.That too is intentional.But what you find are some highlights of
17、what we observed over the year and how you can adjust your Security Awar�������������eness and Incident Response programs to better defend against the phishing threats making it to your users inboxes.It has been an exciting year talking to customers who have experienced the impact of the network effect.Tonia Dud
18、ley VP,CISO at Cofense 2023 Cofense Annual State of Email Security Report 2Its more critical than ever to ensure your intelligence feeds are a�������ctionable intelligence allowing you to reduce noise and provide context to those alerts.Tonia Dudley VP,CISO at CofenseSECTION 12023 C�������ofense Annual State of E
19、mail Security Report 3 SECTION 1EXECUTIVE SUMMARYIn 2022,cybersecurity threats increased e������xponentially and its no surprise the vast majority involved phishing.As threats increase in frequency,intensity,and sophistication,the need for rapid and actionable intelligence has never been greater.As a resu
20、lt of this increased frequency,Cofense Intelligence saw 569%more malicious p����hishing emails,had a 478%increase in the number of credential phishing related Active Threat Reports published and identified a 44%increase in malware.Based on this data,we conclude that credential phishing was t��������he cyber thr
21、eat of choice in 2022.FIGURE 1:TOP THEMES IN ACTIVE THREAT REPORTSFinanceNotification/OtherAccount/Password AlertDocumentShippingVoicemailOrderResponseBenefitsFax37%36%8%6%3%2%2%1%1%5%Due to this increase in threat activity,we were abl�����e to detect,auto-quarantine,and remove a record-setting number of
22、 malicious emails and phishing c������ampaigns that were missed by Secure Email Gateways(SEGs)as seen in Figure 2.FIGURE 2:COFENSE AUTO-QUARANTINE SUMMARYMalicious Emails Detected Using Cofense Intelligence2021 Q12021 Q22021 Q32021 Q42022 Q12022 Q22022 Q32022 Q4150,000100,00050,0000Unique Campaigns Identi
23、fied255����,863Total Malicious Emails Identified480,754Cofense Intelligence saw 569%more malicious phishing emails,had a 478%increase in the number of credential phishing related Active Threat Reports published and identified a 44%increase in malware.Thanks to the power of Cofense Intelligence,we saw a
24、626%YoY increase in emails detected and auto-quar������antined from customer inboxes worldwide.SECTION 12023 Cofense Annual State of Email Security Report 4 Credentia������l Phishing is the top attack vector with a 478%increase in malicious emails identified Emotet&QakBot remain the top malware families to watc
25、h BEC cont�����inues to be one of the top cybercrimes for 8th year in a row Web3 technologies used in phishing campaigns increased 341%Telegram bots as exfiltration destinations increased 800%The cybersecurity landsca������pe is always evolving,so it is imperative to stay on top of the latest trends and tactic
26、s.To learn more about what o�������ur intelligence trends revealed,heres a more in-depth look at what we discovered last year.Phishing is a major threat because it is so simple.Often,we hear of large,destructive attacks that sound extremely advanced,beyond the comprehen����sion of security-minded individuals.I
27、t is important to remember the initial access is often acquired well before the incident occurs and may come from simple phishing campaigns that have no apparent connection to any advanced persistent th������reat group.In the aftermath,as these sophisticated attacks make the news,organizations should not
28、become so consumed with searching for specific indicators of compromise(IOCs)or malware that they ignore the emerging phishing threats.As threats increase in frequency and intensity,it is not only critical,but a fundamental necessity to protect and defend ������against daily emerging phishing attacks.Over
29、 the past decade,we have built an unrivaled standard of phishing expertise.Our goal is to contribute the phishing expertise necessa������ry to turn humans around the world i�����nto the strongest link in the security chain,and to translate the resulting human efforts into machine learning,phishing threat intel
30、ligence,and automated action(s).With our gl�����obal network of 35+million human reporters,we crowdsource millions of suspicious enterprise emails that are processed,enriched,and analyzed by our unique intel�������ligence insights.At times,even removing threats within seconds before users have the chance to int
31、eract with them.CISCOFORTINETGOOGLEMIMECASTMICROSOFTPROOFPOINTSYMANTECCredential PhishingBECMalwareThreat Unavailable8%8%8%23%5%7%8%2%5%2%1%11%2%3%26%31%19%16%21%21%29%64%56%71%60%63%70�����%60%FIGURE 3:PERCENTAGE OF MALICIOUS EMAILS MISSED BY SEG IN 2022Last year,we provided analysis on phishing threats
32、 with a 99.996%accuracy rate.Through our global network effect,we can identify trends and����� tactics and provide an understanding of what the phishing landscape will look like as we move forward in 2023.Our crowdsourced methodology provides an unparalleled aperture into the malicious emails that are re
33、aching enterprise inboxes.How did your SEG stack up?These are real threats detected by our Phishing Defense Center(PDC)that are bypassing your current email controls.BASED ON OUR INTELLIGENCE,THE TOP FIVE HIGHLIGHTS OF THE EMAIL SECURITY LANDSCAPE ARE:SECTIO������N 12023 Cofense Annual State of Email Secu
34、rity Report 5TOP FIVE Top Attack Vector in 2022:Credential PhishingIt was no surprise to see credential phish still rank as the leading threats seen by our Phishing Defense Center(PDC)customers.As one of the several collec�����tion inputs to Cofense Intelligence,its also no surprise to see an increase of
35、 478%of credential phishing-related Active Threat Reports published.This threat category still plays a significant role in the ransomware attack cha�����in,as well as BEC.Wait,BEC?How does that connect?When a user falls susceptible to a credential phish,while the password may h��������ave been reset,the threat a
36、ctor remains persist�����ent in the inbox by adding auto-forwar���ding rules for keywords related to financial transactions(i.e.invoice,purchase order,quote).These emails are then,in turn,used to target downstream organizations with BEC/Vendor Email Compromise threats.FIGURE 4:MALICIOUS THREATS OBSERVED BY
37、PDCBECCredential PhishingMalwareThreat Unavailable2021202210%3%61%26%7%3%67%23%TOP FIVE Emotet&QakBot Remain the Top Malware Families to WatchThroughout 2022,�����we analyzed and assessed top malware families seen in Figure 5.However,in this report,we wanted to provide a quick reference guide for underst
38、anding the malware families that made up the highest volume of phishing campaigns disseminated in 2022.There are several characteristics that can make a malware f�������amily more����� appealing to threat actors,such as the malware features,cost,and complexity.In combination,these properties determine how well
��������39、malware aligns to a threat actors agenda �����for a phishing campaign.Figure 5 shows the top 5 malware families in 2022.As one of the several collection inputs to Cofense Intelligence,its also no surprise to see an increase of 478%of credential phishing-related Active Threat Reports published.SECTION 120
40、23 Cofense Annual������� State of Email Security Report 6FIGURE 5:TOP 5 MALWARE FAMIL������IES IN 202201/20220050060002/202203/202204/202205/202206/202207/202208/202209/202210/202211/202212/2022EmotetFormBookAgent TeslaSnakeQakBot#OF MALWARE THREATS IDENTIFIEDThe continued position of Emotet(and conse
41、quently malware loaders,which are often the first stage of a compromise)at the top of the list is a testament to its outscaling of all other malware-delivery camp�����aigns.There was an overall increase in volume for keyloggers����� and Remote Access Trojans(RATs).Information stealers saw the largest increase
42、 with malware families like FormBook being high commodities in the phishing threat landscape.We continued to watch Snake Keylogger in 2022,which is a staple in the phishing threat landscape as it is a keylogger written in.NET.It can monitor a������ users keystrokes,scan applications to steal saved credent
43、ials,and exfiltrate this data through a variety of protocols.Although it is not as popular as other malware families such as FormBook or Agent T����esla,it did maint��������ain a significant presence throughout 2022,and its usage continues to increase.This banking trojan malware type passed RATs due to a high v
44、olume of QakBot phishing emails.Despite not ha��������ving as high of volume as others in the Top 5,Qakbot remains at the top of our list of families to watch since it has been far more successful at bypassing SEGs and reaching inboxes.FIGURE 6:MALWARE CHARACTERI������STICSMALWARE FAMILYINFORMATIONKEYLOGGINGREMOT
45、E ACCESSLOADER CAPABILITIESBACKDOOR CONTROLSEmotet/GeodoFormBookAgent TeslaSnakeQakBotWant more detailed insights on Emotet and QakBot?Make sure you read the strategic analysis starting on page 15!Figure 6 shows the most common characteristics of������ each malwar������e family and the capabilities that we obse
46、rved in phishing campaigns of malicio�������us emails that would hav������e reached inboxes.SECTION 12023 Cofense Annual State of Email Security Report 7TOP FIVE BEC Continues to be One of the Top Cybercrimes for the 8th Year in a Row Related to Financial LossesIn 2022,Business Email Compromise(BEC)continued to
47、be one of the leading cybercrimes related to financial losses for the 8th year in a row.With BEC responsible for billions in global losses with victims in 90%of the world,its no wonder scammers outside ������of Nigeria have started taking notice of the successes of BEC.While SEGs have evolved from spam fi
48、lters to now being used to detect and potentia��������lly block malware,malicious links,and ransomware attacks,many fail at detecting conversational-based phishing attacks such as this.Over the last year,BEC actors attacked with many different techniques,including requesting checks,wire transfers,payroll di
49、versions,and gift cards.While many of these techniques are nothing new,we have observed a continued blending of tactics to make detection and mitigation even more �����difficult for organizations.By using and blending these attacks,threat actors continue to bypass SEGs to manipulate users into sending bi
50、llions of dollars year after ye�����ar.Successfully Bypassing Two-Factor Authentication(2FA)to Gain Access to Accounts By putting the“compromise”in BEC,threat actors continued to use credential phishing attacks to gain access to organization inboxes to perform man-in-the-mailbox(MiTMbox)attacks.Once an a
51、ttacker gains access to an organizations email account,they will routinely create em����ail forward rules to monitor all traffic coming in and out of the account.In some cases,they will create rules that include the words“purchase order,”“invoic�������e,”or other financially based transactions between clients.
52、Once the threat actors identify an invoice or opportunity to re-route the transaction,the threat actors pounce,replying����� to the known and trusted email thread with new information.In some cases,this will come from a look-alike domain,and in other cases this will come from the compromised infrastructu
53、re itself.By modifying and forging invoices with new banking and account numbers,scammers are able to re-route business transactions and invoices to accounts under their control.Unfortunately,many of these attacks are caught too late for a successfu���l financial reversal.One of the best ways to mitiga
54、te against these attacks is to use two-factor authentication(2FA),as the requirement for a second piece of information makes it virtually impossible to log into an account without the second piece of information.However,i�������n 2022,M������icrosoft published a technique used by scammers called adversary-in-the
55、-middle(AiTM)that successfully bypasses 2FA authentication.Through hijacking the session cookie,BEC attackers are able to gain access to the users account.Payroll Diversion Atta����cks Still Flying Under the Radar“Are you in the office?I need to update my direct deposit.Can I provide a voided check?”is
56、still a techniqu������e used by BEC actors today.Dubbed payroll diversion scams,threat actors target Human Resources departments that have financial authority to change the financial records of employees.While attackers made a shift in mid 2014 to target enterprises and corporations,these attacks largely
57、go unreported due to the same stigmas and lower losses as gift card scams.We continued to trac������k wave after wave of payroll diversion attacks through our Cofense Reporter submissions from customers,meaning these attacks are still successfully bypassing email gateways.Are you in the office?I need to u
58、pdate my direct deposit.Can I provide a voided check?BEC THREA�������T TECHNIQUESECTION 12023 Cofense Annual State of Email Security R�������eport 8FIGURE 7:BEC DOMAINSFreeISPMobileSpoof81%14%3%2%Law Enforcements Takedown of CybercrimeAlthough BEC,ransomware,and other cybercrime operations carried on through 2022
59、,our research indicated that threat actors felt pressure from the arrests as law enforcement agencies worldwide made significant strides combating cyber threat actors.Authoriti�������es arrested individuals suspected of involvement in the LockBit ransomware and JabberZeus banking trojan operations.The FBI
60、infiltrated the Hive ransomware group starting in July,ultimately leading to the takedown of������� the entire operation in January 2023.Authori�������ties in several countries arrested dozens of suspected BEC perpetrators,as well.Ransomware attacks and payouts both trended downward compared to 2021.If authoritie
61、s continue to make high-impact ar����rests,we expect to see more downward pressure on phishing threats,as actors will be forced to adapt,harden their operations against intelligence efforts and/or decentralize.SCAMMING THE SCAMMERSTo dig deeper into this conversational tactic,we spent some time interact
62、ing with real emails reported by users.In phases one and two of a multi-part study into the criminal ecosystem of gift card attacks,we responded to BEC phishing attacks to gauge the level of interaction from the scammers.�������During �����this phase of the research,we wanted to see how many responses it took t
63、o identify the cash out method for BEC attacks.In phase one where we simply analyzed the delivery email,6%of the analyzed emails presented themes of gift cards in the initial phish.In phase two,we respo�������nded to the scammers to try and identify the phishing theme.In 22%of these cases,we w�������ere able to i
64、dentify gift card requests from the scammers.The significant jump signifies that for most gift card BEC attacks,scammers are looking for a response prior to asking for gift cards.Attackers St������ill Request Gift Cards in 2022 In part three of our gift card study,we launched a successful counter-operatio
65、n against BEC actors to better understand the gift card ecosystem plaguing ����organizations a������nd small businesses.Just like many types of BEC attacks,scammers pretend to be someone in the organization with authority,asking for a quick or urgent task to be done.Once the user confirms,theyre instructed to
66、 go to a retail store to purchase gift cards in diff�����erent denominations.In some cases,attackers request the users������ phone numbers to move the conversation outside of an organizations security structure and detection.But what happens when scammers ask for gift cards?And more importantly,what happens wh
67、en they receive gift cards?We took$500 dollars of gift cards and gave them to the scammers.We wanted to see what the conversations looked like,how quickly they were cashed out,and what insights we could gather from��� the research.Here is what we learned.For the research,we used$25 worth of gift cards
68、in each phish.While scammers typically asked for$500 or$1,000 dollars in gift cards,our researchers true intent was to get cards in larger denominations,such as$10��������0.It was surprisingly difficult to get the scammers to accept a$25 gift card as it broke their script and thought process for what was no
69、rmally received,causing them to question the legitimacy of the funds soon to be stolen.Secondly,once the cards were sent the entire workflow was 24 hours or less for the card to be stolen,sold,then re-laundered into purchasing other goods online.We identified toy stores,greetin������g card stores,Amazon,�������a
70、nd several other strange purchases once the cards were sold.What do you������ get when you analyze 10,000 email accounts used to send over 25,000 emails?You get visibility into which type of email accounts used by threat actors go undetected.Also noteworthy,we saw that nine different customers received an
71、 email from the same email address,which is clearly a spoofed domain.SECTION 12023 Cofense Annual State of Email Security Report 9TOP FIVE Web3 Technologies Used in Phis����hing Campaigns Increased 341%Its important for threat actors to carefully craft links or care��������fully select hosts for links in order
72、to bypass SEGs.The malicious use of Web3 technologies as a link-crafting tool for phishing campaigns exploded in 2022.“Web3”refers to a set of technologies intended to decentralize common internet and computing activity.Users of Web3 protocols host content collaboratively,which removes the need for�������
73、traditional hosting servers and makes censorship �������much more difficult.A fast-growing number of phishing campaigns used Web3 platforms to host malicious content throughout 2022,as evidenced by our strategic �������analysis,“Abuse of Web3 Technology for Evasive Phishing Grows Massively in 2022”.Overall,in 202
74、2 there was a 341%increase in Web3 Technologies used in phishing campaigns.Most browsers still require a“gateway”server to interact with Web3-������hosted content,which gives organizations a chance to dete����ct and block it.However,the technology will likely remain a useful weapon in threat actors arsenals f
75、or the foreseeable future.TOP FIVE Telegram������ Bots as Exfiltration Destinations Increased 800%Among phishing emails reaching inboxes over the course of 2022,the utilization of Telegram bots as exfiltration destinations for phished information increased gradually but significantly,resulting in a year-o
76、ver-year increase of mo�����re than 800%between 2021 and 2022.The increase is largely associated with the now popular tactic of using HTML attachments as deliv�������ery mechanisms in credential phishing.While Telegram bots being used by threat actors to exfiltrate information is not new,it has not been commonl
77、y known for its use in credential phishing.Telegram bots have become a popular choi������ce for threat actors,since they are a low-cost/free,single-pane-of-glass solution.Threat actors appreciate the ease of setting up bots in a private or group chat,the bots compatibility with a wide range of programming
78、 languages,and ease of integrations into malicious mediums such as malware or credential phishing kits.���Coupling the ease of Telegram bot setup and use with the popular and successful tactic of attaching an HTML credential phishing file to an email,a threat actor can quickly and efficiently reach inb
79、oxes while exfiltrating credentials to a single point,using an often-trusted service.Among phishing emails reaching inboxes over the course of 2022,the utilization of Telegram bots as exfiltration destinations for phished information incr�������eased gradually but significantly,result�����ing in a year-over-yea
80、r increase of more than 800%Overall,in 2022 there was a 341%INCREASE in Web3 Technologies used in phishing campaigns.between 2021 and 2022.2023 Cofense Annual State of Email Security Report 10SECTION 2Downstream Impacts,Rans����omwareThe FBIs 2022 ICS report states that phishing email i������s the top crime f
81、or ransomware that targets organizations around the world.Ransomware is a primary downstream impact from email-based thre�����ats.In one common scenario,other ����malware families are delivered initially to gain a foothold,then followed by installation of ransomware anywhere from hours to weeks later.In anot
82、her scenario,a credential phishing email campaign gives the threat actor credentials they can use to access systems to deploy ransomware directly.In both cases,it is important to look upstream at the chain of events that led to the ransomware and determin������e the payloads delivered within the email.In
83、2021,there were well-known instances of BazarBackdoor being used to deliver ransomware.However,in 2022 there was a combination of phishing threats and we cannot point to one single major malware used to deliver ransomware.Rather than focusing on the outcome such as ransomware,readers sho�����uld focus on
84、 credential phishing,delivery mechanisms,and the malware type known as“loaders”which can be used to deliver ransomware.It is preferred to use tools to help prevent the delivery of malicious-based emails.Opera�������tors of malware families like Emotet and Qakbot that offer the services of installing other
85、malware o��������n already-compromised computers(called“malware-installation as a����� service”)are prime options for ransomware operators to gain initial entry.These services become partner or“affiliates”in a ransomware operation.In November of 2022,Qakbot was identified as the primary malware foothold used by
86、the Black Basta ransomware gang.While it is critical to monitor for ransomware at the endpoint,security teams may reduce the frequency and impact of endpoint events by focusing on credential phishing������� and an early-stage malware from malicious email campaigns that can in turn be used to deliver ransom
87、ware.We analyze these threats at great lengths and provide unique human-vetted expertise and analysis with actionable insights.We treat each malware infection as a potential vector for futu������re ransomware attacks,reverse engineer the payloads and trace the steps that led to the infection to enable our
88、 customers to determine the flaws in their defenses and prevent phishing attacks.Using solutions such as Cofense Intelligence to help detect and prevent infections,w����h������ile training employees to recognize and avoid interacting with malicious content can provide an intuitive line of protection that mach
89、ines are n������ot capable of.Phishing tactics are always evolving a�����nd becoming more complex.Big Breaches Data breaches in 2022 seemed to come fast and furious,impacting several high-profile brands in the security sector including Cisco,Okta and LastPass.Large data breaches like this can be part of a cycl
90、ical pattern that involves phishing,since data breaches can begin with a phishing attack or contribute to future phishing activity.In May 2022,Cisco experience������d a������� cyberattack where the attacker had to go to extreme lengths to hack into an employees personal Google account that contained passwords sy
91、nced from their web browser.Besides the credential theft,there was an additional element of phishing called vishing(voice phishing)and multi-factor authentication(MFA)fatigue where the threat actor prompt bombs the user with a flood of user authentications in hopes they will enable the attacke�����r to g
92、ain unauthorized access.Once the threat actor has a foothold,they build their own backdoor accounts for access.In August 2022,the Okta event occurred where th�����reat actors obtained credentials and unauthorized access to Workforce Identity Cloud(WIC)repositories hosted in GitHub and copied source code.
93、Days after the Okta event,LastPass had �������an incident where credentials were obtained to extract information from a backup stored in a cloud-based storage service.The adversary copied customer vault data which was stored in a“proprietary binary format����”that contained unencrypted data,website URLs,userna
94、mes and passwords,secure notes,and form-filled data.In August 2022,LastPass incident opened the door to an �����even larger data breach in December which included user account infor�����mation,billing,email addresses,telephone numbers and IP addresses.LastPass big data breach affected users across their produ
95、������ct suite,eventually disclosing loss of source code.In 2022,threat actors used a combination of phishing threats and we cannot point to one single major malware used to deliver ransomware.SECTION 2PHISH SWIMMING IN MURKY WATERS 2023 Cofense Annual State of Em������ail Security Report 11SECTION 2When large
96、data breaches occur,it often results in the exposure of sensitive documents,personal information of employees or customers,and system,network,and application credentials.Compromised credentials may provide the threat actors responsible for the breach with temporary illicit access,but after t����he breac
97、h is discovered and/or publiciz�����ed,it is much less likely that the credentials for those specific accoun������ts will be useable.Instead,other sensitive and proprietary information(especially if published by the threat actors)can be employed in future phishing campaigns.Email addresses may be added to phis
98、hing target lists,and business process information may be used to craft targeted spear-phishing emails.Threat actors can al�����so use information obtained from data breaches to conduct future credential phishing attacks.Credential stuffing attacks use stolen credentials from one website or system to gai
99、n access to other websites/systems where the user has the same credentials.Threat actors then continue the train of impacts by once again using any discovered sensitive information such as conta�������ct lists,new credentials,and business processes to boost future phishing activity and attacks.World Events
100、 Many major events happened across the globe over the course of 2022.Threat actors use these events on the world stage to design phishing campaigns.The Russia-Ukraine War captured the attention of many over the course of 2022.Cofense I������ntelligence observed a variety of phishing campaigns using the Ru
101、ssia/Ukrain�����e conflict.Threat actors are weaponizing the conflict for financial gain by creating well-crafted credential phishing campaigns and donation scams.Threat actors using current events as themes within their email campaigns is quite common,and users should be universally vigilant against the
102、se threats.We have also seen a combination of lure tactics with a variety of emails using the Russia/Ukraine war as a lure reported to the Cof���ense Phishing Defense Center directly from enterprise users inboxes.Other major world events used in campaigns include the death of Queen Elizabet�������h II and the
103、 Beijing Winter Olympics.We observed that it is signifi�����cantly more likely a tried-and-true phishing themes will be used rather than a stand-alone current event theme(as actors use a combination of methods and tactics).There will always be attempts to convince the receiver their mailbox is full and t
104、heir password needs to be updated.Attached invoices of all sorts will make it to peoples inboxes,along with shipping receipt������s,deposit receipts and voicemails.These sorts of lures were in the background throughout the year.Threat actors will be opportunistic with world events,but there is typically n
105、o reason to change from the more traditional(and dependable)lures,especially as those method�������s have proven to work.We continu�������e to monitor phishing threats related to world events and will continue to identify malicious campaigns that are using the current events as a lure to target end users.Blockcha
106、in,Cryptocurrency and NFT PhishingBlockchain technolog����y and cryptocurrencies are a popular topic for the gener������al media,and consequently,a target for threat actors seeking financial gain.The blockchain is a public ledger used to store virtual currency secured by cryptography,or cryptocurrency.This ty
107、pe of digital currency differs greatly from legacy currency,such that banking controls for legacy currency make it difficult,if not impossible,for attackers to move currency out of an account.In contrast����,a crypto wallet can be emptied almost immediately and the funds are unrecoverable.Throughout 202
108、2,we observed crypto-themed emails and phishing campaigns see������king to obtain digital wallets that contain tokens,but these are not the only malicious purposes for the digital assets.Due to the less-than-secure account controls,cryptocurrency is commonly used as payment methods for ransomware and sext
109、ortion campaigns,as well as within advance-fee and romance scams.Certain malware families also seek to steal cryptocurrency wallet keys stored on infected machines,while others are designed to use an i������nfected machine to mine cryptocurrencies.T��������hreat actors use sensitive information such as contact li
110、sts,new credentials,and business processes to boost future phishing activity and attacks.2023 Cofense Annual State of Email Securit������y Report 12SECTION 2FIGURE 8:THE BLOCKCHAIN AND CRYPTOCURRENCIES IN PHISHINGSextortionAdvance-Fee ScamRomance ScamCRYPTO MALWARECRYPTO-THEMED PHISHING EMAILSEMAIL SCAMSF
111、INANCIAL FRAUDRANSOMWARE PAYMENTSThe Blockchain and Cryptocurrencies in PhishingWe analyzed an uptick in crypto phishing emails,��including one observation where threat actors used a convergence of crypto and the Russia/Ukraine war.The phishing email used the current Russia/Ukraine war as a lure to st
112、eal Bitcoin wallet data.We also detected another phishing threat spoofing OpenSea just days before ������they reported a successful attack that impacted seventeen users to steal over$1.7 million worth of non-fungible tokens(NFTs).This campaign used the ��������excitement of a sweepstakes prize to lure victims to
113、a spoofed OpenSea landing page.Threat actors used the domain“open-sia.io”to host the phishing page,which appears similar to the legitimate site.Once on the site,users were met with a spoofed OpenSea home page with the a������ddition of a prize NFT at the top of the page.Users were requested to connect the
114、ir wallet to claim the prize,even if it is already connected to their OpenSea account.Threat actors were seeking to gain access to a victims digital wallet by requesting they enter their private key,mnemon������ic phrase,or attach their keystore file.The email was strategically craft�����ed by threat actors an
115、d was successful in reaching enterprise users.Again,threat actors use multiple phishing methods to lure victims to obtain credentials for theft.Crypto tokens are fungible,meaning they can be bought and traded several times much like a company stock.NFTs are also stored o�����n the blockchain but are non-
116、fungibl������e,and they are often defined as one-of-a-kind tokens that can be depicted by anything digital such as a drawing or animation.Cryptocurrency and NFTs have both become a way to make pur�������chases,exchange currency,and invest.Organizations and users often exchange cryptocurrency and NFTs through onl
117、ine platforms like OpenSea or Coinbase.Many crypto-and NFT-themed phishing emails we have seen can be classified as credential phishing and are oft�������en finance-themed.Threat actors will spoof secure online platforms and even include links to domains they have registered that appear similar to legitima
118、te sites.The overall goal of these campaigns is to gai������n access to a users digital crypto wallets or NFTs,which are often acco������mplished by compromising login credentials,private wallet keys,security phrases,and keystore files.As a comparison,using SWIFT to send a bank wire can have some success in rec
119、overing a wayward wire sent to the wrong account number.This is not the case for digital assets;once tokens are sent to a new wallet,the assets are not recoverable.Thi����s greatly increases the appeal of these attacks for the financially ������motivated threat actor.Crypto Phishing has seen a spike due to th
120、e transition from private individual use to increases in corporate and investment use.Once tokens are sent to a new wallet,the assets are unrecoverable for the financially motivated threat actor,which greatly increases the appeal of future attacks.2023 Cofense Annual State of ������Email Security Report 1
121、3SECTION 2Energy Sector(Critical Infrastructure)on High AlertEnergy companies and other critical infrastructure organizations were on high alert in 2022,following a series of high-profile ransomware and phishing email-based at�������tacks observed in the previous year.Although they remained prime targets f
122、or high-volume credential phishing campaigns th������roughout the year,fewer organizations were breached compared to 2021.We tracked an advanced campaign in 2022 that targeted the energy sector with the majority of its emails.The threat actors used chemical supply companies as themes or spoofed senders��.We
123、 reported that 100%of the observed emails spoofing or themed ar������ound chemical supply targeted the energy sector.Malicious HTML AttachmentsFrom 2021 to 2022 we observed an increase of over 300%in HTML files delivering malware.This was particularly driven by QakBot,which used HTML files that were eithe
124、r attached or downloaded via �����links embedded in the email in many of its campaigns.QakBots last campaign using Office macros was mid 2022,but QakBot threat actors began experimenting before that������� point with other delivery mechanisms,particularly HTML files,in early Q2 of 2022.Overall usage of HTML fil
125、es as a delivery mechanism started to ramp up in early March,which coincided with Microsofts announcement that macros would be disabled in����� its Office products.In addition to their increasing use in malware delivery,HTML files also continued to be used to deliver������ credential phishing throughout the ye
126、ar.In total,we observed a 295%increase in the use o��������f malicious HTML files across both malware delivery and credential phishing throughout th����e year.FIGURE 9:USE OF HTML ATTACHMENTS IN MALICIOUS EMAIL CAMPAIGNSJAN00500600FEBMARAPRMAYJUNEJULYAUGSEPTOCTNOVDEC20212022In total,we observed a 295
127、%increase in the use of malicious HTML files across both malware delivery and credential phishing throughout the year.2023 Cofense Annual State of Email Sec����urity Report 14SECTION 2Adobe is the Top Domain Abused to Deliver Phishing EmailsIn 2022,Cofense Intelligence reported that the abuse of hosting
128、 providers to deliver malicious files has b����ecome a popular method for threat actors to bypass security and deliver malware in credential phishing attacks as seen in Figure 10.It is common to see trusted cloud providers l����ike Amazon AWS,Google,SharePoint,and other well-known organizations such as Adob
129、e abused by threat actors.Lately,a wider variety of ������less-common hosting providers have been seen.In some cases,fake providers have been created by threat actors such as C domains.Threat actors abuse legitimate services such as Dropbox,DocuSign,and other legitimate and trust����ed domain names in order t
130、o ensure malicious emails reach inboxes.FIGURE 10:TOP DOMAINS ABUSED IN PHISHING EMAILS REACHING INBOXESADOBE5.52%4.15%3.60%1.32%1.26%1.16%�������1.08%1.02%0.93%0%1%2%3%4%5%6%SHAREPOINTGOOGLECANVAAMAZON AWSEVERNOTEDROPBOXBOXMICROSOFT CLICKFUNNELS0.88%FIGURE 11:TOP LEVEL DOMAINS(TL������DS)USED IN CREDENTIAL PHIS
131、��������HING IN 2022COMNETORGIOCOCOM.BRMSINXYZME0%10%20%30%40%50%60%54.28%7.23%2.45%2.33%2.05%2.00%1.29%1.26%1.24%1.22%2023 Cofense Annual State of Email Secu�������rity Report 15SECTION 2Top Malicious Attachment Types Reaching InboxesCofense Intelligence identified file attachments such as.pdf,.html,and.htm,as th
132、e top 3 file extensions on email attachments that reached us������ers in SEG-protected environments as seen in Figure 12.In Q4,for the first time in quite a while,.pdf no longer made up more than.htm and.html files combined,as overall HTML attachment usage rose to 44.97%of the total.The file extensions of
133、.pdf,.html,.htm,.shtml,and increasingly.xlsx are typically used for ������credential phishing.It is i�������mportant to note that.pdf and.xlsx files will contain links to credential phishing pages,while.html,.htm,and.shtml will either present a credential phishing page when opened or automatically redirect to on
134、e.Next,the file extensions in the top 10(.docx and.xlsx)were most often used to deliver malware via a known vulnera���bility and bug called Microsoft Office Memory Corruption Vulnerability(CVE-2017-11882)that allows the attacker to perform arbitrary code-execution.Also,.docx and.xlsx have been seen in
135、malicious Office macros as this approach is easy to execute and has extremely low barriers t��������o entry which remains a method to watch in 2023.We have identified that.docx and.xlsx have been seen delivering small volumes of credential phishing via embedded URLs.The archive compressed file name in the t
136、op 10(.zip)was used to deliver such a wide variety of malware and phishing that i�������t is impossible to narrow it down t�������o a single most commonly delivered threat.FIGURE 12:TOP ATTACHMENT TYPES USED IN PHISHING EMAILS REACHING INBOXES.pdf.html.htm.docx.zip.shtml.xml.xlsx.shtm.ics42.96%25.47%15.10%0%5%10%
137、15%20%25%30%35%40%45%50%2.92%2.86%1.62%1.50%1.29%��������0.67%0.59%Emotet Phishing Emails Exploit 2022 Tax Season,Spoofing IRSDuring the 2022 tax season,Emotet consistently employed financial themes in its phishing campaigns and has exploited the arrival of the United States tax season to construct emails t
138、argeting end users who need to file tax returns.In March 2022,Cofense Intelligence observed phishing emails using W-9 tax form lures to deliver Emotet payloads.In past years,we reported on Emotet takin�����g advantage of tax season to deliver W-9 themed malicious documents;in 2022,the tactic was further
139、improved.Emotet operators started to include the United States IRS logo,������a specific mention of the organization employing individual recipients,and a password to access the attached password-protected archives.When the Office macro-laden spreadsheets enclosed in the password-protected archives were o
140、pened,a request to enable macros is presente������d to the user,and if they accept/allow macros ����to be enabled,Emotet.dll files are delivered to the victims computer.2023 Cofense Annual State of Email Security Report 16SECTION 2Return of Emotet Phishing Emails In the beginning of Q3,we saw large volumes of
141、 Emotet emails,until around mid-July when the campaign activity ceased.L�������ater in October and November,we saw a sudden increase in Emotet C2 traffic.Emotet began send����ing malicious emails after three months of relative inactivity.It is suspected that Emotet authors were using their downtime to make sig
142、nificant changes intended to improve the effectiveness of their malware delivery campaigns.In the past,Emotet authors have been k����nown to make significant changes to the malwares delivery methods before coming back from extended hiatus.Malware Foothold:QakBotCofense Intelligence identified QakBot as
143、one of the malware families to watch in 2022.Throughout the year,it was the top malware family seen in phishing emails reported to the Cofense Phishing Defense Center(PDC)from inboxes.The success rat������e of the phishing emails reaching enterprise inboxes can be attributed to the use of hijacked email t
144、hreads and embedded URLs,among other tactics,techniques,and procedures that are known to aid in bypassing security.In Q3 of 2022,threat actors using the new version 5 of QakBot made several changes�������� to their phishing tactics.The most notable new tactic employs attaching malicious HTML files to delive
145、r the payload.This new tactic does not utilize an embedded payload or redirect URL,as typical of most malicious emails delivering via HTML file attachments.Instead,the malicious payload is hardcoded into the HTML file,dropping when the HTML is executed inside the browser.This makes the de����livery mech
146、anism versatile and stealthy.The HTML file drops the payload locally����� without having to reach out to an external resource.QakBot continues to evolve defensive mechanisms against malware analysis,and phishing emails delivering QakBot continue to successfully reach inboxes.This makes QakBot the malware
147、 family to continue to watch,especially since a successful QakBot infection can lead������ to more costly threats like ransomware.The QakBot banking trojan,also known as QBot or Pinkslipbot,was first released in 2007 and has become a prominent threat that is effective at reaching users inboxes.Throughout
148、2022,we saw QakBo�����t campaigns go to extensive lengths to bypass security measures,avoid detection,and obstruct analysis ta������ctics.The most notable changes were to the delivery of the malware,but we also saw the malware itself receive updates particularly to the command-and-control servers when QakBot u
149、pdated to version 5 in September.JANFEBMARAPRMAYJUNEJULYAUGOCTDECSEPTNOVQakBot undergoes its first major change in delivery mechanism since 2022 and begins to use Microsoft Windows Ins������taller files(.MSI)CVE-2022-30190 also known as the Follina exploit was abused in phishing emails delivering QakBotTh
150、e QakBot malware receives updates,the new variant is referred to as versi�������on 5QakBot phishing campaigns begin to use LNK shortcut files(.LNK)QakBot phishing emails begin to use HTML smuggling to deliver the malwareFIGURE 13:QAKBOT MALWARE F�������AMILY TIMELINENear the beginning of 2022,Microsoft announced
151、they will be changing the default Office settings to block Visual Basic for Applications(VBA)mac������ros from files downloaded from the internet which was expected to disrupt malicious use of the macros.As such,we saw major malware families such as QakBot seek new delivery mechanisms.More p��������articularly,Qa
152、kBots delivery methods changed drastically for the first time since June 2020.QakBot operators tried several new delivery mechanisms to deliver and install their malware;Microsoft Windows Installer(M������SI files),LNK shortcut files,the Follina exploit(CVE-2022-30190)an�����d HTML smuggling.2023 Cofense Annua
153、l State of Email Security Report 17SECTION 2Noteworthy MentionsPhishing Attacks Supported by Illicit Marketplaces “Phishing as a Service(PaaS)”For years,illicit online marketplaces have been a critical part of the phishing thr����eat landscape,allowing threat actors to buy and sell access to compromised
154、 accounts and servers to phishing activity.This reality continued throughout 2022,as phishing threat actors presented a consistent demand for compromised email accounts and websites.As an illustration,we conducted a focused study of several publicly available online shops running a pl�������atform named Of
155、ux,which offers everything a phishing threat actor might need:email send����ing capability,access to websites for hosting malicious content,and access to hacked individual email accounts.Threat actors who compromise accounts and websi������tes may choose not to expand their efforts into phishing or spam opera
156、tions,but these marketplaces still give them a chance to monetiz����e their work.Meanwhile,buyers can take advantage of access to reputable assets at low prices.Further,the�����“Phishing as a Service”business model provides phishing kits and cybercriminals as a managed service for threats in todays marketpla
157、ce.Phishing cam������paigns that use such legitimate but compromised assets are more likely to reach targeted users,highlighting the need for robust email defenses,and even stronger employee/user education.Conti Leaks Demonstrated Importance of Phishing in Ransomware OperationsCofense Intelligence provide
158、d analysis on the Conti Ransomware Gang Leaks in 2022,which became a valuable resource for security researchers.The leaks could also be used by threat actors with a desire to emulate Conti activity.Seeing the strategies,tactics,resources,profits,and daily discussions of a �������premier ransomware group co
159、uld demystify their activities and convince others that a similar operation is feasible.The Conti leaks bore several important lessons for those defending against both ransomware and phishing.For us,the combined takeaway of these lessons is that phishing was central to Contis success.At the t�������ime of
160、the leaks,they were continuin������g to invest massive resources into it as a pillar of their lucrative ra����nsomware operation.Conti paid operators of malware such as Emotet and Trickbot to conduct phishing campaigns and establish footholds in target organizations before distributing those footholds to a te
161、am of hackers who specialize in expanding access.Some of Contis specialists were involved in crafting semi-random phishing templates to increase vi����ctim click rates.Conti members and affiliates were thoroug������hly attentive to email security measures and tested to make sure their emails reach inboxes on
162、popular platforms.Contis phishing and intrusion operators are taught to pay attention to cybersecurity research on their own activity.This could potentially motivate new ransomware operators ����to enter the landscape,improve the operations of existing low-level ransomware operators,and/or entice recrui
163、ts to join phishing operations that support ransomware.The leaks may also cause existing threat actors to become more concerned with the security of their operations.2023 Cofense���� Annual State of Email ������Security Report 18SECTION 2FIGURE 14:OPERATE AS BUSINESS TOP TO BOTTOM MODELDEPARTMENTDESCRIPTION C
164、-SUITESets design and targets businesses EASTERN EUROPE,WEST AFRICA IT WINGCarries out hacking,malware,email �������monitoring GLOBAL HR/RECRUITMENTRecruits IT wing,financial actors EASTERN EUROPE,WEST AFRICA FINANCE/BANKINGSets process for wire transfers and money laundering GLOBAL,LOCAL ENFORCERSEnsures
165、financial cooperation and following of orders GLOBAL ADMINSMaintain shell companies and legitimate business liaisons LOCAL BURN PARTYAfter successful schemes,ente����rprise burns all materials GLOBALSource:US Secret ServiceWhaling in Bulk Targeted phishing efforts against executives and other high-profi
166、le individuals are often referred to as“whaling”within the security industry.While“whaling”emails can be extremely customized for a single individual,they can also be conducted in bulk with a considerable failure rate,but with minimal effort in hopes that one email will be������ successful.As a prime exam
167、ple,we reported on a credential phishing campaign that spoofed DocuSign and bypassed SEGs in 2022.Through initial collaboration with Cofense Intelligence customers and������� subsequently with the Cofense Phishing Defe��nse Center(PDC),we determined that it was a whaling campaign to exclusively target execut
168、ive-level employees,primarily CFOs.Emails from the campaign were sent to executives with the CFO title,but were also seen targeting CEOs,directors,and board members.The campaign targeted ����indivi�����duals in the insurance,real estate,manufacturing,professional services,and mining sectors.The emails spoofe
169、d DocuSign and cl����aimed to deliver documents related to settlement ����agreements and other financial documents.2023 Cofense Annual State of Email Security Report 19SECTION 2Industry OverviewHEALTHCARE Hit hard with BEC Resilience is a bit lower than the overall average.This workforce tends to be more li
170、kely to access email via mobile devices,with a lag in reporting time.FINANCIAL SERVICES Greatest visibility across simulation and threats seen by PDC Highest resiliency rate for simulations,driven by a mature reporting culture Highly regulated,driving scenario frequencyUTILITIES The second ������highest t
171、hat observed threat unavailable,which aligns with the geofencing or restricted user �����agents as this industry saw increased threats related to political tensions.PROFESSIONAL Highest BEC 3x the overall average Significant increase in BEC threats over previous year Resiliency rate is almost a point low
172、er than the overall rateREAL ESTATE Hit hard with credential phish 6 percentag����e points above the overall average One of the lowest gro�������ups experiencing BEC,but with the nature of their business model,more likely seeing more via SMS requestsGOVERNMENT Credential phish and BEC top the category most see
173、n by this industry2023 Cofense Annual State of Em������ail Security Report 20SECTION 2FIGURE 15:COFENSE PHISHING DEFENSE CENTER INDUSTRY TRENDSCredential PhishingBECMalwareThreat UnavailableADMINISTRATIVEUTILITIESTRANSPORTATIONTRADERETAILREAL ESTATEPUBLICPROFESSIONALMININGMANUFACTURINGINFORMATIONHEALTHCAR
174、EFINANCIALSERVICESEDUCATION5%45%7%43%11%64%3%22%7%6��������0%4%29%21%58%2%19%5%59%4%3��������2%9%61%2%28%6%64%3%27%30%51%1%18%12%79%0%9%3%74%2%21%7%67%2%24%7%66%5%22%7%72%2%19%3%50%10%37%SusceptibleReport%ResiliencyACCOMMODATIONADMINISTRATIVEAGRICULTURECONSTRUCTIONEDUCATIONENTERTAINMENTFINANCE AND INSURANCEHEALTHCA
175、REINFORMATIONMANAGEMENTMANUFACTURINGMININGOTHER SERVICESPROFESSIONALPUBLICREAL ESTATERETAILTRADETRANSPORTATIONUTILITIES5%14%11%13%15%20%16%21%39%25%26%24%32%36%8%9%8%9%18%10%9%13%8%15%9%10%8%10%�����6%5%31%31%26%28%24%29%27%21%19%36%2.63.1.05.04.041.34.32.22.63.72.70.62.61.73.02.43.32.45.56.6FIGURE 16:SI
176、MULATION INDUSTRY TRENDS2023 Cofense Annual State of Email Security Report 21SECTION 3How to Enhance your Email Security With the increase in ransomware,nation state �������attacks,and major incidents in general,pressure continues to drive visibility of an organizations Information Security program by boar
177、ds,corporate executives,and cyber insurers.With this pressure,organizations continue to evaluate ways to mitigate r������isk and assess what controls need to be added or enhanced.By adding controls to their email security program,organizations can raise their overall security p���������osture.We observed that cust
178、omers with a full End-to-End Email Security solution,as seen in Figure 17,have a resilience rate double that of customers with simulat������ion-only programs.We continue to encourage organizations to align their simulation program to threats making it past their SEG and landing in inboxes.With credential
179、phish continuing to lead the way for real phishing threats,organizations continue to experience an i����ncreased appetite for use of real-life simulations.Last year,we reported only 29%of scenarios used a credential threat,while this y�������ear this category increased to 34%of scenarios.We also observed a sli
180、ght increase in attachment scenarios.This too aligns with the threats we observed as���� threat actors continue to leverage.html/.htm files that are difficult to block.FIGURE 17:END-TO-END EMAIL SECURITY VS SIMULATION ONLYP��������HISHME ONLYEND-TO-END EMAIL SECURITYSusceptibility RateReport RateResiliency Rate
181、11%25%8%2430%FIGURE 18:RESILIENCY B�������Y THREAT TYPEATTACHMENTURLCREDENTIAL13%26%7%29%2%24%Susceptibility RateReport RateResiliency Rate2410 SECTION 3SO NOW WHAT?With credential phish continuing to lead the way for real phishing threats,organizations continue to experience an����� increased appetite for use
182、of real-life simulations.La�������st year,we reported only 29%of scenarios used a credential threat,while this year this category increased to 34%of scenarios.PDC customers are 2x as resilient as customers who use PhishMeWith credential phish as the top threat,according to our simulations,youre more resili
183、ent to this threat type.2023 Cofense Annual State of Email Securit�������y Report 22SECTION 3FIGURE 19:SCENARIO TYPE USAG�������E BY YEARATTACHMENTURLCREDENTIAL2022202113%12%54%59%34%29%Still need more recommendations to enhance your program and strengthen your reporting culture?Lets review the use case detailed
184、in Figure 20 below.This organization in Figure 20 started running its simulation program in 2019 but wanted s������tep up the reporting culture.The program operator engaged our Professional Services team to identify real phish that were already being reported by users to use for their simulation campaigns
185、.The team launched a 5-day phishing simu�����lation bootcamp to bolster reporting among users that were not actively using the Reporter button.Over the year,the team also adopted a new hire simulation program and addressed repeat clickers.As you can see from the results in Figure 20,not only did they red
186、uce their susceptibility rate,but their reporting rate �����had a double-digit increase.What you cant see from these numbers ������is the effect this had on reducing the amount of non-malicious emails being reported,such as spam and business communications.Why is this a big deal?Ask your SOC!FIGURE 20:YEAR-OVE
187、R-YEAR RESILIENCY IMPROVEMENTMETRICS20222021RESILIENCY5.133.59SUSCEPTIBILITY8%10%REPORTI�������NG42%29%What you cant see from these numbers is the effect this had on reducing the amount of non-malicious emails being reported,such as spam and business communications.Why is this a big deal?Ask your SOC!2023
188、Cofense Annual State of Email Security Report 23SECTION 3Malware Remove local admin rights.Without the ability to run code locally,this will reduce the risk of malware executing if the user interacts with a malicious file or������ website.Attachments Threat actors continuously tune their tactics to land i
189、n the inbox and the same holds true with file attachments.As technology controls implement new configurations to block file types used by threat actors,they pivot to something new.Block malicious file types.This list continues to expand as threat actors leverage new file types to land in the inbo�������x.D
190、oes your organization need to accept.html/.htm files externally?Who sends OneNote files externally?PDFs.This used to be the“safe”file type.No longer.Not only do threat actors embed links to login pages to steal credentials,we now observe PD�����Fs delivering malware via a chain of links embedded within t
191、he PDF document.Credential Phishing Disable auto-forward������ing rules across the organization.Unable to fully block?Review rules to work with the business to allow exceptions for legitimate business needs.Resetting a users credentials due to a recent campaign?Check the auto-forward rules and remove rogu
192、e rules potentially set up by threat actor.Continue to increase the cadence of simulation scenarios using this threat type.Its not always easy to coordinate these campaigns but think of it as a tabletop exercise!Cust������omize your Microsoft landing page with your company logo.Communicate to the organiza
193、tion to report any landing pages that dont fit the corporate branding standards.Enable MFA.Enhance the authentication experience to help users avoid����� MFA exhaustion.Microsoft recently provided additional enhancements for this very reason number matching and location of request.BEC/Vendor Email Compro
194、miseThis threat type is very difficult to simulate.Even when you make efforts to simulate something similar to what your organization might experience,you run the risk of overburdening your executive team that may need to respond to users trying to verify if they sent the email.Ask your CEO an�����d othe
195、r senior executives to talk about this threat in company all-hands meetings and inform the company they w�������ill never ask for“special favors”or gift card purchases.Send newsletters with real examples of phishing messages reported��� by users.Peer recognition can go a long way!Collaborate with your finance
196、 team to review and update processes related to vendor master changes related to the banking informat���������ion.Many SEGs allow configuration settings that will allow increased protections by blocking executive spoofing or allowing free email account domains.Do you need to allow accounts to send external e
197、mail?REPORT!Report any losses to law enforcement.No matter the size of the loss,its critical to report these incidents.The US Secret Service established a Global Incident Opera������tions Center(GIOC),specific to BEC,to bring charges against these threat groups.Its been reported that a small$4,000 loss wa
198、s able to be matched against a larger crime.Time is of the essence.If the loss is reported within 24 hours,the likelihood of reclaiming even a portion of the loss increases.Checklist:Protect Your Organization from Top Threats2023 Cofense���� Annual State of Email ����Security Report 24CONCLUSIONAs the threa
199�����、t landsc��������ape continues to evolve and threat actors continue to find more sophisticated ways to bypass standard email security solutions,your organization needs the resources that can enable them to identify,protect,detect and respond to all email security threats.And thats exactly our mission.Cofense
200、 was built on the foundation that humans are critically �����important to your security program.Threat actors are constantly targeting peoples hopes,fears,emotions,struggles and sympathies,to trick them into divulging their credentials.If your employees arent trained properly,divulging these credentials
201、opens your company to ransomware,malware and many other potential threats.Thats why it all starts with providing them with REAL simulations that replicate the REAL threats hitting their inboxes and putting tools in their fingertips to report those quickly and easily.Once thes������e malicious or sus�����piciou
202、s em�����ails are reported,we analyze these threats at great length and provide intelligent,human-vetted expertise and analysis with actionable insights.We treat each malware infection as a potential vector for future ransomware attacks,r������everse engineer the payloads and trace the steps that led to the in
203、fection to enable our customers to determine the flaws in their defenses and prevent phishing attacks.That intelligence,combined with our global network of more than 35+million human reporters,enables us to have unique insights into email threats targeting your organization.Som������etimes even detecting
204、and removing advanced attacks BEFORE they reach your inbox.How,you ask?With our real-time,crowdsourced intelligence.If a malicious email is �����reported by a user in our global network,it can then be automatically quarantined from other inboxes,highlighting the power of the network e����ffect.Cofense email
205、security expertise is built on human experience with millions of suspicious and malicious emails.These emails are crowdsourced from professionals all around the world,processed,enriched,and������� analyzed to provide a unique view of what the phishing landscape looks like as we move forward into 2023.This
206、crowdsourced methodology provides Cofense an unparalleled aperture into t����he malicious emails reaching enterprise inboxes,providing customers the opportunity to react.We������� know that phishing tactics are always evolving and becoming more complex.So,our Cofense Intelligence provides a human-vetted layer
207、t������o pinpoint the actual phishing emails out of the noise of suspicious-looking spam,rank those threats,and provide the automation to remove those phishing emails within seconds or minutes of reaching the inbox.Looking a�������t 2023 and beyond,we know email will continue to be one of the top attack vectors
208、for cyber threats,and we are committ������ed to providing best-in-class email security to keep our customers secure.With the only end-to-end email security solution powered by global intelligence from 35+million human reporters,AI and machine le����arning,our solutions are made to evolve with the ever-changin
209、g landscape.To meet those demands,we continue to enhance our APIs,while als������o expanding our integration partnerships,allow�����ing you to quickly identify threats hitting the inbox and moving those IOCs to your other controls to defend against the adversary quickly.As we continue to integrate with world-c
210、lass partners around the globe,we couldnt be more excited to build on our 2022 momentum as we continue to strengthen our portfolio of email security solutions.Cofense email security expertise is built on human experience with millions of suspicious and malici�����ous emails.These emails are crowdsourced
211、from professionals all around the world,processed,enriched,and analyzed to�������� provide a unique view of what the phishing landscape looks like as we move forward into 2023.This crowdsourced methodology pro�����vides Cofense an unparalleled aperture into the malicious emails reaching enterprise inboxes,provid
212、ing customers the opportunity to react.2023 Cofense Annual State of Email Security Report 25APPENDIXList of FiguresFigure 1:Top Themes in Active T�������hreat Reports .3Figure 2:Active Threats Removed from Employee Mailboxes:17,133 .3Figure 3:Percentage of Malicious Emails Missed by SEG in������� 2022 .4Figure 4:
213、Malicious Threats Observed by PDC .5Figure 5:Top 5 Malware Families in 2022 .6Figur������e 6:Malware Characteristics .6Figure 7:BEC Domains .8Figure 8:The Blockchain and Cryptocurrencies in Phishing .12Figure 9:Use of HTML Attachments in Malicious Email Campaigns .13Figure 10:Top Domains Abused in Phishin
214、g Emails Reaching Inboxes .14Figure 11:Top Level Domains(TLDs)Used in Credential Phishing in 2������022 .14Figure 12:Top Attachment Types Used in Phishing Emails Reaching Inboxes .15Figure 13:Qakbot Malware Family Timeline .16Figure 14:Operate as Business Top to Bottom Model .18Figure 15:Cofense Phishing Defense Center Industry Trends .20Figure 16:Simulation Industry Trends .20Figure 17:End-t���������o-End Email Security vs Simulation Only .21Figure 18:Resiliency by Threat Type .21Figure 19:Scenario Type Usage by Year .22Figure 20:Year-Over-Year Resiliency Improvement .22COFENSE.COM
sgpjbg002
工作日 8:30 - 17:30
报告分类
