The Better the Phishing Protection Gets, the More Sophisticated Phishing Attacks Are Getting

Digital security lockMicrosoft’s review of how phishing has evolved over the last year highlights some of the great lengths attackers will go to in order to avoid being detected as a phishing campaign.

When you think about a phishing campaign, the obvious simple scenario likely comes to mind: an email containing a malicious executable attachment is presented to a user containing some form of social engineering scam to get the user to engage with the attachment.

But most phishing emails that fit the description above are flagged by security solutions well-before the ever see the light of an Inbox. And so, attackers have had to become very crafty, looking for ways to get a seemingly benign email all the way in from of the intended potential victim without triggering any alarms.

According to a Microsoft blog covering some of the innovative ways they’ve seen phishing attacks evolve over the last year, and shared some of the more notable attacks, including:

  • Pointing email links to fake google search results that point to attacker-controlled malware-laden websites
  • Pointing email links to non-existent pages on an attacker-controlled website so that a custom 404 page is presented that can be used to spoof logon pages for legitimate sites
  • Spoofing company-specific Office 365 sign-in pages to look so realistic that users would give the logon page a second thought

These advancements in the way attackers are thinking about phishing to facilitate endpoint infection or credential theft make it necessary for organizations to no longer consider their security solutions as their only line of defense. Users must become the last line of defense, playing a role in organizational security. Through continual Security Awareness Training, users can become familiar with phishing tactics, and be trained to have an “always-suspicious” mindset when interacting with email or the web.

For more on Microsoft’s findings on the latest evolution of phishing, click here.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe To Our Blog

Ransomware Hostage Rescue Manual

Get the latest about social engineering

Subscribe to CyberheistNews