Microsoft’s review of how phishing has evolved over the last year highlights some of the great lengths attackers will go to in order to avoid being detected as a phishing campaign.
When you think about a phishing campaign, the obvious simple scenario likely comes to mind: an email containing a malicious executable attachment is presented to a user containing some form of social engineering scam to get the user to engage with the attachment.
But most phishing emails that fit the description above are flagged by security solutions well-before the ever see the light of an Inbox. And so, attackers have had to become very crafty, looking for ways to get a seemingly benign email all the way in from of the intended potential victim without triggering any alarms.
According to a Microsoft blog covering some of the innovative ways they’ve seen phishing attacks evolve over the last year, and shared some of the more notable attacks, including:
- Pointing email links to fake google search results that point to attacker-controlled malware-laden websites
- Pointing email links to non-existent pages on an attacker-controlled website so that a custom 404 page is presented that can be used to spoof logon pages for legitimate sites
- Spoofing company-specific Office 365 sign-in pages to look so realistic that users would give the logon page a second thought
These advancements in the way attackers are thinking about phishing to facilitate endpoint infection or credential theft make it necessary for organizations to no longer consider their security solutions as their only line of defense. Users must become the last line of defense, playing a role in organizational security. Through continual Security Awareness Training, users can become familiar with phishing tactics, and be trained to have an “always-suspicious” mindset when interacting with email or the web.
For more on Microsoft’s findings on the latest evolution of phishing, click here.