Hackers use Russian domains to launch complex document-based phishing attacks
- Data exfiltration tactics are shifting towards Russian domains
- Remote access trojans see a 59% increase in phishing emails
- Malicious emails now bypass secure gateways every 45 seconds
New research has revealed a significant increase in malicious email activity and a shift in attack strategies.
On average, at least one malicious email every 45 seconds bypasses Secure Email Gateways (SEGs) such as Microsoft and Proofpoint, marking a notable increase from last year’s Cofense Intelligence Q3 figure of one every 57 seconds. Trend report showed.
There has been a sharp increase in the use of Remote Access Trojans (RATs) that allow attackers to gain unauthorized access to a victim’s system, often leading to data theft or further exploitation.
Increase in the use of Remote Access Trojan (RAT).
Remcos RAT, a commonly used tool among cybercriminals, is a major culprit in the rise of RAT attacks. It enables remote control of infected systems, allowing the attacker to exfiltrate data, deploy additional malware, and gain permanent access to compromised networks.
Open redirects as a technique in phishing campaigns are also gaining prominence, as the report shows that their use has increased by 627%. These attacks exploit the functionality of legitimate websites to redirect users to malicious URLs, often masking the threat behind known and trusted domains.
TikTok and Google AMP are often used to carry out these attacks, taking advantage of their global reach and frequent use by unsuspecting individuals.
The use of malicious Office documents, especially those in .docx format, has increased dramatically by almost 600%. These documents often contain phishing links or QR codes that direct victims to malicious websites.
Microsoft Office documents remain a popular attack vector due to their widespread use in corporate environments, making them ideal for targeting organizations via spear-phishing campaigns.
Additionally, there has been a significant shift in data exfiltration tactics, with increasing use of .ru and .su top-level domains (TLDs). Domains using the .ru (Russia) and .su (Soviet Union) extensions saw usage spikes of more than fourfold and twelvefold, respectively, indicating that cybercriminals are turning to less common and geographically associated domains to evade detection and making it more difficult for victims and security teams to track data theft activities.