Attackers exploit email forwarding rules to compromise accounts

Detections for malicious email forwarding rules have risen by nearly 600 percent in 2023, as adversaries compromised email accounts, redirected sensitive communications to archive folders and other places users are unlikely to look, and attempted to modify payroll or wire transfer destinations, re-routing money into the criminal’s account.

This is one of the findings in the latest Threat Detection Report from Red Canary. Half of the threats in the top 10 leverage malvertising and/or SEO poisoning, occasionally delivering ransomware precursors that could lead to a serious attack if not detected.

The report also finds that cloud account compromise was the fourth most prominent attack technique, rising from 46th in 2022, with detection volume increasing 16-fold and three times as many customers affected in 2023 as in 2022.

Red Canary notes several broader trends impacting the threat landscape, such as the emergence of generative AI, the continued prominence of remote monitoring and management (RMM) tool abuse, the prevalence of web-based payload delivery like SEO poisoning and malvertising, the increasing necessity of MFA evasion techniques, and the dominance of brazen but highly effective social engineering schemes such as help desk phishing.

“The top 10 threats and techniques change minimally year over year, so the drift that we’re seeing in the 2024 report is significant. The rise of cloud account compromises from 46 to number four is unprecedented in our dataset — and it’s a similar story with email forwarding rules,” says Keith McCammon, chief security officer at Red Canary. “The golden thread connecting these modes of attack is identity. To access cloud accounts and SaaS applications, adversaries must compromise some form of identity or credential, and one that is highly privileged can grant an adversary untold access to valuable accounts, underscoring the critical importance of securing corporate identities and identity providers.”
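The inbox-rule tradecraft the report describes (auto-forwarding to an outside address, diverting mail into folders the user never checks, and payroll or wire-transfer mail as the target) can be hunted for with a simple audit of each mailbox's rules. The following is an added example, not code from Red Canary or the report; the rule record shape, the corporate domain example.com, the folder list and the sample rules are assumptions.

```python
# Audit mailbox inbox rules for the tradecraft described above: auto-forwarding
# outside the organisation, and moving mail into folders users rarely open,
# especially when the rule targets payroll or wire-transfer mail.
from dataclasses import dataclass, field
from typing import List, Optional

INTERNAL_DOMAINS = {"example.com"}  # assumed corporate domain
# Folders adversaries use to park hijacked mail so the victim never sees it
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive",
                  "conversation history", "junk email", "deleted items"}
FINANCE_KEYWORDS = {"payroll", "invoice", "wire", "payment", "bank"}

@dataclass
class InboxRule:  # constructed shape, not a real Exchange/M365 export schema
    mailbox: str
    name: str
    forward_to: List[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None
    subject_contains: List[str] = field(default_factory=list)

def suspicious_findings(rule: InboxRule) -> List[str]:
    """Reasons a rule looks like account-compromise tradecraft (empty if benign)."""
    findings = []
    for addr in rule.forward_to:
        if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            findings.append(f"forwards to external address {addr}")
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        findings.append(f"moves mail to rarely viewed folder '{rule.move_to_folder}'")
    money = [k for k in rule.subject_contains if k.lower() in FINANCE_KEYWORDS]
    if money and findings:  # escalate only when paired with a hiding/forwarding action
        findings.append(f"targets finance-related subjects {money}")
    return findings

def audit(rules: List[InboxRule]) -> List[tuple]:
    """(mailbox, rule name, findings) for every rule that trips a check."""
    return [(r.mailbox, r.name, f) for r in rules if (f := suspicious_findings(r))]

# Constructed sample rules: two benign, two matching the report's description.
SAMPLE_RULES = [
    InboxRule("alice@example.com", "Newsletters", move_to_folder="Newsletters",
              subject_contains=["newsletter"]),
    InboxRule("bob@example.com", "Finance", forward_to=["drop@external-mail.invalid"],
              subject_contains=["payroll", "invoice"]),
    InboxRule("carol@example.com", "Sync", move_to_folder="RSS Subscriptions",
              subject_contains=["wire"]),
    InboxRule("dave@example.com", "To assistant", forward_to=["eve@example.com"]),
]
```

Running `audit(SAMPLE_RULES)` flags only bob's and carol's rules; in practice the rule list would come from the mail platform's admin API and the findings would feed an alert.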

Emerging techniques include container escapes — where adversaries exploit vulnerabilities or misconfigurations in container kernels and runtime environments to ‘escape’ the container and infect the host system — and reflective code loading, allowing adversaries to evade macOS security controls and run malicious code on otherwise hardened Apple endpoints.

You can see the full report on the Red Canary site.

Author: Kenneth Henderson