The cyberthreat landscape continues to evolve and change in often unprecedented ways. Q1 this year saw a number of key events unfold—most notably, the resurgence of the nefarious botnet Emotet, the ongoing conflict in Ukraine, and the widespread Conti gang leaks. But what should organizations be worried about?
Phishing detection, response, and intelligence company Cofense has recently released the latest edition of its quarterly Phishing Threat Intelligence Review. Designed to help businesses understand looming threats in an evolving landscape and bolster their defenses against them, the report covers key trends observed throughout Q1 2022 and is based on Cofense’s firsthand analysis of millions of emails and malware samples.
To find out more about the key findings of the report and to shed some light on how these trends are set to impact the current threat landscape, we spoke with Mollie MacDougall, director of threat intelligence at Cofense.
MacDougall began her career at the U.S. House Foreign Affairs Committee in 2015, later moving to the Department of Homeland Security, where she focused on threats to U.S. critical infrastructure and federal networks. She joined Cofense, previously known as PhishMe, in 2018, and now oversees the strategic direction of the company’s intelligence product.
Can you talk us through some of the key trends that the report identified for 2022 and the kind of challenges that these present to the threat landscape?
First, what we’re seeing very predominantly is how Emotet’s re-emergence at the end of last year has impacted the broader phishing landscape over the last quarter. We’ve really seen a spike that impacted not just trends in malware families but also overtook a lot of other metrics that we’re tracking across the threat landscape.
Loader malware types—which is what Emotet is considered to be today—are the most prevalent types of malware that we’re seeing. Similarly, top delivery mechanisms were completely dominated by Emotet campaigns. We saw a ton of macro-laden Office documents used to deploy malware loads, as well as a lot of malicious PowerShell scripts and Microsoft HTA files. Emotet uses all these delivery mechanisms, or at least did in the last quarter.
Another key trend is that, when it comes to top-level domains, “.com” is by far the most common identified across any URL that’s leveraged in a phishing campaign. And this isn’t at all a surprise. “.com” URLs are the most recognizable and least likely to raise questions with an audience that isn’t as technically literate or technically involved personally.
But, more notably, we’re seeing a ton of abuse of legitimate websites—especially those used for collaboration and file sharing. So, we’re talking Google Docs, OneDrive, and SharePoint. These are leveraged with great frequency—especially for hosting credential phishing pages.
The problem is, it’s tough for businesses to block access to those sites that are relied upon for business operations and collaboration. And it’s also incredibly easy both in terms of cost and labor to just move to a different page once a URL has been found out to be malicious. It’s very easy, and quick to do, so we see that used a lot.
And finally, in terms of phishing themes, we’ve seen a lot of campaigns leveraging the conflict in Ukraine as well as the U.S. tax season. In the U.S., we recently had our Tax Day, and in the lead-up to that, we saw a number of campaigns targeting U.S. users, spoofing the IRS, and creating phishing templates that are tax themed.
As you said, last quarter saw Emotet reaching new highs since its re-emergence at the end of 2021. How has Emotet evolved its approach and TTPs, and how can we expect it to evolve as time goes on?
Emotet is very successful, and we do see it evolve pretty consistently as well as return to previously used tactics.
In Q4 last year, we saw Emotet return for the first time since the coordinated takedown of the botnet and the arrest of multiple key operators in January 2021. In Q1 this year, we saw its activity ramp up substantially, and on some days, we definitely reached what we would describe as full operational capacity in terms of the volume and dissemination of Emotet campaigns.
One thing that’s fairly consistent over the last few years is that we see Emotet campaigns leveraging reply chain tactics—so, they’ll take over a compromised email account, find an email that’s quite old, and create a reply based on an old template, which will make it appear very legitimate.
And as I mentioned, when they re-emerged, we saw that phishing emails primarily used macro-laden Excel files to deliver payloads. But in March this year, we saw Emotet reinstate a delivery method that they’d used previously but hadn’t for quite some time. That is, providing embedded URLs that then linked to downloadable malicious documents, rather than directly attaching those documents to emails. And actually, as of late April, Emotet campaigns have started using LNK files to deliver payloads as well.
Their ability to adapt and to try new methods and delivery indicates that there are either a lot of resources behind them or a large number of operators—or both. But there’s the time, availability, and talent behind this botnet to continue at this level and to evolve at the pace that we’re seeing.
With that, we can expect the tactics, techniques, and procedures—or TTPs—to continue to evolve. It’s a cat and mouse game where, as word gets out and people buffer their defenses to counter how Emotet is deploying, they will then tweak it enough to yield success. And we are seeing firsthand that these campaigns are reaching users’ inboxes.
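The reply-chain tactic and delivery mechanisms described above, together with the collaboration-site abuse noted earlier, translate directly into mail-gateway triage checks. The following is an added example written for this page, not Cofense's tooling or code from the interview; it assumes the organisation's own mail archive can map Message-IDs to sent dates (a constructed index here), and its indicator lists and 180-day threshold are illustrative choices.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse
RISKY_EXTENSIONS = (".xlsm", ".docm", ".hta", ".ps1", ".lnk")  # illustrative list
FILE_SHARING_HOSTS = ("docs.google.com", "onedrive.live.com", "sharepoint.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
REPLY_AGE = timedelta(days=180)  # hypothetical "dormant thread" threshold

def triage(raw: str, thread_index: dict, now: datetime) -> list:
    """Return reasons an email needs analyst review; thread_index maps archive Message-IDs to sent dates."""
    msg = message_from_string(raw, policy=default)
    findings = []
    # 1. Reply-chain hijack: the "reply" resurrects a conversation dormant for months.
    parent_date = thread_index.get(msg.get("In-Reply-To", "").strip())
    if parent_date and now - parent_date > REPLY_AGE:
        findings.append(f"reply to thread dormant since {parent_date.date()}")
    # 2. Attachment types used to carry loader payloads.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")
    # 3. Embedded URLs: downloadable documents, or pages on abused collaboration hosts.
    body = msg.get_body(preferencelist=("plain", "html"))
    for url in URL_RE.findall(body.get_content() if body is not None else ""):
        host, path = (urlparse(url).hostname or "").lower(), urlparse(url).path.lower()
        if path.endswith(RISKY_EXTENSIONS):
            findings.append(f"link to downloadable document {url}")
        elif any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS):
            findings.append(f"link hosted on collaboration service {host}")
    return findings

# Constructed sample: reply to a 2019 thread, .lnk attached, link to a macro workbook.
SAMPLE = """\
In-Reply-To: <old-thread-2019@example.org>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

https://contoso.sharepoint.com/sites/finance/invoice.xlsm
--b1
Content-Disposition: attachment; filename="invoice.lnk"

x
--b1--
"""
THREAD_INDEX = {"<old-thread-2019@example.org>": datetime(2019, 6, 3, tzinfo=timezone.utc)}
NOW = datetime(2022, 3, 15, tzinfo=timezone.utc)
```

Running `triage(SAMPLE, THREAD_INDEX, NOW)` yields three findings, one per tactic; a message with none of these traits yields an empty list.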
One of the trends in the report centers around the current conflict in Ukraine and the uptick that that has caused in scam-based phishing emails. Can you tell us more about how these attacks work and whether we can expect to see them evolve throughout 2022?
There have been a lot of surprises to me around phishing related to the Ukraine-Russia conflict.
I expected we would see far more sophisticated APT-level activity that was more destructive than we’ve seen, but most of the phishing that we’ve seen has been lower level than expected. Especially because of the global interest and impact of this event, I’ve been surprised that we haven’t seen more weaponizing of the theme in general.
Initially, we saw a lot of scam-based emails, where some threat actors were posing as humanitarian organizations soliciting donations. We also saw some credential phishing campaigns, often targeting cryptocurrency wallets as part of a sanction-warning scheme where they’d say: “Hey, can you log in so we can verify your account and ensure you’re not in violation of Russian sanctions.”
That said, toward the end of last quarter we did start seeing malware campaigns delivered by Ukraine-themed phishing campaigns. We saw a number of different malware families delivered with these types of themes. So, that’s notable. It’s a slight uptick but, overall, still low volume.
I think we’ll see a continuation at this low level. Threat actors pay attention to headlines that are likely to be of interest to their targets. But there are still so many unknowns and variables around how this conflict will evolve.
We’ll be watching very closely.
Ransomware has been a hot topic over the past few years, with the impact of the Colonial Pipeline and now the Conti gang leaks. Are these leaks more of a help to security teams or a hindrance, with copycat gangs looking to emulate the group’s tactics?
It’s definitely both. And only time will tell.
These leaks shed a lot of light and were very helpful for us to understand the goings-on, the makeup of these gangs, what they’re worried about, what their objectives are, and what their motivations are. And that’s really useful information.
But, on the other hand, these leaks could demystify the gang’s activities and convince others to think: “Oh hey, I could do this!” This could make ransomware operations seem more accessible to other potential threat actors and motivate them to enter the landscape.
The leaks could also help other ransomware groups to see where their gaps are or where they can make improvements, and also really enhance their operational security. A lot of threat actors probably noted that the leak was preventable and might implement stricter operational security plans and procedures to make it less likely that we can gain these kinds of leaks and insights in the future.
In response to these key trends and challenges facing the threat landscape, how would you recommend that organizations can best keep their systems and users safe?
Keeping systems and users safe must be a mix of technology and people. And that’s exactly what we focus on at Cofense.
I think there are four things that organizations need to help defend against this evolving landscape—depending on how mature of an organization you are in terms of resourcing and consuming threat intelligence.
First and foremost is an educated workforce that understands today’s phishing threats and what they look like. Second, they need to have a way to report suspicious email campaigns to their company’s security teams, so that you as an organization can very quickly know that your users are getting targeted and take the steps needed to identify and remove phishing campaigns—that’s the third thing.
Finally, if you are a more mature, enterprise-level organization that has the technical maturity to consume and action on threat intelligence, it’s really important to understand how the threat landscape is evolving and the key ways that threat actors are yielding success in getting into your users’ inboxes.
So, you need a workforce that’s ready to identify campaigns and able to report them, a way to address these campaigns, and a constant source of intelligence as to what threats are likely to reach your organization and how.
Thanks to Mollie MacDougall for taking part in this interview. Cofense’s Q1 Phishing Intelligence Trends Review is available for download via the Cofense website.
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.