- Data breach tactics are shifting toward .ru and .su domains
- Remote access trojan phishing emails increased by 59%
- Malicious emails now bypass security gateways every 45 seconds
New research finds a significant increase in malicious email activity and a shift in attack tactics.
On average, at least one malicious email bypasses a secure email gateway (SEG), such as Microsoft's or Proofpoint's, every 45 seconds, up significantly from last year's rate of once every 57 seconds, according to Cofense Intelligence's third-quarter data trend report.
There has been a dramatic increase in the use of Remote Access Trojans (RATs), which allow attackers to gain unauthorized access to victim systems, often resulting in data theft or further exploitation.
Remote Access Trojan (RAT) usage on the rise
Remcos RAT is a tool widely used by cybercriminals and is responsible for the rise in RAT attacks. It gives attackers remote control of infected systems, letting them steal data, deploy additional malware and gain persistent access to the compromised network.
Open redirects are also gaining traction as a technique used in phishing campaigns, with reports showing a 627% increase in usage. These attacks exploit the functionality of legitimate websites to redirect users to malicious URLs, often masking the threat behind well-known and trusted domains.
Douyin and Google AMP are often used to carry out these attacks, taking advantage of their global reach and frequent use by unsuspecting individuals.
The use of malicious Office files, especially those in the .docx format, has increased dramatically by nearly 600%. These files often contain phishing links or QR codes that direct victims to harmful websites.
Microsoft Office files remain a popular attack vector due to their widespread use in business environments, making them ideal for targeting organizations through spear phishing campaigns.
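Word stores a document's hyperlink targets not in the visible text but in the package's relationship parts, and a QR code is just an image part, so a defender triaging a suspicious .docx needs to look at both. The following is an added example written for this article, not code from Cofense or the report; it constructs a minimal sample .docx in memory (the link targets and the stub image are constructed, not taken from a real attachment) and pulls out the external hyperlinks and the media parts that would be handed to a QR decoder.

```python
"""Extract the external hyperlinks and embedded image parts from a .docx so
the URLs (and any QR-code images) can be checked before a user clicks or
scans them. Added example; not Cofense code. The document built here is a
constructed sample, not a real phishing attachment."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List
from xml.sax.saxutils import escape

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                  "relationships/hyperlink")
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def build_sample_docx(targets: List[str]) -> bytes:
    """Build a minimal .docx: Word keeps hyperlink targets out of the text and
    records them in word/_rels/document.xml.rels as External relationships."""
    rels = "".join(
        f'<Relationship Id="rId{i + 1}" Type="{HYPERLINK_TYPE}" '
        f'Target="{escape(t, {chr(34): "&quot;"})}" TargetMode="External"/>'
        for i, t in enumerate(targets)
    )
    rels_xml = (f'<?xml version="1.0" encoding="UTF-8"?>'
                f'<Relationships xmlns="{REL_NS}">{rels}</Relationships>')
    doc_xml = (f'<?xml version="1.0" encoding="UTF-8"?>'
               f'<w:document xmlns:w="{WORD_NS}"><w:body><w:p><w:r>'
               f'<w:t>Scan the code or open the link to view your invoice.</w:t>'
               f'</w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder; enough for parsing here
        z.writestr("word/document.xml", doc_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        # Stub image part standing in for an embedded QR code (not a real PNG).
        z.writestr("word/media/image1.png", b"\x89PNG stub")
    return buf.getvalue()


def extract_external_links(docx_bytes: bytes) -> List[str]:
    """Walk every relationships part under word/ (document, headers, footers)
    and collect the External hyperlink targets."""
    links: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == HYPERLINK_TYPE
                        and rel.get("TargetMode") == "External"):
                    links.append(rel.get("Target"))
    return links


def list_media_parts(docx_bytes: bytes) -> List[str]:
    """Image parts under word/media/ are where an embedded QR code lives;
    hand these to a QR decoder and triage the decoded URL like any link."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return [n for n in z.namelist() if n.startswith("word/media/")]


if __name__ == "__main__":
    sample = build_sample_docx(["https://login-update.example.ru/auth",
                                "https://www.example.com/"])
    print("links:", extract_external_links(sample))
    print("media:", list_media_parts(sample))
```

The extractor deliberately walks every `.rels` part under `word/`, because hyperlinks placed in headers or footers are recorded in their own relationship files rather than in `document.xml.rels`. URLs typed as plain text in the body are not hyperlink relationships and would need a separate scan of `document.xml`.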
Additionally, with the increased use of the .ru and .su top-level domains (TLDs), there has been a significant shift in data breach tactics. Use of domain names with the .ru (Russia) and .su (Soviet Union) extensions has surged more than fourfold and twelvefold respectively, suggesting that cybercriminals are turning to less common and geographically relevant domain names to evade detection, making it more difficult for victims and security teams to track data theft activity.
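Two of the report's findings, open-redirect abuse on trusted domains and the move to .ru and .su TLDs, are both caught by the same kind of URL triage: resolve where a link actually lands, then check that destination rather than only the trusted landing host. The block below is an added example written for this article, not Cofense's tooling; the gateway log format, the sample lines and the list of redirect parameter names are all constructed assumptions. It goes slightly beyond the text by handling both the query-parameter redirect pattern and the AMP-cache style in which the real host is embedded as a path segment.

```python
"""Triage of URLs seen in mail-gateway logs: flag open-redirect patterns,
AMP-cache-style path-embedded hosts, and .ru/.su top-level domains.
Added example; not Cofense code. Log lines below are constructed."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in an assumed "key=value" gateway format.
SAMPLE_LOG = """\
2024-09-03T10:14:02Z verdict=clean url=https://www.example-news.com/article/123
2024-09-03T10:14:31Z verdict=clean url=https://www.example-cdn.com/redirect?url=https://login-update.example.ru/auth
2024-09-03T10:15:10Z verdict=clean url=https://www.example-amp.org/c/s/invoice-pay.example.su/view
2024-09-03T10:15:44Z verdict=clean url=https://trusted.example.com/go?next=%2Faccount
2024-09-03T10:16:02Z verdict=clean url=http://files.example.su/download/4711
"""

# Query parameters that commonly carry a redirect destination (assumed list).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return",
                   "goto", "dest", "target", "u", "r"}
FLAGGED_TLDS = {"ru", "su"}
# A path segment that looks like a hostname; file names such as report.docx
# are excluded by extension so they are not mistaken for hosts.
HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,6}$", re.I)
FILE_EXTS = {"doc", "docx", "pdf", "html", "htm", "php", "aspx", "zip", "exe"}


def tld(host: str) -> str:
    """Last DNS label of a host, lower-cased ('' for an empty host)."""
    return host.rsplit(".", 1)[-1].lower() if host else ""


def find_open_redirect(url: str) -> Optional[str]:
    """Return the destination if a redirect-style query parameter carries a
    full URL to a different host (the open-redirect abuse pattern)."""
    outer = urlparse(url)
    for name, values in parse_qs(outer.query).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            inner = urlparse(value)
            if (inner.scheme in ("http", "https") and inner.hostname
                    and inner.hostname != outer.hostname):
                return value
    return None


def find_path_embedded_host(url: str) -> Optional[str]:
    """Cache/proxy links (Google AMP style) carry the real destination as a
    path segment, e.g. /c/s/<host>/...; return the first host-like segment."""
    for seg in urlparse(url).path.split("/"):
        if HOST_RE.match(seg) and seg.rsplit(".", 1)[-1].lower() not in FILE_EXTS:
            return seg
    return None


def triage_url(url: str) -> List[str]:
    """Collect findings for one URL. The TLD check runs on every destination
    reached through a redirect or embedded host, not just the landing host."""
    findings: List[str] = []
    landing = urlparse(url).hostname or ""
    hosts_to_check = [landing]
    redirect = find_open_redirect(url)
    if redirect:
        dest = urlparse(redirect).hostname or ""
        findings.append(f"open-redirect to {dest}")
        hosts_to_check.append(dest)
    embedded = find_path_embedded_host(url)
    if embedded:
        findings.append(f"path-embedded host {embedded}")
        hosts_to_check.append(embedded)
    for host in hosts_to_check:
        if tld(host) in FLAGGED_TLDS:
            findings.append(f"flagged TLD .{tld(host)} ({host})")
    return findings


def triage_log(text: str) -> List[Dict[str, object]]:
    """Run triage over every log line carrying a url= field."""
    results: List[Dict[str, object]] = []
    for line in text.splitlines():
        if "url=" not in line:
            continue
        url = line.split("url=", 1)[1].strip()
        results.append({"url": url, "findings": triage_url(url)})
    return results


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(r["url"], "->", r["findings"] or "no findings")
```

The point of checking `hosts_to_check` rather than only the landing host is that a gateway allow-listing `www.example-cdn.com` or an AMP cache would otherwise pass the second and third sample lines as clean, even though both ultimately deliver the user to a .ru or .su host. The relative `next=/account` in the fourth line is an ordinary in-site redirect and produces no finding.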