Microsoft’s review of how phishing has evolved over the last year highlights some of the great lengths attackers will go to in order to avoid being detected as a phishing campaign.
When you think about a phishing campaign, the obvious simple scenario likely comes to mind: an email containing a malicious executable attachment is presented to a user containing some form of social engineering scam to get the user to engage with the attachment.
But most phishing emails that fit the description above are flagged by security solutions well-before the ever see the light of an Inbox. And so, attackers have had to become very crafty, looking for ways to get a seemingly benign email all the way in from of the intended potential victim without triggering any alarms.
According to a Microsoft blog covering some of the innovative ways they’ve seen phishing attacks evolve over the last year, and shared some of the more notable attacks, including:
- Pointing email links to fake google search results that point to attacker-controlled malware-laden websites
- Pointing email links to non-existent pages on an attacker-controlled website so that a custom 404 page is presented that can be used to spoof logon pages for legitimate sites
- Spoofing company-specific Office 365 sign-in pages to look so realistic that users would give the logon page a second thought
These advancements in the way attackers are thinking about phishing to facilitate endpoint infection or credential theft make it necessary for organisations to no longer consider their security solutions as their only line of defense. Users must become the last line of defense, playing a role in organisational security. Through continual Security Awareness Training, users can become familiar with phishing tactics, and be trained to have an “always-suspicious” mindset when interacting with email or the web.
For more on Microsoft’s findings on the latest evolution of phishing, click here.
Free Phishing Security Test
Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.
Here’s how it works:
- Immediately start your test for up to 100 users (no need to talk to anyone)
- Select from 20+ languages and customise the phishing test template based on your environment
- Choose the landing page your users see after they click
- Show users which red flags they missed, or a 404 page
- Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
- See how your organisation compares to others in your industry
PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/phishing-security-test-partner?partnerid=001a000001lWEoJAAW