These attacks are increasingly used to overwhelm SOC teams.
There has been a rise in bulk ‘commodity’ phishing attacks by 2700 percent in the last quarter.
Speaking at the launch of a new phishing report this week, Jack Chapman, SVP of Threat Intelligence at Egress, a KnowBe4 company, said the sophistication of these attacks continues to increase.
“When we see a lot of firehose style, bad attacks, these [are intended] to overwhelm a SOC team,” Chapman said. “One or two spear-phishing attacks go under the radar, and then we’ve seen two actual phishing attacks against two very specific people.
“From a volume basis, it comes in waves and rather than being in a consistent basis.” Chapman explained that a business may usually receive a thousand phishing attack in a month, but that can go up to 20,000 in a week, and he explained that this is intended to “volumetrically overwhelm.”
Using the Breach
Chapman also explained that attackers use email addresses from data breach lists, and will send an test email to check if the account is live, by looking for bouncebacks and using click tracking.
Asked by SC UK that if there are multiple attacks being sent from the same domain, why are they not blocked, Chapman said more commodity attacks are defeating traditional security.
“This is one of the issues that attackers have overcome, as an attack is never intended to send from that address, and once it is sent they have burnt it and it is never used again, and this is where the compromised accounts piece comes in so strongly as it costs a couple of quid for a thousand addresses,” he said.
Compromised Accounts
The research found 44 percent of phishing emails were sent from compromised accounts, helping them bypass authentication protocols.
The report also found that there had been a 28 percent increase in phishing emails sent Q2 of 2024, versus what was sent in Q1, and 89 percent of phishing emails involve impersonation, with Adobe the most impersonated brand, followed by Microsoft.
The most targeted employees were new hires with a tenure of two to seven weeks, who typically receive emails pretending to be training or on-boarding materials, and with instructions to scan a QR code to be taken to mobile-based content.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
