How phishing attacks are evolving and why you should care

Cybercriminal gangs and nation-state threat actors continue to evolve their phishing attack techniques, experimenting with different lures, adopting new social engineering tricks, and devising new ways to avoid detection in 2021.

According to the annual Microsoft Digital Defense Report, threat actors, focused on malware attacks to harvest people’s credentials in the past, have recently shifted their focus to phishing attacks (~70%). Experts observed threat actors sending out emails imitating top brands like Microsoft, UPS, Amazon, Apple, and Zoom.

The ENISA Threat Landscape 2020 report states that cyberattacks are becoming more sophisticated, targeted, widespread, and undetected.

While malware stands strong as the #1 cyber threat in the EU, experts observed a significant increase in phishing, identity theft, and ransomware attacks in 2020.

Top 15 Cyber threats
Image by ENISA: Cyberattacks becoming more sophisticated, targeted, widespread and undetected

Here are some interesting findings from the ENISA report related to phishing campaigns monitored in the last twelve months:

  • Losses of €26.2 billion in 2019 with Business E-mail Compromise (BEC) attacks
  • 42.8% of all malicious attachments were Microsoft Office documents
  • 667% increase in phishing scams in just 1 month during the COVID-19 pandemic
  • 30% of phishing messages were delivered on Mondays
  • 32.5% of all e-mails used the keyword ‘payment’ in the e-mail subject

A constantly evolving threat

Security firms warn that attackers are rapidly evolving to evade detection.

The majority of phishing attempts today are “polymorphic” in nature.

This means that attackers make slight and often random changes to an email’s artefacts (i.e. template, content, subject, sender name, domains). The morphing allows them to make phishing attacks difficult to detect for signature-based email defence solutions.

Polymorphic phishing attacks are not new, however. Experts began observing them since at least 2016. The first attacks only changed the embedded URLs pointing to their landing pages that were only deployed for a few hours. These URLs were difficult to label as malicious by automated scanning and blacklisting software due to their short lifespan. Making continuous changes to the URLs allowed attackers to avoid detection.

While phishing detection tools were becoming more effective in implementing new detection capabilities, attackers started variating an increasing number of components in the message to avoid them. Threat actors also changed their tactics by sending only a small number of messages to avoid creating “noise” that could be easily detected by email filters.

Today, phishing attacks are becoming much more targeted.

Once a bad actor has obtained the credentials of an employee within an organization, they will use them to target colleagues in surgical and polymorphic operations.

Another trick employed by threat actors behind phishing campaigns is the use of HTTPS sites. According to ENISA, more than two-thirds (74%) of phishing sites adopted HTTPS in Q4 2020. The experts at ENISA pointed out that the presence of a lock icon at the browser’s address bar may trick victims into thinking that the messages are sent from a trusted website. In some cases, threat actors also use legitimate sites that have been hacked to host phishing pages, making it hard to detect malicious activity.

“Other factors contributing to the steep rise in HTTPS usage are the plethora of free certificate services such as Let’s Encrypt and the fact that modern browsers mark every HTTPS site as secure, without any further checks.”

states the ENISA report.

Phishing-as-a-service on the rise

Security experts also warn of the rise of Phishing-as-a-Service (PaaS) in the cybercrime underground.

Crooks can pay for phishing kits that can be accessed by subscribing to such services. A security researcher identified over 5,334 unique phishing kits by June 2019 that were offered for a price ranging from $50 to $80 for a monthly subscription. Most of the kits (87%) included evasion mechanisms such as HTML character encoding and content encryption. Some of these services were hosted on legitimate cloud services with proper domain name system (DNS) names and certificates.

During the past months, security firms spotted multiple creative phishing techniques to avoid detection.

In November 2020, researchers at WMC Global have spotted a new creative Office 365 phishing campaign that has been inverting images used as backgrounds for landing pages to avoid getting flagged as malicious by security solutions that scan the web for phishing sites.

The bot avoidance mechanism has been deployed on multiple phishing websites designed to steal Office 365 credentials.

WMC Global researchers observed this technique implemented in a phishing kit developed by a threat actor that was selling it to multiple users.

“Because image recognition software is improving and becoming more accurate, this new technique aims to deceive scanning engines by inverting the colours of the image, causing the image hash to differ from the original. This technique can hinder the software’s ability to flag this image altogether.”

reads the analysis published by WMC Global.
Microsoft Office 365 login page
Inverted background

The phishing kit that uses this trick automatically reverts the backgrounds using Cascading Style Sheets (CSS) to make them look just like the backgrounds of legitimate Office 365 login pages.

While phishing detection web crawlers are served the inverted image, the potential victims are redirected to one of these phishing landing pages that will see the original background instead of the inverted one.

Innovative phishing techniques

Recently, experts also observed other phishing campaigns aimed at Office 365 users that were using innovative techniques, such as leveraging public cloud services to host the phishing landing pages.

Another innovative technique observed by the researchers targeting Office 365 users leverages both cloud services from Oracle and Amazon for their infrastructure. The threat actors used compromised accounts to send out phishing messages and used Amazon Web Services (AWS) and Oracle Cloud in the redirect chain.

“Once the link was clicked, the user is redirected through several proxies, including AWS load balancers, all the way to a legitimate but compromised website.”

Ofir Rozmann, threat intelligence at Mitiga told Bleeping Computer

Before the victims land on the final landing page, they are redirected through several proxies, including AWS load balancers. Most of the fake Office 365 login pages were hosted on the Oracle Cloud computing service, but experts also observed the use of the Amazon Simple Storage Service.

Mitiga researchers discovered more than 40 compromised websites that were used in this Office 365 phishing campaign. The analysis of the HTML code for the fake Office 365 pages suggests that attackers opted for a PaaS kit.

In November 2020, Microsoft tracked an ongoing Office 365 phishing campaign that was targeting enterprises. The threat actors behind the campaign leveraged redirector URLs with the capability to detect incoming connections from sandbox environments.

Upon detecting connections for sandboxes, the redirector would redirect them to legitimate sites to evade detection, while connections from real potential victims were redirected to phishing pages.

In August, researchers from Malwarebytes analyzed a new evasive phishing technique used by attackers in the wild in Magecart attacks. The hackers targeted visitors of several websites by using typo-squatted domain names, and modified favicons to inject software skimmers used to steal payment card information.

The technique is known as homoglyph attack, it was involved in phishing scams with IDN homograph attacks. “The idea is simple and consists of using characters that look the same in order to dupe users,” reads the analysis published by Malwarebytes researchers.

“Sometimes the characters are from a different language set or simply capitalizing the letter ‘i’ to make it appear like a lowercase ‘l’.”

The internationalized domain name (IDN) homograph attack technique has been used by the Magecart group on multiple domains to load the Inter software skimmer inside a favicon file.

The visual trick leverages the similarities of character scripts to register fraudulent domains that appear similar to legitimate ones, then attackers trick victims into visiting them.

While analyzing homoglyph attacks, experts also found legitimate websites (e.g., “”) that were compromised and injected with an innocuous loader for an icon file that loaded a copycat version of the favicon from the typo-squatted domain (“cigarpaqe[.]com”).

This favicon loaded from the homoglyph domain allowed the attackers to inject the Inter JavaScript skimmer.

Homoglyph example

Experts noticed that one of the fraudulent domains (“”) involved in this type of attack has been previously tied to Magecart Group 8, the crew that was behind the attacks on NutriBullet, and MyPillow.

How to prevent sophisticated phishing attacks?

Here are a few suggestions for organizations looking to mitigate phishing attacks:

  • Train employees to identify a malicious email. Simulated phishing campaigns could allow organisations to test the resilience and responsiveness of the staff.
  • Use a secure e-mail gateway with regular (possibly automated) maintenance of filters (anti-spam, anti-malware, policy-based filtering).
  • Deploy defence solutions that use machine-learning techniques to identify phishing sites in real-time.
  • Disable automatic execution of code, macros, rendering of graphics and preloading mailed links at the mail clients and update them frequently.
  • Implement SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting & Conformance), and DKIM (Domain Keys Identified Mail) to identify spam.
  • Implement anomaly detection at the network level for both inbound and outbound e-mails.
  • Check the domain name of the websites you visit for typos, especially for sensitive websites, e.g. bank sites. Relying on the HTTPS connection is not enough.
  • Enable two-factor authentication (2FA) whenever applicable to prevent account takeovers.

Build your secure personal and business online presence