Quarterly Report

Tactical Threat Intelligence Report (Updated for Q1 2024)

This quarterly report offers a comprehensive overview of the phishing landscape during the latest business quarter, highlighting the tactics, techniques and procedures employed by threat actors.


Executive Summary

The Tactical Threat Intelligence Report offers a comprehensive, quarterly overview of the phishing landscape using first-party and third-party threat data. Each report reveals insights into the most relevant tactics, techniques, and procedures employed by threat actors in the latest quarter.

For example, the Q1 2024 report reveals that the most commonly used attachment types are .pdf and .html files, often carrying clickable links that lead to further harmful payloads; .eml files, which embed a malicious email within a benign one to slip past spam filters; macro-embedded documents designed to trick users into executing harmful scripts; and compressed files such as ZIP or RAR archives, which can hide malware from scanners until extracted.

This report features two case studies related to supply chain risk, based on real phishing campaigns identified in the Hoxhunt network:

  1. The first case study covers Request for Supply (RFS) attacks, a type of phishing where malicious actors impersonate legitimate companies, like Pfizer or Unilever, to solicit specific parts or vendor registration.
  2. The second case study examines the real-life consequences of SaaS account compromise, with Meta impersonation phishing emails sent through Salesforce's own mail infrastructure and therefore arriving from a salesforce.com address.

In general, supply chain attacks provide significant leverage for threat actors, as a single breached company or SaaS system can offer access to multiple suppliers and customers.

Finally, the Q1 2024 report explains a popular social engineering tactic where threat actors pose as banks sending out warnings about phishing (talk about phishing-ception). These campaigns often have very convincing landing pages, making it more likely for the victim to believe they are really communicating with their bank.

About the authors

Hoxhunt is the leading platform for human cyber-risk management, offering security awareness and phishing training solutions. Our solution goes beyond security awareness to drive behavior change and measurably lower human cyber-risk. Combining AI and behavioral science, we create individualized training moments people love.

Hoxhunt trains employees to report suspicious emails using a Hoxhunt button embedded within the email client itself.

During Q1 2024, around one million email threats were reported by our end users, averaging almost 10,000 reports per day. Because our end users manually report the emails, our data only consists of threats that have managed to bypass email spam filters.

This data is analyzed by Hoxhunt's Threat Operations team, a group of threat analysts and data scientists tasked with processing threat data and combining it with other data sources to create actionable intelligence.

Security Awareness News

In the first quarter of 2024, the threat landscape was significantly impacted by two main factors: the increasing use of AI in attacks and the prevalence of attacks originating from compromised email accounts.

Email remains the most popular way to deliver malware (1), so it is vital for organizations and their employees to stay alert.

Attackers use compromised or hijacked email domains to bypass email filters and to make their messages look more legitimate than those sent from free email services. The techniques for taking over accounts and domains range from direct account breaches to elaborate domain hijacking. A notable instance is the SubdoMailing spam campaign, active since September 2022, which abused dangling DNS records: subdomains of legitimate businesses whose CNAME or SPF records still pointed at domains that had since expired and that the attackers simply re-registered. In this way the operators took control of more than 8,000 domains and 13,000 subdomains belonging to legitimate businesses (2). Because a hijacked subdomain inherits the parent domain's reputation, and often its SPF authorization, mail sent from it passes checks that would flag a freshly registered domain.
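The record hygiene check implied by the SubdoMailing case can be automated. The following Python script is an added example written for this report, not code from Hoxhunt or from the cited research: it walks a list of DNS records and flags CNAME targets and SPF include: domains whose registrable domain is no longer registered. The zone data and the set of registered domains are constructed for the illustration; a real run would feed it a zone export and an RDAP or WHOIS lookup in place of the is_registered callback, and use the Public Suffix List instead of the two-label shortcut.

```python
"""Added example: find dangling DNS records of the kind abused by SubdoMailing.

A subdomain whose CNAME (or whose SPF 'include:') points at an expired domain
is hijackable by anyone who re-registers that domain. The zone records and the
'registered' set below are constructed for the illustration.
"""
import re
from typing import Callable, Iterable, Tuple

Record = Tuple[str, str, str]  # (owner, rrtype, value)


def registrable_domain(name: str) -> str:
    # Two-label shortcut, good enough for the sample data; real tooling should
    # use the Public Suffix List so that e.g. "foo.co.uk" is handled correctly.
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def spf_includes(txt: str) -> list:
    """Return the domains named by include: mechanisms in an SPF TXT record."""
    return re.findall(r"\binclude:([a-z0-9._-]+)", txt.lower())


def find_dangling(records: Iterable[Record], is_registered: Callable[[str], bool]) -> list:
    """Flag CNAME targets and SPF includes whose registrable domain is unregistered.

    is_registered stands in for an RDAP/WHOIS lookup (constructed here)."""
    findings = []
    for owner, rrtype, value in records:
        if rrtype == "CNAME":
            targets, via = [value], "CNAME"
        elif rrtype == "TXT" and value.lower().startswith("v=spf1"):
            targets, via = spf_includes(value), "SPF include"
        else:
            continue  # A/AAAA/MX etc. are not delegation records
        for target in targets:
            domain = registrable_domain(target)
            if not is_registered(domain):
                findings.append({"owner": owner.rstrip("."), "via": via,
                                 "target": target.rstrip("."), "expired_domain": domain})
    return findings


# Constructed sample zone: example.com is a reserved name, the targets are made up.
SAMPLE_RECORDS = [
    ("promo.example.com.", "CNAME", "campaign.oldvendor-marketing.com."),  # vendor long gone
    ("www.example.com.", "CNAME", "example.com."),
    ("example.com.", "TXT", "v=spf1 include:_spf.google.com include:spf.defunct-esp.net -all"),
    ("mail.example.com.", "A", "192.0.2.10"),
]

# Constructed stand-in for the registry: only these registrable domains exist.
REGISTERED = {"example.com", "google.com"}


def demo() -> list:
    return find_dangling(SAMPLE_RECORDS, lambda d: d in REGISTERED)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['owner']} -> {finding['target']} via {finding['via']}: "
              f"{finding['expired_domain']} is not registered")
```

Run it against every subdomain the organization owns, not only the ones still in visible use; forgotten marketing and vendor subdomains are exactly what the campaign targeted.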

As deepfakes get more convincing and AI technologies more accessible, they become more attractive tools for threat actors: social engineering attempts become harder to detect, and AI-as-a-service for threat actors is a looming possibility (3). Perhaps the most startling example of deepfakes used in social engineering is that of a finance worker in Hong Kong who paid out $25 million after being invited to a video call with his "coworkers" and "CFO", all of whom were deepfake creations (4).

The best defenses against phishing are still employee training and awareness of phishing techniques and social engineering tactics, effective email filtering, and requiring multi-factor authentication everywhere (5). Against deepfakes, AI detection technologies and security solutions can be worth investing in (6). Where such tooling is not available, the simple rule is to verify any unusual request through a different communication channel, for example by calling the requester on a number you already know.

Supply Chain Risk

Understanding Supply Chain Vulnerabilities

In 2024, global cyber security spending is expected to skyrocket. While many organizations are strengthening their cybersecurity measures, others are falling behind (7).

Small-to-medium businesses (SMBs) are especially targeted, which is alarming not only for these companies but also for the wider ecosystem they are part of. A major reason SMBs are targeted is their established connections to larger enterprises (8).

Through SMBs, threat actors have a better shot at gaining access to larger enterprises that have more cybersecurity resources at their disposal. A phishing email or a Teams message sent from the compromised account of a trusted vendor or supplier lets attackers run far more convincing social engineering campaigns than a first contact from an unknown address would. SMBs may also lack cybersecurity resources and strong security controls.

A lucrative way for threat actors to gain access to multiple companies at once is infiltrating SaaS systems. According to Security Week, most supply chain attacks target the software supply chain (9). Organizations have many different SaaS subscriptions for different purposes, and often these are purchased with little risk assessment (10). The more SaaS systems there are, the more third parties the organization is tied to. The more complex the supply chain, the harder it can be to detect vulnerabilities.

Supply chain risk can also originate from open-source software dependencies (11), as in the recent XZ Utils case, where a threat actor spent years building trust in the open-source project in order to insert a backdoor into its liblzma library; on affected Linux distributions the backdoor hooked into the OpenSSH server and allowed an attacker holding a specific private key to execute commands remotely (12).

In the last year, 80% of the Akira ransomware group's victims have been SMBs (8).

Mitigating Supply Chain Attacks

According to Bleeping Computer, 98% of cyberattacks start with some form of social engineering (8). SMBs can mitigate their risks by investing in awareness training or, even with a lack of resources, making sure they have implemented additional security measures that are simple yet effective, such as multi-factor authentication.

As for organizations targeted via phishing emails sent from compromised email accounts or through SaaS systems, an important mitigation is to understand the supply chain and the "SaaS footprint" (13) from a cybersecurity perspective. To further reduce risk, suppliers and service providers should be continuously monitored and assessed for their data privacy compliance and their preparedness to handle cyber threats, and their own suppliers, the so-called fourth-party risk, should be considered as well (9).


Supply chain risks are also tied to geopolitical tensions – supply chain attacks can target critical infrastructure where any disruption can have a big effect on the economy (14). Therefore, organizations should be aware of their position in the global political economy to understand when, how and why they might become a target for these types of attacks (14).

Case study: Request for Supply attacks

For companies in the manufacturing industry, requests for supply or quotation are commonplace. These requests can also pose significant risk, as malicious actors can use them in attacks.

Request for Supply (RFS) attacks are a type of phishing attack where the malicious actor impersonates a legitimate company to ask the target to supply a specific part or to register as a vendor. During the first quarter of 2024, we've seen a variety of entities impersonated in these attacks, such as Unilever, Pfizer, Aramco and Vattenfall. Although the impersonated companies vary, the emails share similarities, such as the sender addresses being look-alike impersonations of the company domain (Unileverrequesting.com, pfizermanufacturing-nv.com).

Step 1: Reconnaissance – research and targeting

According to our data, almost 60% of the emails we've seen in this campaign were sent to companies in the construction and manufacturing industries. The campaign is thus aimed specifically at companies to which such a request would be relevant, which makes the emails more believable. The recipient might not think twice about the email, since it appears legitimate and contains nothing outright malicious.

Step 2: Establishing contact – the phishing email

The attacker reaches out to the target by email, posing as a representative of a company looking to procure goods, and requests detailed information about products or services. These may include pricing, technical specifications, or even product samples. Where information is the goal, they might ask for reports, data sheets, or research that could contain sensitive or proprietary information.


Step 3: Execution – the human interaction

If the target company's representative is convinced by the email, they will interact with it, whether by replying to the sender or by downloading any attachments.

Most of these emails ask the recipient to reply and confirm their interest in supplying the fraudulent project. Many of the emails in this campaign mention payment upon delivery, so the malicious actors would most likely take the supplied parts and disappear without paying. Other angles we've previously seen include forms for the recipient to fill in, and attachments carrying malware.

Step 4: Consequences – the aftermath

The consequences of this kind of campaign can include financial loss, operational disruption, data breach, and loss of intellectual property. The specific impact depends on the attacker's objectives and on how the targeted users engage with them.

Manufacturing companies, which operate within long process chains, are particularly vulnerable: a disruption or delay in one segment of their operations can cascade through the entire production line and lead to significant financial damage.

Additionally, the theft of intellectual property can erode competitive advantages, leading to long-term revenue losses and potentially jeopardizing the company's market position.

The first page of an attachment used in this campaign. It specifies the requested part, and conditions for the submissions.

Case study: Meta phishing via compromised Salesforce accounts

A core part of supply-chain based threats is the use of compromised infrastructure. Attackers can use legitimate infrastructure to send or host malicious content. Services such as Salesforce let their customers send emails through Salesforce's own mail infrastructure; the message then appears to come from Salesforce, without visibly showing which Salesforce account it originated from. Malicious actors use this to lend legitimacy to phishing emails, as the sender address will always be noreply@salesforce.com, the same address regular Salesforce notifications come from. Because the sending domain is legitimate and authenticates correctly, reputation-based filtering and a glance at the From address offer little protection; the tell-tale signs are in the content and in where the links actually lead.

We’ve identified a Meta impersonation campaign that utilises this technique to deliver Meta-related phishing emails.

Step 1: Reconnaissance – research and targeting

According to our data, the campaign mainly targets employees in marketing-adjacent positions, which makes it more relevant to the recipient. As marketing is usually the department in charge of a company's social media accounts, a person in a marketing-adjacent role is much more likely to interact with an email about social media.

Step 2: Establishing contact – the phishing email

After reconnaissance, the attacker sends a phishing message. A few different pretexts are used: the account has violated community guidelines, the advertising terms of service have been updated and the account no longer complies, or the account has been found to artificially boost likes for marketing purposes. All of them create a scenario in which the recipient must act quickly to avoid the account being restricted.


Step 3: Execution – the human interaction

If the recipient does interact with the email, they are taken to a fake Meta landing page with an appeal form. The form asks for account-related information such as business email, page name, owner of the page, email address, and phone number. After the form is submitted, a prompt appears asking for the account's password, and sometimes an MFA code. The landing page is crafted to resemble its legitimate counterpart as closely as possible, so as not to raise suspicion. The final part of the landing page is a lengthy loading bar, likely intended to keep the recipient waiting while the malicious actor uses the freshly captured credentials and MFA code, which is only valid for a short time.


Step 4: Consequences – the aftermath

The main consequence is losing access to the company Facebook account. The malicious actor can use the established account for various purposes, such as impersonating the company, sending phishing links to followers, running fake ads, and stealing marketing data. They can also demand a ransom for the account.

The reputational losses from this campaign can be significant. If the company is seen as a trusted entity, the followers are highly likely to fall for any malicious content the malicious actor posts.

The recent SEC account compromise highlights this: the US financial regulator's account on X was taken over and used to post a fraudulent announcement that spot Bitcoin ETFs had been approved, which caused the price of Bitcoin to spike (15). The account was taken over through a SIM swap, and multi-factor authentication was not enabled on it at the time. There have also been cases where compromised accounts of well-known brands like Mandiant (16), Netgear (17) and CertiK (18) were used to promote crypto-drainers, which can cause significant financial damage to those affected.

Pictures of the look-a-like website used in the campaign. The form also requests unrelated information to appear less suspicious.

Tactics, Techniques, and Procedures

In the first quarter of 2024:
- PDF is the most common attachment type used in phishing emails
- Gmail is the most popular free sender domain used by malicious actors
- .com is the most popular TLD phishing emails originate from
- English is by far the most common language used in phishing emails globally

The Tactics, Techniques, and Procedures section gives an overview of some of the statistics we've identified from the roughly one million threats our end users reported during Q1 2024.

This includes the following:

  • Most popular file extensions used in phishing emails
  • Most popular free sender domains used by malicious actors
  • Most popular TLDs (Top Level Domains) used in phishing campaigns
  • Most popular languages used in phishing
  • Most common third-party services misused for phishing purposes

File extensions used as malicious attachments

According to our data, .pdf attachments are the most common malicious attachment type: almost 90% of all malicious attachments are PDF files. This is followed by .html files, which make up a bit over 5% of all malicious attachments. Both file types usually contain a clickable image or link that leads to a further payload, so the attachment itself carries no malware for a scanner to find.

.eml files are the third most common file type, and they are often used to deliver malicious messages past spam filters. The outer message contains nothing suspicious; the malicious content sits in a second email attached to it as an .eml file. Filters that inspect only the outer message, or that do not recurse into nested message/rfc822 parts, never see it.

Files with embedded macros are the fourth most common file type. The goal is to social engineer the recipient into enabling the macros, which are small programs or scripts. A macro can perform a variety of actions, such as downloading and executing malware or stealing sensitive information.

The fifth most common file type is compressed files, such as ZIP or RAR archives. The payload is compressed, and often password-protected, inside the archive, so content scanners cannot inspect it until it is extracted. Once extracted, the archive may yield malware such as ransomware, trojans, or spyware.
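To see why a filter has to recurse into attached messages, here is an added Python example (not from the report or from Hoxhunt) that builds a constructed carrier email with a benign body and an attached .eml whose body holds a link and an HTML attachment, then parses the raw bytes back and lists every URL and attachment at each nesting depth. The addresses and URLs are made up for the illustration.

```python
"""Added example: enumerate URLs and attachments in a message, including those
inside attached .eml (message/rfc822) parts. The sample mail is constructed.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def collect(msg: EmailMessage, depth: int = 0, out=None) -> list:
    """Recursively list nested messages, attachments and URLs with their depth."""
    if out is None:
        out = []
    ctype = msg.get_content_type()
    if ctype == "message/rfc822":
        # The payload of a message/rfc822 part is a list holding one EmailMessage.
        for inner in msg.get_payload():
            out.append({"depth": depth, "kind": "nested_message",
                        "name": msg.get_filename(),
                        "from": str(inner.get("From", "")),
                        "subject": str(inner.get("Subject", ""))})
            collect(inner, depth + 1, out)
    elif msg.is_multipart():
        for part in msg.get_payload():
            collect(part, depth, out)
    else:
        if msg.get_filename():
            out.append({"depth": depth, "kind": "attachment",
                        "name": msg.get_filename(), "ctype": ctype})
        if ctype in ("text/plain", "text/html"):
            for url in URL_RE.findall(msg.get_content()):
                out.append({"depth": depth, "kind": "url", "value": url})
    return out


def inspect_message(raw: bytes) -> list:
    """Parse raw RFC 5322 bytes and collect items from every nesting level."""
    return collect(BytesParser(policy=policy.default).parsebytes(raw))


def build_sample() -> bytes:
    """Constructed carrier: harmless outer mail, malicious content only in the .eml."""
    inner = EmailMessage()
    inner["From"] = "accounts@invoice-portal.example"
    inner["To"] = "ap@example.com"
    inner["Subject"] = "Invoice 4471 overdue"
    inner.set_content("Review the invoice here: https://invoice-portal.example/login?acct=4471")
    inner.add_attachment('<html><a href="https://invoice-portal.example/verify">Verify</a></html>',
                         subtype="html", filename="verify.html")
    outer = EmailMessage()
    outer["From"] = "colleague@example.com"
    outer["To"] = "ap@example.com"
    outer["Subject"] = "FW: invoice"
    outer.set_content("Forwarding this for you to check.")
    outer.add_attachment(inner, filename="invoice.eml")  # becomes message/rfc822
    return outer.as_bytes()


if __name__ == "__main__":
    for item in inspect_message(build_sample()):
        print(item)
```

Everything worth scanning sits at depth 1; a scanner that looks only at depth 0 sees a forwarded note with no links at all.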


Most popular free sender domains

Free web-based email services located in the US remain the most common free sender domains used in phishing campaigns. Almost 15% of all phishing campaigns originate from gmail.com, a significant increase from the 6% seen in Q4 2023. Gmail is followed by other large service providers such as Outlook, Hotmail and iCloud. The bottom of the list is formed by smaller domestic email services such as the Russian mail.ru and the German gmx.net.


Most popular Top-Level Domains

Related to the statistic above on free sender domains, .com remains the most common TLD phishing campaigns originate from: almost 60% of all phishing campaigns originated from .com addresses in Q1 2024. It is followed by .jp, which is partly explained by compromised .jp email accounts, which are often used to send phishing emails.


Most popular languages

English remains the most common language used in phishing campaigns. Over 60% of all malicious threats seen in the Hoxhunt network in Q1 2024 were in English. It is followed by German, French and Dutch, each of which accounted for less than 10% of all malicious threats.


Most common third-party services misused

Third-party services are often used by malicious actors to host malicious content or to redirect targets to malicious websites, because links to these services appear legitimate to filters. Services provided by Adobe, Google and Cloudflare are among the most commonly misused for hosting malicious content. Two marketing services, Constant Contact and DoubleClick, are the most common services used to create redirect links to malicious websites. Marketing services are used for redirection because their tracking links mask the real destination and route the traffic through a reputable domain.

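Unwrapping such links before running reputation checks is straightforward whenever the destination is carried inside the link itself, which is how most marketing tracking links work. The Python below is an added example, not Hoxhunt's own tooling: it extracts embedded http(s) URLs from the query string, fragment and path of a link and follows nested redirects, using constructed redirector hostnames rather than the real Constant Contact or DoubleClick link formats. It does not cover redirectors that keep the destination server-side; those need a controlled HTTP fetch.

```python
"""Added example: unwrap marketing-style redirect links to the final destination.

Most tracking/redirect links carry the destination inside the link itself
(query value, bare query, fragment or path segment), often URL-encoded, so the
real target can be recovered offline. The redirector hostnames are constructed
and do not reflect any vendor's real link format.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def embedded_urls(url: str) -> list:
    """Return http(s) URLs embedded in url's query, fragment or path, best first."""
    parts = urlsplit(url)
    candidates = []
    query = unquote(parts.query)
    if URL_RE.match(query):              # "?https://target" with no parameter name
        candidates.append(query)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        candidates.extend([key, value])  # parse_qsl already decodes one layer
    candidates.append(unquote(parts.fragment))
    candidates.extend(unquote(seg) for seg in parts.path.split("/"))
    found = []
    for cand in candidates:
        for text in (cand, unquote(cand)):   # second pass catches double-encoding
            for match in URL_RE.findall(text):
                if match not in found:
                    found.append(match)
    return found


def unwrap(url: str, max_hops: int = 5) -> list:
    """Follow embedded destinations; returns the chain from the link to the target."""
    chain = [url]
    while len(chain) <= max_hops:
        inner = embedded_urls(chain[-1])
        if not inner or inner[0] in chain:   # nothing embedded, or a loop
            break
        chain.append(inner[0])
    return chain


# Constructed examples of the common shapes: named parameter, bare query,
# double-encoded nested redirect, and a plain link with nothing embedded.
SAMPLES = [
    "https://tracker.example/ls/click?upn=https%3A%2F%2Fevil.example%2Flogin&token=abc",
    "https://ads.example/ddm/clk/123;456?https://evil2.example/path?x=1",
    "https://r.example/redirect?u=https%3A%2F%2Fmarketing.example%2Fclick%3Fdest%3Dhttps%253A%252F%252Fevil3.example%252F",
    "https://plain.example/page?id=42",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(" -> ".join(unwrap(sample)))
```

Feed the last element of the chain, not the tracking link, to URL reputation and sandboxing; the tracking domain will almost always come back clean.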

Emerging trend: Security alerts

At the beginning of 2024, we started noticing a trend where phishing emails warn the recipient about unusual activity and phishing, a sort of phish-ception, really.

The emails claim that there has been unusual activity on the recipient's bank account and that the account might have been compromised. To review the activity, the recipient is urged to log in by clicking the malicious link provided in the email.

The threat actors leverage the recipient's trust in their bank, together with a sense of urgency, to trick them into clicking the link.

Phishing emails posing as trusted entities such as banks can have severe consequences. In the US, such impersonation scams caused losses surpassing $1.1 billion in 2023 alone, and the Federal Trade Commission (FTC) reports a continued rise in email-based impersonation for the third year in a row (19).


Emerging tactic: Cloned landing pages

Many of the bank security alert phishes link to a very convincing landing page. A convincing landing page makes it more likely that the victim will believe they are really communicating with their bank.

In this example, the only major differences between the real bank login page and the fake one are the domains, nordea.com for the real one and nordea-customerservice.net for the fake one, and the fact that the fake login page lacks the randomly generated four-digit login ID.

The login identifier is an added safety mechanism: the customer can check that the same code is shown on the login page and on the device they use for identification, which confirms that the login they are approving is the one they themselves initiated.
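Both case studies in this report turn on look-alike domains: Unileverrequesting.com and pfizermanufacturing-nv.com in the Request for Supply campaign, and nordea-customerservice.net here. The following Python is an added example, not code from the report or from Hoxhunt, of a triage rule for such domains: it flags a sender or landing-page domain that contains a brand keyword, places a brand name in a subdomain of an unrelated domain, or is one edit away from the brand, unless it belongs to an allowlist of the brand's real domains. The allowlist in the code is a constructed placeholder and must be populated from authoritative sources before use.

```python
"""Added example: triage rule for look-alike sender and landing-page domains.

Flags a domain that carries a brand keyword, puts a brand name in a subdomain,
or sits one edit away from the brand, unless it is on the brand's allowlist.
The allowlist below is a constructed placeholder, not an authoritative list.
"""


def registrable_domain(host: str) -> str:
    # Two-label shortcut; use the Public Suffix List for suffixes like co.uk.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Constructed allowlist: brand keyword -> registrable domains the brand really uses.
BRANDS = {
    "unilever": {"unilever.com"},
    "pfizer": {"pfizer.com"},
    "nordea": {"nordea.com"},
}


def sender_domain(address: str) -> str:
    """'Procurement <rfs@Example.com>' -> 'example.com'."""
    return address.rsplit("@", 1)[-1].strip(" >").lower()


def classify(host: str, brands=BRANDS) -> dict:
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    second = reg.split(".")[0]
    # Allowlisted domains (and their subdomains) win before any heuristic runs.
    for brand, legit in brands.items():
        if reg in legit:
            return {"host": host, "verdict": "legitimate", "brand": brand,
                    "reason": "allowlisted domain"}
    for brand in brands:
        if brand in reg.replace("-", ""):        # unileverrequesting.com, nordea-customerservice.net
            reason = "brand keyword inside unlisted domain"
        elif brand in host:                      # nordea.com.evil-login.net
            reason = "brand appears only in subdomain of unlisted domain"
        elif len(brand) >= 5 and levenshtein(second, brand) == 1:   # unilver.com
            reason = "one edit away from brand"
        else:
            continue
        return {"host": host, "verdict": "lookalike", "brand": brand, "reason": reason}
    return {"host": host, "verdict": "unrelated", "brand": None, "reason": "no brand match"}


if __name__ == "__main__":
    for sample in ["Procurement <rfs@Unileverrequesting.com>", "pfizermanufacturing-nv.com",
                   "nordea-customerservice.net", "login.nordea.com", "nordea.com.evil-login.net",
                   "unilver.com", "acme-supplies.com"]:
        print(classify(sender_domain(sample)))
```

Treat a "lookalike" verdict as a triage signal rather than a block decision: a brand keyword inside a genuine partner or foundation domain will trip the first rule until that domain is added to the allowlist.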


Thank you

We invite you to share your thoughts and insights on the evolving threat landscape. Your perspective is invaluable in enhancing our collective understanding and preparedness!

For further discussion or to learn more, please contact the Threat Operations team at threat.ops@hoxhunt.com.
