Innovation in cybercrime in the post-pandemic era
Attackers adapt to new technological realities: from the decay of Office macros to the rise of multi-factor authentication bypass and cloud threats
As COVID-19-related medical and economic measures have eased, attackers have had to reinvent themselves to find new ways to make money, honing their social engineering skills, commodifying once-sophisticated attack techniques, and creatively seeking out unexpected new opportunities. In 2022, the cyber-attack landscape witnessed significant developments in various domains, ranging from targeted and cloud brute-force attacks to conversational smishing to the proliferation of multi-factor authentication (MFA) bypass techniques. “Microsoft 365 makes up a significant percentage of organizations' typical attack surface. Widespread abuse of this platform, from Office macros to OneNote documents, continues to shape the broad outlines of the threat landscape,” said Ryan Kalember, EVP of cybersecurity strategy at Proofpoint.
The decay of Office macros and the rise of new threats
Office macros, after nearly three decades of use as a malware distribution method, have started to decline following updates from Microsoft. This has triggered a series of attempts by cyber attackers to find alternative techniques for compromising targets. Meanwhile, threats such as conversational smishing and so-called "pig butchering" scams - attacks that start with seemingly harmless messages - have seen a dramatic increase, becoming the fastest-growing mobile threat. Telephone Call-In Attacks (TOAD) have peaked at 13 million messages per month, with state-sponsored advanced persistent threat (APT) actors investing time exchanging benign messages with their targets to build rapport over the course of weeks and months.
Phishing kits and cloud threats
MFA bypass frameworks, such as EvilProxy, Evilginx2, and NakedPages, were responsible for over a million phishing messages per month. Organizations have often been targeted by threats abusing the infrastructure of cloud giants like Microsoft and Amazon, which hosts countless legitimate services that organizations rely on. The threat actor behind SocGholish, TA569, used an innovative distribution method involving drive-by downloads and fake browser updates: it compromised websites and tricked visitors into downloading malware. Often, the operators of sites hosting SocGholish are not even aware of the presence of the malware, which facilitates its spread.
The threat landscape in the post-pandemic era
Despite the high volume of messages sent - over 25 million in 2022 - Emotet's activity has been intermittent, with the group showing signs of apathy in adapting to the post-pandemic threat landscape. While financially motivated crime dominates the post-pandemic threat landscape, a single attack from an advanced persistent threat (APT) actor can have a massive impact. One example of this was a large campaign by TA471, a Russia-aligned APT group that engages in both corporate and government espionage. TA416, a Chinese state-aligned APT actor, has been among the most active, launching significant new campaigns to coincide with the start of the Russian-Ukrainian war and targeting European diplomatic entities involved in refugee and migrant services.
06/16/2023 04:06
Marco Verro