The cybersecurity firm reported in its latest annual report that its researchers found more than 30.4 million phishing emails last year.
Analysis Summary
# Incident Report: Widespread Phishing Exploitation Leveraging Trusted Enterprise Domains in 2024
## Executive Summary
Cybercriminals relied heavily on phishing in 2024: Darktrace detected over 30.4 million phishing emails. The primary tactic was exploiting trusted enterprise domains (such as SharePoint, Zoom Docs and Dropbox) to host malicious links or supply sender addresses, so that 96% of detected phishing attacks used legitimate domains to bypass security controls. This trend marks a significant shift towards identity-based social engineering, often preceding ransomware operations that use legitimate enterprise software for C2 and data exfiltration.
## Incident Details
- Discovery Date: Throughout 2024 (as reported in the Annual Threat Report released February 2025)
- Incident Date: Throughout 2024
- Affected Organization: Various organizations across multiple sectors (Implied, based on Darktrace reporting)
- Sector: Cross-Industry / General Business
- Geography: Not specified
## Timeline of Events
### Initial Access
- Date/Time: Consistent throughout 2024
- Vector: Highly targeted spear-phishing emails.
- Details: Attackers embedded links or sender information within legitimate, trusted enterprise services (SharePoint, Dropbox, Zoom Docs, HelloSign, Adobe) or abused compromised third-party partner/vendor email accounts (e.g., Amazon SES).
### Lateral Movement
- *Not explicitly detailed in the scope of the phishing findings, but mentioned in the context of subsequent ransomware activity:* Attackers leveraged legitimate enterprise tools (AnyDesk, Atera) post-compromise for command-and-control (C2) communications.
### Data Exfiltration/Impact
- *Data Exfiltration:* Attackers utilized legitimate cloud storage services for data exfiltration.
- *Impact:* Facilitated ransomware activity (Black Basta, Akira, Qilin, etc.) often employing double extortion techniques involving file transfer technology.
### Detection & Response
- Detection: Detected by Darktrace researchers analyzing over 30.4 million phishing emails across their client base.
- Response Actions: Not individually detailed, but the report implies the need for advanced detection mechanisms beyond traditional security tools to counter domain spoofing.
## Attack Methodology
- Initial Access: Phishing campaigns using redirects via legitimate services (e.g., Google) to deliver malicious payloads hosted on trusted cloud storage (e.g., Dropbox-hosted PDFs with malicious URLs).
- Persistence: *Not explicitly detailed for the phishing phase.* Ransomware groups were noted using legitimate tools such as AnyDesk and Atera for C2.
- Privilege Escalation: *Not detailed.*
- Defense Evasion: Exploitation of *existing, legitimate enterprise domains* accounted for 96% of attacks, bypassing perimeter security mechanisms that check for newly registered or malicious domains.
- Credential Access: *Implied* via phishing lures, but specific tools were not detailed for this phase of the general phishing trend.
- Discovery: *Not detailed.*
- Lateral Movement: Use of legitimate enterprise software and file-transfer technology by ransomware affiliates.
- Collection: Data collection targeted for exfiltration to cloud storage solutions.
- Exfiltration: Leveraging cloud storage services.
- Impact: Facilitation of widespread ransomware deployment and potential Business Email Compromise (BEC).
## Impact Assessment
- Financial: *Not specified.* Increased risk due to high reliance on Ransomware-as-a-Service (RaaS) and Malware-as-a-Service (MaaS) adoption (MaaS tools up 17% H1 to H2 2024).
- Data Breach: High probability of data exposure, given the prevalence of data exfiltration to cloud storage services in the associated ransomware activity.
- Operational: Significant operational risk due to increased successful ransomware execution utilizing sophisticated evasion techniques.
- Reputational: High risk, especially when trusted vendors or internal systems (SharePoint) are used to deliver payloads.
## Indicators of Compromise
- Network indicators: Exploitation/redirection through trusted legitimate domains (SharePoint, Dropbox, Zoom, Google).
- File indicators: Malicious content embedded within common document formats (e.g., PDFs hosted on Dropbox).
- Behavioral indicators: Increased use of Remote Access Trojans (RATs) (up 34%), and increased use of legitimate remote administration tools for malicious C2.
## Response Actions
- Containment: (Not detailed for this broader trend report).
- Eradication: (Not detailed for this broader trend report).
- Recovery: (Not detailed for this broader trend report).
## Lessons Learned
- **Trusted Identity is the New Frontier:** Attackers have successfully shifted focus from creating new malicious domains to weaponizing the trust inherent in legitimate enterprise platforms.
- **Evasion through Legitimacy:** Traditional domain reputation checks are insufficient when 96% of attacks masquerade as legitimate services.
- **Identity Risk:** Identity remains a primary and expensive vulnerability point for organizations.
## Recommendations
- Implement advanced email security solutions capable of inspecting embedded links and content *within* trusted cloud file shares (e.g., sandboxing documents hosted on SharePoint or Dropbox before execution).
- Enhance security monitoring for anomalies occurring *within* legitimate enterprise software suites (e.g., unusual activity originating from SharePoint links or unauthorized command execution via utilities like AnyDesk).
- Increase security awareness training to specifically address lures originating from supposedly trusted internal or partner domains.
- Prioritize monitoring for the proliferation of RATs and remote access tools utilized for C2.
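As an added defender-side illustration (not code from the report or from Darktrace), the following Python triage routine contrasts a naive domain-reputation allowlist with a check that unwraps a `google.com/url?q=` redirect (assumed redirector form) and routes links on trusted file-share services to inspection instead of allowing them outright; the allowlist, the sample email and its links are all constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed allowlist standing in for a naive domain-reputation filter: the
# enterprise services the report names as abused hosting/redirect points.
TRUSTED_DOMAINS = {"sharepoint.com", "dropbox.com", "zoom.us", "google.com",
                   "hellosign.com", "adobe.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable(host):
    """Reduce 'tenant.sharepoint.com' to 'sharepoint.com' (naive last-two-label rule)."""
    return ".".join(host.lower().split(".")[-2:])

def unwrap_redirect(url):
    """Statically unwrap the google.com/url?q=<target> redirector form (assumed); no network."""
    p = urlparse(url)
    if registrable(p.hostname or "") == "google.com" and p.path == "/url":
        target = parse_qs(p.query).get("q", [""])[0]
        if target:
            return target, True
    return url, False

def naive_reputation_filter(url):
    """Weak check: any link on a reputable domain is allowed outright."""
    host = registrable(urlparse(url).hostname or "")
    return "allow" if host in TRUSTED_DOMAINS else "block"

def hardened_triage(url):
    """Trusted domains earn no exemption: unwrap redirects, then send the link to inspection."""
    final, redirected = unwrap_redirect(url)
    host = registrable(urlparse(final).hostname or "")
    if redirected:
        return "inspect", f"legitimate redirector lands on {host}"
    if host in TRUSTED_DOMAINS:
        return "inspect", f"content hosted on trusted service {host}"
    return "block", f"unrecognised domain {host}"

def triage_email(body):
    """Return (url, naive verdict, hardened (verdict, reason)) for every link in an email body."""
    return [(u, naive_reputation_filter(u), hardened_triage(u)) for u in URL_RE.findall(body)]

# Constructed sample email body; the three links are illustrative, not real campaign IoCs.
SAMPLE_EMAIL = """Please review the attached invoice:
https://www.dropbox.com/s/EXAMPLE/invoice.pdf
Or open it here: https://www.google.com/url?q=https://contoso.sharepoint.com/sites/EXAMPLE/doc.pdf
Unsubscribe: https://unknown-example.invalid/opt-out
"""

if __name__ == "__main__":
    for url, naive, (verdict, why) in triage_email(SAMPLE_EMAIL):
        print(f"{naive:5} | {verdict}: {why} | {url}")
```

The naive filter waves both trusted-domain links through, which is exactly the 96% blind spot the report describes; the hardened path never allows a link on the strength of its domain alone.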