Cybercriminals, be they politically motivated hackers or financially motivated gangs, have many options when it comes to the attack surface they look to penetrate: crtiical software vulnerabilities such as those patched in Microsoft Windows and Google Chrome this week, firmware exploits that require access to the target device itself, session cookie two-factor authentication bypass and, by far the most common, route one through the front door by way of your email inbox. Here's what you need to know about a new warning from security analysts about five advanced email attacks.
Every individual and every business, from sole proprietors to global conglomerates, faces the risk of cyberattack. As a newly published analysis from threat intelligence experts at Abnormal Security has warned, understanding that the most direct route to compromise is the preferred option for most all cybercriminals is email is the key to protecting yourself as best you can.
"The potency of these attacks lies in their ability to exploit trust," the Dec. 11 report warned, "whether impersonating known contacts, abusing compromised accounts, or weaponizing trusted platforms, attackers manipulate trust to breach defenses at every stage of an attack."
Abnormal Security analysts looked at real-world examples of email-based attacks that have targeted customers across 2024 and determined that the following five threat types warranted listing as the attack strategies that you need to be prepared for as we fast approach 2025.
Cryptocurrency, with what the report said is "a lack of centralized oversight and the speed of irreversible transactions," facilitates fraud and offers considerable opportunity for exploitation. Less financially experienced individuals are attracted to the esoteric nature of crypto, along with the potential to make big profits, without fully understanding the risk. Combined, the security analysts warned, these characteristics have made cryptocurrency a popular theme for email phishing attacks and as such should be high on the awareness alert list.
File-sharing phishing attacks, are an email threat in which a cybercriminal legitimate file-hosting or e-signature solutions to deceive the victim. "Because popular solutions like Dropbox, ShareFile, and Docusign offer either free registration or no-charge trials, and are API-enabled, any individual (including cybercriminals) can create and send emails at scale via the platform," Abnormal Security warned. As a result, these kind of email attacks, according to Abnormal's own data, saw a 350% increase between June 2023 and June 2024. Threat actors will create malicious messages where the payload isn't a link in the email but rather in a "separate document hosted on a genuine file-hosting service."
Multichannel phishing, meanwhile, can be seen as an evolution of phishing tactics. How so? Well, this kind of attack leverages multiple communication platforms with the end result of manipulating victims more effectively than a single channel can do. "Unlike traditional phishing," the report warned, "which relies exclusively on email, multichannel campaigns initiate contact through email but then steer the conversation to other channels, such as text messages, phone calls, or third-party messaging apps like WhatsApp or Telegram."
Business email compromise attacks are a common, yet hugely costly, social engineering threat that serve to deceive recipients into divulging sensitive information or completing fraudulent financial requests. "Threat actors impersonate trusted partners or authority figures," the Abnormal Security analysts said, "allowing them to capitalize on the implicit trust within the relationship." The BEC threat, however, has evolved thanks largely to the evolution of another technology: AI. "By analyzing vast volumes of data from social media, online activity, and past interactions," Abnormal warned, "AI-powered platforms can generate hyper-personalized messages that convincingly mimic the writing style of the impersonated individual."
And finally, the Abnormal Security report warned about the threat of email account takeover which is sagely said could be the most dangerous email threat we face. "It can be initiated using various methods," the researchers warned, "including phishing, social engineering, password stuffing, or session hijacking via authentication token theft or forgery. These attacks are especially insidious, the report said, because they enable bad actors to weaponize an account's existing reputation, making malicious activities more difficult to detect.
Although there are many methodologies to protect against email-based attacks, from awareness campaigns to technology product defenses, these have all been known about for years, decades in fact. Yet, here we are, still talking about the threats being posed by the very methods these protections are meant to stop. So, what's the answer? Good questions, and the closest I've come to one, can be found in this fascinating discussion about what needs to change if we are ever to stop the email phishing threat. I suggest you go read it. Now.