Cofense Quarterly Trends Report Reveals Evolving Threats in Email Security

Report Highlights Increased Use of Remote Access Trojans and Advanced Credential Phishing Tactics to Evade Traditional Email Security Filters

LEESBURG, Va.--()--Cofense, the pioneer and leading provider of email security awareness training (SAT) and advanced phishing detection and response (PDR) solutions, today announced the release of its Q3 2024 Phishing Intelligence Trends Review curated from the Cofense Phishing Defense Center. The report shows that Cofense detected one malicious email bypassing customers’ secure email gateways (SEGs) every 45 seconds – up from every 57 seconds as reported in the 2023 annual report.

The report also highlights the rapid rise in Remote Access Trojans (RATs) and the evolution of credential phishing techniques that exploit trusted platforms. Remcos RAT emerged as the predominant malware, leveraging methods to bypass SEGs with ease. Additionally, open redirects using popular sites like TikTok and embedded QR codes in Office documents have contributed to an impressive surge in document-based phishing attacks.

“We continue to see threats bypassing perimeter email security defenses at an alarming rate, which is a clear indication that threat actors continue to innovate phishing campaigns faster than technology can stop them,” said Josh Bartolomie, Vice President of Global Threat Services of Cofense. “It’s time organizations rethink their approach to email security. Focus on solutions that combine technology and human insights, leveraging real-time threat intelligence to effectively combat emerging risks.”

Key Findings in the Q3 2024 Trends Report:

  • Spike in RAT Use: RATs, especially the Remcos RAT, have seen a 59% increase in email share, emerging as an adaptable tool with capabilities like keylogging and credential theft. With RAT volumes increasing sevenfold since Q2, attackers are favoring these tools to bypass SEGs effectively.
  • Open Redirect Usage Increased by 627%: Techniques leveraging open redirects, like TikTok and Google AMP, surged in Q3. And TikTok[.]com became a top domain used for credential phishing—climbing from outside the top 100 to the 5th most common top-level domain (TLD).
  • Malicious Office Document Usage Rises by Nearly 600%: Malicious Office documents—most notably .docx files embedded with phishing links or QR codes—saw usage rise significantly. These attachments help attackers sidestep detection, increasing the likelihood of reaching user inboxes.
  • Changes in Data Exfiltration Tactics: Domains using the .ru and .su TLDs saw usage increase by more than 4x and 12x, respectively. This trend points to a notable shift in how data exfiltration is approached within credential phishing efforts, reflecting an adaptive use of lesser-monitored TLDs.

Emerging Threats to Watch for Q4 2024 and Beyond

In Q4 2024, there is an anticipated rise in the use of GitHub as a means for bypassing SEGs, leveraging its credibility to avoid detection. Phishing campaigns with holiday themes are likely to increase, tapping into seasonal consumer habits. As interest rates decrease, phishing efforts aimed at US brokerage firms such as Fidelity, Vanguard, and Charles Schwab may see growth, targeting financial concerns.

Phishing with a focus on shipping themes could also rise if disruptions from port strikes and logistics delays remain prominent. At the same time, campaigns centered around multi-factor authentication (MFA) may decrease as attackers shift to more relevant, high-impact opportunities in Q4. Organizations need to adapt proactive defenses in order to thwart these shifting threats.

Download the full Q3 2024 Phishing Intelligence Trends Review here and join our upcoming webinar on November 20th for an in-depth analysis of the data. Secure your spot and gain valuable insights here.

About Cofense

Cofense® is the original and leading provider of security awareness training and phishing simulation, offering one-of-a-kind global enterprise-level advanced email threat detection and remediation solutions. Cofense PhishMe® and Cofense Phishing Detection and Response Platform (PDR) offer the world’s only solution leveraging over 35 million Cofense-trained employees who actively report suspected phishing and other dangerous email threats in real-time. Exclusive only to Cofense, this reporting system ingests and catalogs thousands of potential threats per day that are missed by current email gateway technologies and then eradicates those threats from customer inboxes. In short, Cofense sees and stops threats other email security systems miss.

Contacts

Cheyenne Wells
cofense@10fold.com

Contacts

Cheyenne Wells
cofense@10fold.com