Update, Dec. 12, 2024: This story, originally published Dec. 11, now includes further information from the Abnormal Security report regarding advanced email attack methodologies including predictions for the threat surface in 2025.
Cybercriminals, be they politically motivated hackers or financially motivated gangs, have many options when it comes to the attack surface they look to penetrate: critical software vulnerabilities such as those patched in Microsoft Windows and Google Chrome this week, firmware exploits that require access to the target device itself, session cookie two-factor authentication bypass and, by far the most common, route one through the front door by way of your email inbox. Here’s what you need to know about a new warning from security analysts about five advanced email attacks.

Understanding The Email Attack Surface Is Your Best Defense Against Criminal Threats

Every individual and every business, from sole proprietors to global conglomerates, faces the risk of cyberattack.
As a newly published analysis from threat intelligence experts at Abnormal Security has warned, understanding that email, the most direct route to compromise, is the preferred option for almost all cybercriminals is the key to protecting yourself as best you can. “The potency of these attacks lies in their ability to exploit trust,” the Dec. 11 report warned, “whether impersonating known contacts, abusing compromised accounts, or weaponizing trusted platforms, attackers manipulate trust to breach defenses at every stage of an attack.”

Beware These 5 Advanced Email Attacks

Abnormal Security analysts looked at real-world examples of email-based attacks that have targeted customers across 2024 and determined that the following five threat types warranted listing as the attack strategies that you need to be prepared for as we fast approach 2025.

Cryptocurrency, with what the report said is “a lack of centralized oversight and the speed of irreversible transactions,” facilitates fraud and offers considerable opportunity for exploitation. Less financially experienced individuals are attracted to the esoteric nature of crypto, along with the potential to make big profits, without fully understanding the risk.
Combined, the security analysts warned, these characteristics have made cryptocurrency a popular theme for email phishing attacks and as such should be high on the awareness alert list.

File-sharing phishing attacks are an email threat in which a cybercriminal uses legitimate file-hosting or e-signature solutions to deceive the victim. “Because popular solutions like Dropbox, ShareFile, and Docusign offer either free registration or no-charge trials, and are API-enabled, any individual (including cybercriminals) can create and send emails at scale via the platform,” Abnormal Security warned.
As a result, this kind of email attack, according to Abnormal’s own data, saw a 350% increase between June 2023 and June 2024. Threat actors will create malicious messages where the payload isn’t a link in the email but rather in a “separate document hosted on a genuine file-hosting service.”

Multichannel phishing, meanwhile, can be seen as an evolution of phishing tactics.
How so? Well, this kind of attack leverages multiple communication platforms to manipulate victims more effectively than a single channel can. “Unlike traditional phishing,” the report warned, “which relies exclusively on email, multichannel campaigns initiate contact through email but then steer the conversation to other channels, such as text messages, phone calls, or third-party messaging apps like WhatsApp or Telegram.”

Business email compromise attacks are a common, yet hugely costly, social engineering threat that serves to deceive recipients into divulging sensitive information or completing fraudulent financial requests.
“Threat actors impersonate trusted partners or authority figures,” the Abnormal Security analysts said, “allowing them to capitalize on the implicit trust within the relationship.” The BEC threat, however, has evolved thanks largely to the evolution of another technology: AI. “By analyzing vast volumes of data from social media, online activity, and past interactions,” Abnormal warned, “AI-powered platforms can generate hyper-personalized messages that convincingly mimic the writing style of the impersonated individual.”

And finally, the Abnormal Security report warned about the threat of email account takeover, which it sagely said could be the most dangerous email threat we face. “It can be initiated using various methods,” the researchers warned, “including phishing, social engineering, password stuffing, or session hijacking via authentication token theft or forgery.” These attacks are especially insidious, the report said, because they enable bad actors to weaponize an account’s existing reputation, making malicious activities more difficult to detect.
AI And API Are The Keywords For Email Attacks In 2025 According To Abnormal Security Predictions

The threat analysts at Abnormal Security didn’t stop at looking back at the 2024 threatscape when it comes to advanced email attack methodologies. They also looked forward to 2025 and predicted what they would consider the attack surface to look like in the coming year. The advanced email attack surface will see two areas of particular concern across 2025, the analysts said: a surge in attacks leveraging AI and a rise in the exploitation of legitimate API-enabled services.
A Surge In Email Attacks Leveraging AI Tools

“In 2025,” the Abnormal Security analysis predicted, “financially motivated email attacks are expected to escalate significantly, driven by the adoption of AI technologies that enhance both the scale and sophistication of these campaigns.” This is an area I have covered before, and rightly so, because by leveraging such AI-powered tools, especially when it comes to the phishing crime sector, attackers are already able to create incredibly personalized and highly believable malicious emails, “maximizing their return on investment while simultaneously reducing the likelihood of detection.” An AI-generated email attack isn’t just a case of asking a generative chat tool to create a phishing email using x, y or z as a hook, but rather involves the incorporation of real-time data from a diverse range of sources, including the likes of social media, business websites and previous breaches, for the maximum personalization possible.
Doing so allows the attacker to “deliver highly targeted and contextually relevant messages with a level of precision previously unattainable,” the report said, predicting that “as these techniques grow more advanced, even vigilant recipients may struggle to distinguish between legitimate and malicious communications, posing significant challenges for organizations that continue to rely on legacy email security systems.”

The Rise Of Legitimate API-Enabled Service Exploitation Within Advanced Email Attack Infrastructures

The misuse of application programming interfaces will, the Abnormal Security analysts predicted, “facilitate the automation of a wide range of malicious activities, including the bulk creation of phishing sites and rapid scaling of attack campaigns.” This is because, by so doing, threat actors are able to “co-opt” unwitting cloud services, communication APIs and online collaboration tool platforms into their own criminal infrastructures.
The reasoning is as obvious as it is concerning: attackers can blend seamlessly into legitimate traffic and evade detection. “As the boundary between legitimate and malicious usage becomes increasingly blurred,” the analysts warned, “security teams must adopt more advanced behavioral analysis tools that leverage AI and machine learning to mitigate these evolving threats.”

Mitigating Advanced Email Attacks

And talking of mitigations, although there are many methodologies to protect against email-based attacks, from awareness campaigns to technology product defenses, most have been known about for years, decades in fact.
Yet, here we are, still talking about the threats being posed by the very methods these protections are meant to stop. So, what’s the answer? Good question, and the closest I’ve come to an answer can be found in this fascinating discussion about what needs to change if we are ever to stop the email phishing threat. I suggest you go read it.
New Email Attack Warning—5 Things To Look Out For
A new analysis of advanced email attacks has warned that everyone, from individuals to essential industry sectors, is at risk—here’s what you need to know.