Chatbots lower the barrier for entry into cybercrime
The potential risk posed by AI/chatbots in cybercrime has dominated headlines recently. A new report considers how these tools are leveraged to create highly targeted phishing campaigns.
Egress, a cybersecurity company providing intelligent email security, has released its second Phishing Threat Trends Report. The report's findings demonstrate the evolving attack methodologies used by cybercriminals that are designed to get through traditional perimeter security including secure email gateways.
The report delves into key phishing trends, including the most phished topic, explores prevalent obfuscation techniques being used to bypass perimeter defenses, and examines whether chatbots have really revolutionised cyberattacks.
All phishing threat data and examples contained within this report were taken from Egress Defend, an Integrated Cloud Email Security solution that uses intelligent technology to detect and defend against the most sophisticated phishing attacks.
"Without a doubt chatbots or large language models (LLM) lower the barrier for entry to cybercrime, making it possible to create well-written phishing campaigns and generate malware that less capable coders could not produce alone," says Jack Chapman, VP of Threat Intelligence, Egress.
"However, one of the most concerning, but least talked about applications of LLMs is reconnaissance for highly targeted attacks. Within seconds a chatbot can scrape the internet for open-source information about a chosen target that can be leveraged as a pretext for social engineering campaigns, which are growing increasingly common," Chapmn says.
"I'm often asked if LLM really changes the game, but ultimately it comes down to the defense you have in place. If you're relying on traditional perimeter detection that uses signature-based and reputation-based detection, then you urgently need to evaluate integrated cloud email security solutions that don't rely on definition libraries and domain checks to determine whether an email is legitimate or not," he says.
Phishing Threat Trends Report (October 2023): Key trends
As threats evolve, the cybersecurity industry must work together to continue to manage human risk in email. To shed light on evolving attack techniques and to keep cybersecurity professionals informed, the Egress Phishing Threat Trends Report offers an in-depth look into key phishing trends and includes:
Most phished topics of the year:
From RingCentral to alias impersonation attacks and leveraging social media to security software impersonations and sextortion, there has been no shortage of phishing attacks in 2023. The number one phishing topic was missed voice messages, which accounted for 18.4% of phishing attacks between January to September 2023, making them the most phished topic for the year so far. Many of these attacks use HTML smuggling to hide their payload.
Can you detect if chatbots are being used to write phishing emails?
The potential for cybercriminals to use chatbots to create phishing campaigns and malware has been cause for concern, but is it possible to tell whether a phishing email has been written by a chatbot? The report found that no person or tool can definitively tell whether an attack was written by a chatbot. Because they utilise large language models (LLMs), the accuracy of most detector tools increases with longer sample sizes, often requiring a minimum of 250 characters to work. With 44.9% of phishing emails not meeting the 250-character limit and a further 26.5% falling below 500, currently AI detectors either wont work reliably or wont work at all on 71.4% of attacks.
Obfuscation techniques on the rise:
The proportion of phishing emails employing obfuscation techniques has jumped by 24.4% in 2023, sitting at 55.2%. Obfuscation enables cybercriminals to hide their attacks from certain detection mechanisms. Egress Defend found that almost half (47%) of phishing emails that use obfuscation contain two layers to increase the chances of bypassing email security defenses to ensure successful delivery to the target recipient. Less than one-third (31%) use only one technique. HTML smuggling has proven the most popular obfuscation technique, accounting for 34% of instances.
To understand how graymail impacts cybersecurity, Egress researchers analysed 63.8 million emails that organisations received over four weeks. They found that, on average, one-third (34%) of mail flow can be categorised as graymail (bulk but solicited emails such as notifications, updates, and promotional messages). Additionally, Wednesday and Friday are the most popular days of the week to send or receive graymail. The research found a direct correlation between the volume of graymail and the volume of phishing emails received; people with busier inboxes are more likely to be targeted by phishing campaigns.
Phishing currently has the upper hand as traditional perimeter detection is falling short:
More phishing emails are getting through traditional perimeter detection, so while overall volume hasn't increased, this report shows attacks are increasing in sophistication and cybercriminals use a multitude of
tactics to successfully get through perimeter email security. The percentage of emails that got through Microsoft defenses has increased by 25% from 2022 to 2023. Likewise, the percentage of emails that got through secure email gateways (SEGs) increased by 29% from 2022 to 2023.
Additionally, there has been an 11% increase in phishing attacks sent from compromised accounts in 2023. Compromised accounts are trusted domains, so these attacks usually get through traditional perimeter detection. Almost half (47.7%) of the phishing attacks that Microsofts detection missed were sent from compromised accounts. The most common type of payload is phishing links to websites (45%), up from 35% in 2022. And all payloads bypassed signature-based detection to some degree.
"We produced this report to equip cybersecurity professionals with insights into advanced attacks, and what we found is that real-time teachable moments really do improve peoples ability to accurately identify phishing emails," says Chapman.
"Legacy approaches to email security rely heavily on quarantine barring end users from seeing phishing emails, but as our report highlights, phishing emails will inevitably get through," he says.
"This is one of the reasons why we have flipped the quarantine model on its head, adding dynamic banners to neutralise threats within the inbox.
"These banners are designed to clearly explain the risk in a way thats easy to understand, timely, and relevant, acting as teachable moments that educate the user. Ultimately, teaching someone to catch a phish is a more sustainable approach for long-term resilience."