
Adapting Strategies: Staying Ahead of LotL Attacks


LotL Phishing Attacks: Exploiting Trust and Evading Detection

LotL (living-off-the-land) phishing attacks have gained popularity among attackers due to their ability to hide malicious activities by utilizing native applications and processes. These attacks often exploit the trust placed in legitimate third-party services and use their tools to mask and conduct malicious activities. LotL phishing attacks, such as those leveraging QuickBooks and Adobe, have become increasingly clever, making it challenging for end users to detect and block them.

How LotL Phishing Attacks Work

The initial goal of an LotL phishing attack is to trick users into providing their email address and password on a credential harvesting page. Once the threat actors gain access, they conduct reconnaissance within the organization, searching for opportunities to commit further attacks. For example, they might look through the victim’s inbox to identify potential targets for a business email compromise attack. If the target is in finance, they might initiate unauthorized wire transfers or reroute invoicing traffic. If the target is not high value, the threat actors may pivot and attack the victim’s contacts.

A common tactic used in LotL phishing attacks is conversation hijacking, where the attackers reply to legitimate conversations in the victim’s inbox. By impersonating the trusted contact, the attackers can distribute malware or conduct further attacks. These attacks have become increasingly sophisticated, with threat actors utilizing compromised accounts, like the nhs[.]net Microsoft account, to send authentically themed emails. In one specific case, an email disguised as a “Microsoft secure fax pdf” appeared to be sent from the “ShareFile Team 2023,” including the Microsoft logo and URL. This level of cohesion between the phishing email and legitimate services makes it extremely challenging to identify and block such attacks.

Upping the Game: Brand Impersonation

In recent LotL phishing attacks, threat actors have upped their game by engaging in full brand impersonation. By utilizing the reputation and trust associated with legitimate business services, attackers make it even harder for users to identify and block their malicious activities. For example, an email appearing to be from Microsoft, complete with their logo and domain, can easily fool individuals and evade traditional security measures.

The challenge for security and threat teams lies in distinguishing between legitimate and malicious traffic on high-use domains. Blocking these legitimate domains is not a practical solution, but limiting access to sensitive information only to those who need it can help minimize the attack surface. However, this approach does not prevent threat actors from installing malware or gaining network access. End-user training plays a crucial role, but even with user awareness, it is challenging to analyze each email comprehensively, especially with cohesive attacks like LotL phishing.

A Layered Defense: Protecting Against LotL Phishing Attacks

Since users cannot fully trust what they see, it is essential to train them to consider the context of an email and question its legitimacy. Encouraging individuals to reach out to the supposed sender via phone if there is any hesitancy can be effective in thwarting LotL phishing attacks.

However, it is unrealistic to expect every individual to thoroughly analyze each email received. Therefore, a layered security approach is necessary to achieve cyber resilience. This approach involves supplementing employee education with security solutions that are continually updated with threat intelligence. Implementing email filters that can detect, block, and filter out malicious emails and attachments can significantly reduce the risk of LotL phishing attacks. By recognizing and quarantining suspicious messages, email filters act as an effective line of defense. In addition, security solutions integrated with artificial intelligence and machine learning can differentiate phishing emails from genuine ones and prevent malicious content from reaching users’ inboxes.
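The filter layer described above can encode the concrete signals from the earlier examples: a trusted brand name in the display name while the sending domain belongs to no known domain of that brand, a Reply-To that points somewhere other than the From domain, and link text that names one domain while the href leads to another. The following is an added example written for this page, not code from the article or any vendor's product; the brand/domain table, the hostname handling and the two sample messages are constructed for illustration, and the `.test` domains are placeholders.

```python
"""Header and link heuristics for LotL-style brand impersonation (added example).

The brand table, the sample messages and the verdict thresholds are constructed
for illustration; a real deployment would feed this from verified data and
combine it with the other layers the article describes.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list: domains a brand name is expected to send from.
# Hypothetical values, not an authoritative list.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "sharefile": {"sharefile.com"},
    "quickbooks": {"intuit.com"},
    "adobe": {"adobe.com"},
}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable(host: str) -> str:
    """Last two labels of a hostname. Adequate for the constructed samples;
    production code would consult a public-suffix list (e.g. co.uk)."""
    parts = host.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of_address(header_value: str) -> str:
    """Registrable domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def display_name_of(header_value: str) -> str:
    name, _ = parseaddr(header_value or "")
    return name


def impersonated_brand(display_name: str, sender_domain: str):
    """Return the brand named in the display name if the sender domain is not
    one that brand is known to use, else None."""
    lowered = display_name.lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in lowered and sender_domain not in domains:
            return brand
    return None


def mismatched_links(html: str):
    """(text_domain, href_domain) pairs where the visible link text names a
    different domain than the href actually points to."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        href_dom = registrable(urlparse(href).hostname or "")
        match = DOMAIN_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
        if match:
            text_dom = registrable(match.group(1))
            if text_dom != href_dom:
                findings.append((text_dom, href_dom))
    return findings


def analyse(raw_message: str) -> dict:
    """Score a single-part RFC 822 message and return a verdict with reasons."""
    msg = message_from_string(raw_message)
    from_hdr = msg.get("From", "")
    sender_domain = domain_of_address(from_hdr)
    findings = []

    brand = impersonated_brand(display_name_of(from_hdr), sender_domain)
    if brand:
        findings.append(f"display name claims '{brand}' but sender domain is {sender_domain}")

    reply_domain = domain_of_address(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {sender_domain}")

    for text_dom, href_dom in mismatched_links(msg.get_payload()):
        findings.append(f"link text names {text_dom} but href goes to {href_dom}")

    # Constructed thresholds: two independent signals are enough to quarantine.
    verdict = "quarantine" if len(findings) >= 2 else ("flag" if findings else "deliver")
    return {"verdict": verdict, "findings": findings}


# Constructed sample modelled on the "secure fax" lure described in the article.
PHISH = """From: "ShareFile Team 2023" <notify@example-cloudmail.test>
Reply-To: "ShareFile Team 2023" <reply@another-domain.test>
To: victim@corp.example
Subject: Microsoft secure fax pdf
Content-Type: text/html

<p>You have a new secure fax.</p>
<a href="https://login-portal.test/view">https://www.microsoft.com/securefax</a>
"""

# Constructed benign internal message for comparison.
LEGIT = """From: "Accounts Payable" <ap@corp.example>
To: victim@corp.example
Subject: Re: Invoice 4471
Content-Type: text/html

<p>Attached is the revised invoice.</p>
<a href="https://portal.corp.example/invoices/4471">View invoice</a>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyse(sample))
```

The caveat the article itself implies: a conversation-hijacking reply sent from a genuinely compromised account (the nhs.net case above) carries a matching From domain, a valid thread and no brand mismatch, so header heuristics like these pass it. That is why filtering is paired here with user training, endpoint and DNS layers rather than relied on alone.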

A multilayered approach to protection should also include endpoint protection and DNS protection. These additional layers enhance security posture and decrease the likelihood of a successful attack. In the worst-case scenario, if all other layers fail, backup and recovery solutions become critical for swiftly restoring businesses with minimal disruption.

Conclusion

LotL phishing attacks represent a growing threat, as threat actors continue to evolve their strategies and refine their evasion techniques. In order to safeguard against these attacks, organizations must employ a comprehensive and dynamic defense. By combining user education, contextual analysis, email filters, advanced security solutions, and backup mechanisms, businesses can enhance their resilience against LotL phishing attacks. Proactive measures and a well-rounded security posture are imperative in maintaining trust in online interactions and protecting sensitive information.
