Microsoft Office macros, PowerShell and more are still proving to be popular with cyber criminals distributing attacks via phishing emails, warn researchers after analyzing billions of attacks.
Creating malicious Office macros is still the most common attack technique deployed by cyber criminals looking to compromise PCs after they've tricked victims into opening phishing emails.
Phishing emails are the first stage in the attack for the majority of cyber intrusions, with cyber criminals using psychological tricks to convince potential victims to open and interact with malicious messages.
These can include creating emails that claim to come from well-known brands, fake invoices, or even messages that claim to come from your boss.
There are number of methods that cyber criminals can exploit in order to use phishing emails to gain the access they require and, according to researchers at cybersecurity company Proofpoint, Office macros are the most common means of achieving this.
Macros are a function of Microsoft Office that allow users to enable automated commands to help run tasks. However, the feature is also abused by cyber criminals. As macros are often enabled by default to run commands, these can be used to execute malicious code – and thus provide cyber criminals with a sneaky way to gain control of a PC.
Many of these campaigns will use social engineering to encourage the victim to enable macros by claiming the functionality is needed in order to view a Microsoft Word or Microsoft Excel attachment. It's proving a successful method of attack for cyber criminals, with Office macros accounting for almost one in 10 attacks by volume.
But Office macros are far from the only attack technique that cyber criminals are commonly adopting in order to make hacking campaigns as successful as possible.
Sandbox evasion is the second most common attack technique used by criminals distributing phishing emails.
This is when the developers of malware build-in threat detection that stops the malware from running – effectively hiding it – if there's a suspicion that the malware is running on a virtual machine or sinkhole set up by security researchers. The aim is to stop analysts from being able to examine the attack – and, therefore, being able to protect other systems against it.
PowerShell is also still regularly abused by attackers as a means of gaining access to networks after getting an initial foothold following a phishing email. Unlike attacks involving macros, these often rely on sending the victim to click a link with code to execute PowerShell. The attacks are often difficult to detect because they're using a legitimate Windows function, which is why PowerShell remains popular with attackers.
Other common attack techniques used to make phishing emails more successful include redirecting users to websites laced with malicious HTML code that will drop malware onto the victim's PC when they visit, while attackers are also known to simply hijack email threads, exploiting how victims will trust a known contact and abusing that trust for malicious purposes, such as sending malware or requesting login credentials.
The data on the most common attack techniques has been drawn from campaigns targeting Proofpoint customers and the analysis of billions of emails.
"Train users to spot and report malicious email. Regular training and simulated attacks can stop many attacks and help identify people who are especially vulnerable.