UPDATED 08:00 EDT / JANUARY 24 2024

Menlo Security reports significant increase in browser-based phishing attacks in 2023

Cloud security startup Menlo Security Inc. today released a new report revealing a large increase in browser-based phishing attacks last year amid growth in highly evasive adaptive threats.

The 2023 State of Browser Security Report found a 198% increase in browser-based phishing attacks in the second half of the year and a 206% increase over the full year. Evasive attacks, those that use techniques meant to evade traditional security controls, were found to make up 30% of all browser-based phishing attacks. Evasive threats include tactics such as SMS phishing, or smishing, adversary-in-the-middle frameworks, image-based phishing, brand impersonation and multifactor authentication bypass.

The report emphasizes how prevalent and risky the attacks have become: In a 30-day period, the Menlo Labs Threat Research team observed more than 11,000 so-called zero-hour phishing attacks that exhibited no signature or digital breadcrumb, meaning no existing secure web gateway or endpoint tool could detect and block those attacks. The team also discovered that 75% of phishing links are hosted on known, categorized, or trusted websites – not websites that can be easily identified as malicious or fly-by-night.

Other findings in the report included the detection of 550,000 browser-based phishing attacks in the last 12 months. Legacy reputation URL evasion, or LURE, attacks, in which threat actors evade web filters that attempt to categorize domains based on implied trust, jumped by 70% from 2022. More than 73% of LURE attacks originated from categorized websites, based on 1 million URLs analyzed by the Menlo Security researchers.

The report also found a latency of six days between a zero-hour phishing attack first appearing and its addition to the detection mechanisms of traditional security tools.

Neko Papez, senior manager of cybersecurity strategy at Menlo Security, told SiliconANGLE that as the browser has become the most widely used enterprise application, users remain a key point of exposure for enterprises. As a result, he said, attackers use evasive techniques meant to evade traditional security tools to deliver browser-based threats to steal credentials and gain access to corporate systems.

“While existing network and endpoint solutions offer partial protection, these tools ultimately rely on block lists and indicators-of-compromise feeds, containing previously convicted phishing URLs, to protect against unknown or never before seen phishing attacks,” Papez added. “However, traditional solutions fall short because they lack visibility into browsers and dynamic web content and don’t provide the complete picture.”
