UPDATED 15:51 EDT / OCTOBER 02 2023

SECURITY

Report: Over half of phishing emails now use obfuscation tactics to avoid detection

Hackers are using increasingly sophisticated tactics to get their phishing emails past companies’ cybersecurity defenses, according to new research from Egress Software Technologies Ltd.

The company carried out the research for its annual Phishing Threat Trends Report, which was published today. London-based Egress provides an email security platform of the same name. According to the company, its new report draws on data about phishing campaigns that it collected between January and September of this year.

One key finding of the report is that phishing campaigns appear to have become more sophisticated over the past year. According to Egress, the percentage of phishing emails that use obfuscation techniques to avoid detection jumped by 24.4% in 2023. More than half of malicious emails, or 55.2%, now use such tactics.

Egress found that the most widely used obfuscation technique is HTML smuggling. According to the company, 34% of the obfuscated phishing emails it analyzed during its research used the technique.

HTML smuggling is a practice whereby hackers distribute malware in a dormant form to make it more difficult to detect. Rather than sending a malicious program, hackers send the program’s raw source code as part of a seemingly legitimate HTML page. The code only turns into malware after clearing the corporate network and arriving on the recipient’s computer, which makes it more difficult to spot for network-based cybersecurity tools.
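As an added illustration that is not taken from the Egress report, the following Python sketch shows how a mail-filtering step could flag HTML bodies and attachments whose script decodes a large embedded string and hands it to the browser as a download. The indicator patterns, the threshold of three hits and the sample message are assumptions constructed for this example, and the embedded payload is harmless text.

```python
import base64
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Heuristic indicators (assumed for this example, not from the report): script
# that decodes a long embedded string and offers it to the user as a file.
INDICATORS = {
    "long_base64_literal": re.compile(r"[\"'][A-Za-z0-9+/=]{200,}[\"']"),
    "decode_call": re.compile(r"\batob\s*\(|fromCharCode", re.I),
    "blob_construct": re.compile(r"new\s+Blob\s*\(|createObjectURL|msSaveBlob", re.I),
    "forced_download": re.compile(r"\.download\s*=|<a[^>]+\bdownload\b", re.I),
}

def score_html(html):
    """Return the sorted names of the indicators found in one HTML document."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(html))

def scan_message(raw, threshold=3):
    """Return (name, hits, flagged) for every HTML body or attachment."""
    msg = message_from_string(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        name = part.get_filename() or "(inline body)"
        is_html = (part.get_content_type() == "text/html"
                   or name.lower().endswith((".html", ".htm")))
        if part.is_multipart() or not is_html:
            continue
        payload = part.get_payload(decode=True) or b""
        hits = score_html(payload.decode("utf-8", "replace"))
        results.append((name, hits, len(hits) >= threshold))
    return results

def build_sample():
    """Constructed message: a benign HTML body plus a suspicious attachment."""
    blob = base64.b64encode(b"constructed benign sample " * 20).decode()
    html = ('<html><body><script>var p="%s";var b=new Blob([atob(p)]);'
            'link.download="doc.zip";</script></body></html>' % blob)
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_alternative("<p>Quarterly newsletter</p>", subtype="html")
    msg.add_attachment(html.encode(), maintype="text", subtype="html",
                       filename="invoice.html")
    return msg.as_string()

if __name__ == "__main__":
    for name, hits, flagged in scan_message(build_sample()):
        print(name, hits, "FLAGGED" if flagged else "ok")
```

A single indicator, such as a plain download link, is common in legitimate mail, which is why the sketch flags only when several appear together in the same document.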

Egress found that hackers typically chain together multiple obfuscation methods to make their phishing campaigns more effective. Most phishing emails that actively attempt to avoid detection use at least two obfuscation tactics, the company’s researchers determined. Only 31% of such emails use a single tactic. 

The increasingly sophisticated methods hackers are adopting to avoid detection may be making phishing campaigns more effective. In 2023, the percentage of phishing campaigns that bypassed Microsoft Corp. cybersecurity defenses jumped 25% year-over-year. In the same time frame, hackers became 29% more effective at fooling secure email gateway products, which are used by enterprises to block malicious messages targeting their employees.

Egress analyzed not only the tactics that hackers use to deliver phishing emails but also those emails’ contents. The company found that malware-laden links represent the most common malicious payload in phishing emails. Of the messages Egress analyzed, 45% contained a link to a malicious website. 

In its report, the company cautioned that artificial intelligence tools are making it easier for hackers to launch phishing campaigns. Large language models capable of automated text generation represent a particular challenge. Tools designed to detect AI-generated phishing emails work unreliably or don’t work at all in 71.4% of cases, Egress found.

“Without a doubt chatbots or large language models lower the barrier for entry to cybercrime, making it possible to create well-written phishing campaigns and generate malware that less capable coders could not produce alone,” said Jack Chapman, vice president of threat intelligence at Egress.

The company also evaluated so-called graymail, or solicited bulk emails such as promotions. The company determined that such messages account for 34% of all email traffic. According to Egress, there is a “direct correlation” between the volume of graymail that a user receives and the number of incoming phishing emails.
