A new report released today by HP Inc. is warning that cybercriminals are using “cat-phishing” techniques to deceive victims by redirecting them to malicious websites through seemingly legitimate links.

The finding came from the quarterly HP Wolf Security Threat Insights Report, which shows that attackers are relying on open redirects, overdue invoice lures and Living-off-the-Land techniques to sneak past defenses. Based on analysis of real-world cyberattacks, the report does a deep dive into explaining the cybersecurity landscape so organizations can keep up with the latest threats.

Cat-phishing was the key takeaway from the report, with attackers found to be using open redirects to cat-phish users. With cat phishing, attackers exploit vulnerabilities in legitimate websites, such as open redirect vulnerabilities, that allow them to manipulate URLs. With the seemingly legitimate URL in place, users can be deceived into clicking on a link that appears to lead to a trusted site but are then redirected to a malicious site without their knowledge.

Another campaign detailed in the report includes one that HP describes as “Living-off-the-BITS” that abused the Windows Background Intelligence Transfer Service. BITS is a legitimate mechanism used by programs and system administrators to download or upload files to web services and share files. The LotL technique helps attackers remain undetected by using BITS to download malicious files.

Fake invoices leading to HTML smuggling attacks are also an issue. HP’s researchers identified threat actors hiding malware inside HTML files posing as delivery invoices. The malicious invoices, once opened in a web browser, open the door for hacking, including deploying AsyncRAT, a form of open-source malware.

“Targeting companies with invoice lures is one of the oldest tricks in the book, but it can still be very effective and hence lucrative,” said Patrick Schläpfer, principal threat researcher at HP Wolf Security. “Employees working in finance departments are used to receiving invoices via email, so they are more likely to open them. If successful, attackers can quickly monetize their access by selling it to cybercriminal brokers or by deploying ransomware.”

Other findings in the report included at least 12% of email threats identified by HP Sure Click Enterprise bypassing one or more email gateway scanners. The top threat vectors in the first quarter were email attachments sitting at 53%, followed by downloads from browsers at 25% and other infection vectors, such as USB thumb drives and file shares, coming in at 22%.

Image: ChatGPT 4o