Darktrace report: 56% of phishing emails bypass security checks
New data from Darktrace, a cybersecurity AI company, has revealed that a significant proportion of phishing emails are bypassing the email security checks organisations have in place. The "First 6: Half-Year Threat Report 2024" indicates that 56% of phishing emails evaded all existing security layers, while 62% passed Domain-based Message Authentication, Reporting, and Conformance (DMARC) verification checks. The DMARC figure is worth reading carefully: DMARC only verifies that the domain in the From header is aligned with a passing SPF or DKIM identifier, so mail sent from a compromised legitimate mailbox, or from a lookalike domain the attacker registered and configured correctly, passes DMARC even though it is phishing.
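To make the DMARC point concrete, the following is an added example (not code from Darktrace or the report) of a minimal DMARC evaluator. It parses a constructed Authentication-Results header and a constructed `_dmarc` TXT record, checks SPF/DKIM alignment as DMARC defines it, and shows two constructed cases: a From-header spoof of `example-corp.com` sent from attacker infrastructure, which fails and is subject to `p=reject`, and the same lure from the lookalike `exarnple-corp.com` that the attacker fully controls, which passes. All domains, DNS records and header values are constructed for the example, and the organizational-domain logic is simplified (a real receiver uses the Public Suffix List).

```python
"""Added example: minimal DMARC evaluation over constructed inputs.

DMARC passes when the RFC5322.From domain is aligned with a passing SPF
or DKIM identifier. It says nothing about whether that domain is trustworthy,
so a correctly configured lookalike domain passes. Nothing here is real data.
"""
import re
from dataclasses import dataclass

# Constructed DNS answers, keyed by the _dmarc.<domain> name a receiver would query.
DNS_TXT = {
    "_dmarc.example-corp.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-corp.com",
    "_dmarc.exarnple-corp.com": "v=DMARC1; p=none",   # lookalike ("rn" for "m"), attacker-registered
}


@dataclass
class AuthResults:
    spf: str          # SPF result from the receiving MTA
    spf_domain: str   # RFC5321.MailFrom domain SPF was evaluated against
    dkim: str         # DKIM result
    dkim_domain: str  # d= tag of the verified DKIM signature


# Matches "spf=pass smtp.mailfrom=..." and "dkim=pass header.d=..." clauses.
_AR_CLAUSE = re.compile(
    r"\b(spf|dkim)=(\w+)(?:[^;]*?\b(?:smtp\.mailfrom|header\.d)=([^\s;]+))?", re.I)


def parse_authentication_results(header: str) -> AuthResults:
    """Parse the spf=/dkim= clauses of an Authentication-Results header (RFC 8601 shape)."""
    found = {"spf": ("none", ""), "dkim": ("none", "")}
    for m in _AR_CLAUSE.finditer(header):
        ident = (m.group(3) or "").lower()
        ident = ident.rsplit("@", 1)[-1]   # smtp.mailfrom may carry a full address
        found[m.group(1).lower()] = (m.group(2).lower(), ident)
    return AuthResults(*found["spf"], *found["dkim"])


def organizational_domain(domain: str) -> str:
    """Simplified to the last two labels; production code must use the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = strict (exact), 'r' = relaxed (same org domain)."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def evaluate_dmarc(from_domain: str, ar_header: str, dns=DNS_TXT):
    """Return (result, disposition); result is 'pass', 'fail' or 'none' (no policy published)."""
    record = dns.get("_dmarc." + from_domain.lower())
    if record is None:   # fall back to the organizational domain's record
        record = dns.get("_dmarc." + organizational_domain(from_domain))
    if record is None:
        return "none", "none"
    tags = parse_dmarc_record(record)
    ar = parse_authentication_results(ar_header)
    spf_ok = ar.spf == "pass" and aligned(from_domain, ar.spf_domain, tags.get("aspf", "r"))
    dkim_ok = ar.dkim == "pass" and aligned(from_domain, ar.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")


# Constructed case 1: From header claims example-corp.com, but SPF/DKIM authenticate attacker infra.
SPOOF_AR = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@attacker-mailer.net; "
            "dkim=pass header.d=attacker-mailer.net")
# Constructed case 2: the same lure sent from a lookalike domain the attacker fully controls.
LOOKALIKE_AR = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@exarnple-corp.com; "
                "dkim=pass header.d=exarnple-corp.com")

if __name__ == "__main__":
    print(evaluate_dmarc("example-corp.com", SPOOF_AR))       # ('fail', 'reject')
    print(evaluate_dmarc("exarnple-corp.com", LOOKALIKE_AR))  # ('pass', 'none')
```

The second case is the one the 62% figure describes: every check DMARC performs succeeds, because the attacker controls the domain being authenticated. Treating a DMARC pass as an allow-list signal therefore lets exactly this class of mail through; it should be one input to a filter that also looks at domain age, lookalike distance to known brands, and content.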
Darktrace's research identified several key threats and attack methods affecting businesses in the first half of 2024. Among these, Cybercrime-as-a-Service (CaaS) models, specifically Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS), continue to dominate. These models lower the entry barrier for cybercriminals by providing pre-made malware and phishing email templates.
Nathaniel Jones, Director of Strategic Threat and Engagement at Darktrace, commented on the persistence of such service models. "The threat landscape continues to evolve, but new threats often build upon old foundations rather than replacing them. While we have observed the emergence of new malware families, many attacks are carried out by the usual suspects that we have seen over the last few years, still utilising familiar techniques and malware variants," he said.
Jones continued, "The persistence of MaaS/RaaS service models alongside the emergence of newer threats like Qilin ransomware underscores the continued need for adaptive, machine learning powered security measures that can keep pace with a rapidly evolving threat landscape."
Darktrace's report provided detailed statistics and insights on the types of threats observed between January and June 2024. Among the most common were information-stealing malware (29% of early-triaged investigations), trojans (15%), Remote Access Trojans (RATs) (12%), botnets (6%), and loaders (6%).
One of the notable new threats highlighted was Qilin ransomware, which employs tactics such as rebooting infected machines into safe mode, where many endpoint security agents do not load, so that encryption proceeds without the tooling that would normally detect and block it and human security teams have little time to respond. The report also identified three predominant ransomware strains: Akira, LockBit, and Black Basta, all of which were noted for using double extortion methods.
The frequency and sophistication of phishing attacks remain significant concerns. Between December 2023 and July 2024, Darktrace detected 17.8 million phishing emails across its global customer base, equating to approximately one per second. The evasion techniques employed by attackers included leveraging legitimate third-party services and sites like Dropbox and Slack to blend in with normal network traffic. Additionally, there has been a rise in covert command and control (C2) mechanisms, including remote monitoring and management (RMM) tools, tunneling, and proxy services.
Security of edge infrastructure has also emerged as a critical concern. The report pointed to increased exploitation of vulnerabilities in internet-facing edge devices and services, particularly Ivanti Connect Secure, JetBrains TeamCity, FortiClient Enterprise Management Server, and Palo Alto Networks PAN-OS. These compromises frequently serve as the initial entry point for further malicious activity, underscoring the importance of patching known vulnerabilities and watching for established attack patterns. In 40% of the cases investigated during the first half of 2024, attackers exploited publicly known vulnerabilities with Common Vulnerabilities and Exposures (CVE) identifiers.
The findings underscore the necessity for organisations to adopt adaptive security measures that can respond to the continually evolving threat landscape.