All sorts of things end up in your inbox, but among the emails that users report to a SOC or security team, confirmed malicious content makes up only a small percentage. In this year's annual Phishing Trends and Intelligence (PTI) report we added a new section based on data from our Phishing Incident Response team.
That analysis produced a detailed breakdown of the kinds of emails users are reporting: malicious, suspicious ("Do Not Engage"), clear ("No Threat Detected"), and simulation content.
The Breakdown
Before digging into the data, it is important to define the four categories. We will then look more closely at the kinds of malicious threats found in this year's data set.
Malicious
These reported emails are confirmed phishing threats.
Do Not Engage
These are your run-of-the-mill spam emails: foreign pharmacy ads, pornography, dating spam, or really anything that looks sketchy but does not have an outright malicious purpose. They can, however, lead to malicious content further down the path, which is why the guidance is simply not to engage.
No Threat Detected
These are legitimate emails that were sent to their intended audience, which on occasion can include ordinary marketing mail. They make up the majority of reported emails, which either shows that users are stopping to think about and analyze what they receive, or that they just want to stick it to spammers.
Simulations
To test and train users, phishing simulations are sent out on a random cadence. When users report these, that is an ideal success metric for the training program.
What The Data Shows
According to our data set, only 6 percent of reported emails contained malicious content or intent. Another 36 percent contained questionable ("Do Not Engage") content, so combined, a great deal of suspicious content is being removed from inboxes through reporting. Every time malicious or suspicious content is reported, the security team should use that report to check whether other users received the same content and have not yet been impacted by it.
But today we're not going to give you the training lecture. Instead we'll drill down further into the kinds of content we see among the confirmed malicious emails (6%). Two important, related points are worth noting first:
- This data set covers only emails that users reported. It says nothing about suspicious content that was never reported, that is, the emails that both technology and users missed.
- It is never wise to dissuade users from reporting any kind of suspicious content. SOC teams should be able to scale and handle whatever reporting volume results, so that the only burden on users is reporting the email itself.
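The point above about checking whether other users received the same content is the first pivot a SOC analyst makes on a confirmed report. The following is an added example, not code from the PTI report or from our team's tooling: it extracts indicators (sender domain, normalized URLs, attachment hashes) from one reported message and searches a mail-gateway log for every other mailbox that received matching content. The reported email and the JSON-lines gateway log are constructed for illustration, and the log field names (`rcpt`, `from`, `urls`, `attach_sha256`) are an assumption about the gateway's export format.

```python
"""Pivot from one user-reported phish to every other recipient of the same campaign.

Added example; the message and gateway log below are constructed, and the
log schema is an assumed one, not any specific product's format.
"""
import email
import hashlib
import json
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: raw message a user forwarded to the SOC reporting mailbox.
REPORTED_EMAIL = b"""\
From: "Payroll" <hr-notify@example-payro11.com>
To: alice@corp.example
Subject: Action required: verify your direct deposit
Message-ID: <c3c0d0f3@example-payro11.com>
Content-Type: text/plain; charset=utf-8

Your direct deposit is on hold. Confirm at
https://login.example-payro11.com/verify?u=alice
"""

# Constructed gateway log: one JSON record per delivered message (assumed schema).
GATEWAY_LOG = """\
{"rcpt": "alice@corp.example", "from": "hr-notify@example-payro11.com", "urls": ["https://login.example-payro11.com/verify?u=alice"], "attach_sha256": []}
{"rcpt": "bob@corp.example", "from": "hr-notify@example-payro11.com", "urls": ["https://login.example-payro11.com/verify?u=bob"], "attach_sha256": []}
{"rcpt": "carol@corp.example", "from": "payroll@example-payro11.com", "urls": ["https://login.example-payro11.com/verify"], "attach_sha256": []}
{"rcpt": "dave@corp.example", "from": "newsletter@vendor.example", "urls": ["https://vendor.example/news"], "attach_sha256": []}
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def url_key(url: str):
    """Reduce a URL to host + path. Per-recipient query strings (?u=alice,
    ?u=bob) would otherwise defeat an exact-URL match across the campaign."""
    parsed = urlparse(url)
    if not parsed.hostname:
        return None
    return f"{parsed.hostname.lower()}{parsed.path.rstrip('/') or '/'}"


def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if the address is malformed."""
    _, spec = parseaddr(addr)
    return spec.rsplit("@", 1)[-1].lower() if "@" in spec else ""


def extract_indicators(raw_message: bytes) -> dict:
    """Pull pivotable indicators out of a reported message: sender domain,
    normalized URLs from text/HTML parts, and SHA-256 of any attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    url_keys, attach_hashes = set(), set()
    for part in msg.walk():
        if part.is_attachment():
            payload = part.get_payload(decode=True) or b""
            attach_hashes.add(hashlib.sha256(payload).hexdigest())
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                key = url_key(url)
                if key:
                    url_keys.add(key)
    return {
        "sender_domain": sender_domain(str(msg["From"] or "")),
        "url_keys": url_keys,
        "attach_sha256": attach_hashes,
    }


def parse_log(text: str) -> list:
    """Parse JSON-lines gateway records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_other_recipients(indicators: dict, records: list, reporter: str) -> dict:
    """Map each other recipient of matching content to the indicators that matched.
    The reporter is excluded: we already know they received it."""
    hits = {}
    for rec in records:
        rcpt = rec["rcpt"].lower()
        if rcpt == reporter.lower():
            continue
        reasons = []
        if indicators["sender_domain"] and sender_domain(rec["from"]) == indicators["sender_domain"]:
            reasons.append("sender_domain")
        rec_urls = {k for k in (url_key(u) for u in rec.get("urls", [])) if k}
        if indicators["url_keys"] & rec_urls:
            reasons.append("url")
        if indicators["attach_sha256"] & set(rec.get("attach_sha256", [])):
            reasons.append("attachment")
        if reasons:
            hits[rcpt] = sorted(set(hits.get(rcpt, [])) | set(reasons))
    return hits


if __name__ == "__main__":
    ind = extract_indicators(REPORTED_EMAIL)
    for rcpt, why in find_other_recipients(ind, parse_log(GATEWAY_LOG), "alice@corp.example").items():
        print(f"{rcpt}: matched on {', '.join(why)}")
```

In the constructed data, bob's copy differs from alice's only in the query string and carol's uses a different sender mailbox at the same domain and a different subject, so a pivot on exact URL or subject alone would miss one of them; matching on normalized URL and sender domain catches both while leaving dave's unrelated newsletter alone. In practice the output feeds a purge-from-mailbox action and a block on the URL host.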
At a high level, the confirmed malicious content falls into three subsets: social engineering, credential theft, and malware delivery, and we have additional insights within each. For a fuller description of what each consists of, this article from last year defines them. One overarching theme emerges from this analysis: technology is good at detecting malicious code, but much weaker at detecting the psychological manipulation behind phishing. In other words, malware gets caught by technology, but humans are still needed to thwart social engineering.
Credential Theft
In last year's PTI report we identified a big increase in credential-theft phishing attacks. It is one of the primary drivers behind the theme of threat actors shifting their attention from consumers to enterprise organizations, and this year the numbers continued to rise: 65 percent of the reported and confirmed malicious content fell under the credential theft subcategory.
Within that subcategory, the primary delivery method was a link to a phishing website (88%), with the remainder being docuphish (12%), where the lure is a document that leads to the credential harvesting page.
Social Engineering
The second most common grouping of malicious content is social engineering: your typical Business Email Compromise (BEC), job scams, and even 419 or Nigerian Prince scams.
The majority of reported emails in this category were 419 scams (84%), BEC attacks accounted for 13 percent, and job scams covered the rest (3%). There were also a few tech support scams.
Malware Delivery
For years, malware delivery has been in general decline. The threat is still very real, but it makes up only a small portion (2%) of the malicious content that lands in user inboxes. Within the reported malware content we analyzed there was a relatively broad mix: the largest subgrouping (13%) was payload links, followed by crimeware (12%), with a small portion consisting of ransomware threats and RATs.
To learn more about how the phishing threat is evolving, you can access our full report now.