Opinion

Why traditional defences won’t stop next-gen phishing

Cyber criminals are finding increasingly innovative attack methods - even targeting QR codes
By Subhalakshmi Ganapathy

Cyberthreats never stay the same. As quickly as cybersecurity providers close attack vectors or develop fixes, cybercriminals are already crafting new exploits and tactics. For example, Microsoft recently uncovered a Russian-aligned threat group exploiting device code authentication, tricking victims into handing over credentials via fake Microsoft Teams invites. This technique has already targeted governments, NGOs, and the IT, defence, telecoms, health, energy, and education sectors.

So, with hacking techniques evolving faster and becoming more sophisticated, how can businesses stay ahead of their adversaries?

One area that deserves particular attention is phishing. In a sense, this is the most widely recognised form of cyberattack – if a company’s employees are able to recall their cybersecurity training, it will almost certainly be phishing attacks they’ve been warned about, due to their focus on triggering human error. This is good but also risks a degree of false comfort – in the age of AI-driven attacks, it can feel as though phishing attacks are a bit outdated. But the truth is, phishing still aims at your weakest link: humans.

The next generation of phishing attacks

As user awareness and education regarding common phishing attacks increase, threat actors are moving to more advanced tactics. The emergence of device code phishing is one example of how phishing campaigns are becoming more complex as scammers devise increasingly novel tactics. This attack method exploits the device code authentication flow used to log printers, smart TVs and similar devices into accounts, and shows how cybercriminals are levelling up in response to MFA and similar security methods. Smart TVs, printers, and IoT devices were never designed for secure authentication, making them easy entry points for attackers.

Other attack vectors include embedding malicious QR codes in phishing emails, and the zero-click attack, which can create a devastating impact from the smallest user action. These attacks work to rapidly compromise systems through seemingly innocuous messages. Many employees are used to the idea that an unexpected email prompting you to click a link might be questionable, but QR codes in emails are a new enough – and tactile enough – form of engagement to fly under the radar. Even something as seemingly simple as changing up the attacker’s desired action can make the difference between an email being flagged as junk and a malicious link being visited and triggering an attack.

A good example of that is the ‘unsubscribe malware scam’, a new phishing tactic that prompts a click by playing on the recipient’s annoyance at receiving the email in the first place. After someone clicks the unsubscribe button of a fraudulent email, the bad actor learns that the email address is active, making you a target of further phishing emails. The unsubscribe link might also lead to a website that downloads malware onto the system.

Add to all this the fact that generative AI can now help attackers create far more convincing messages, images, and designs, and the picture becomes deeply concerning.

Beyond phishing drills

In this atmosphere, training employees to spot phishing isn’t enough anymore. Businesses need to take action to protect employees who don’t even realise they’re at risk – for example, implementing phishing-resistant MFA, biometrics, hardware security keys, and passkeys, without adding friction to the user experience.

First, though, businesses need to ensure they’re aware of how these attacks work – and what they can do to protect themselves. They should continue to conduct periodic awareness training and phishing drills – making sure the entire organisation remains aware of new, emerging phishing attempts. Device code phishing attacks succeed because of ambiguity in the device code authorization process. Employees need to be encouraged to pay close attention to links, and make sure that they know what the device-code process should look like.

Phishing-resistant MFA, such as biometrics, hardware security keys, and passkeys, is designed to be extremely difficult to crack and provides protection against device-code compromise. This is a crucial step in the battle to stay ahead of the phishers. It’s also a good idea to deploy user and entity behaviour analytics (UEBA) profiling to spot anomalies, and security orchestration, automation, and response (SOAR) capabilities to automatically execute workflow profiles and assign tickets to security admins to quickly remediate a phishing attack.
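As an added illustration of the UEBA-style profiling recommended above (example code written for this page, not taken from the article or from any product), the following Python builds a per-user baseline of sign-in flows and countries, then flags device-code sign-ins that deviate from it. The sign-in records and the field names `user`, `flow` and `country` are constructed assumptions, not a vendor log schema.

```python
from collections import defaultdict

# Constructed sign-in records. Field names are assumptions for this example,
# not a vendor log schema.
HISTORY = [
    {"user": "alice", "flow": "interactive", "country": "GB"},
    {"user": "alice", "flow": "interactive", "country": "GB"},
    {"user": "roomdisplay", "flow": "device_code", "country": "GB"},
    {"user": "bob", "flow": "interactive", "country": "DE"},
]
NEW_EVENTS = [
    {"user": "roomdisplay", "flow": "device_code", "country": "GB"},
    {"user": "alice", "flow": "device_code", "country": "GB"},
    {"user": "bob", "flow": "device_code", "country": "BR"},
    {"user": "bob", "flow": "interactive", "country": "DE"},
]

def build_baseline(history):
    """Per-user sets of sign-in flows and countries seen in the learning window."""
    flows, countries = defaultdict(set), defaultdict(set)
    for e in history:
        flows[e["user"]].add(e["flow"])
        countries[e["user"]].add(e["country"])
    return flows, countries

def triage(history, new_events):
    """Return alerts for device-code sign-ins that deviate from the user's baseline."""
    flows, countries = build_baseline(history)
    alerts = []
    for e in new_events:
        if e["flow"] != "device_code":
            continue  # this rule only profiles the device code flow
        reasons = []
        if "device_code" not in flows[e["user"]]:
            reasons.append("user has never used device code flow")
        if e["country"] not in countries[e["user"]]:
            reasons.append("sign-in from a country new for this user")
        if reasons:
            # Two independent deviations together warrant faster handling.
            severity = "high" if len(reasons) == 2 else "medium"
            alerts.append({"user": e["user"], "severity": severity, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in triage(HISTORY, NEW_EVENTS):
        print(alert)
```

The account that routinely uses the device code flow from its usual country raises no alert, which keeps legitimate shared-device sign-ins from flooding the queue that a SOAR workflow would turn into tickets.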

To stay ahead of evolving cyberattacks, security measures must constantly adapt, making it crucial for enterprises to implement stronger authentication methods.

March 13, 2025