Living-off-the-land (LotL) phishing attacks have become increasingly prevalent in recent years. Instead of standing up obviously malicious infrastructure, the attacker abuses legitimate applications and services: a trusted third-party service is compromised or simply signed up for, and its own tooling is then used to deliver and disguise the malicious activity. Campaigns built around QuickBooks and Adobe are examples, where attackers borrow the trust users place in these ubiquitous brands to trick them into revealing sensitive information.
One observed LotL phishing pattern involves Qakbot distributors using conversation hijacking attacks (CHAs), which trade on the implied trust of an existing email thread. By replying to legitimate conversations already in a target's inbox, the threat actor distributes malware or conducts further phishing under cover of a familiar subject line and correspondent. Another variant involves GuLoader, a malware downloader used primarily to deliver shellcode and payloads such as ransomware and Trojans.
The initial goal of a LotL phishing attack is to harvest credentials through a phishing page. Once the attacker holds a user's email address and password, they perform reconnaissance inside the organization, looking for an opening for business email compromise (BEC). If the victim works in finance, for example, the threat actor may try to initiate a wire transfer or redirect invoice payments. If the victim is not high value, the attacker may instead pivot to the user's contacts, through CHAs or by distributing malware from the compromised mailbox.
LotL phishing attacks have also become more sophisticated, with threat actors adopting full brand impersonation that makes their messages extremely difficult to identify and block. One example is a phishing attack sent from a compromised nhs[.]net Microsoft account; nhs.net is the email system for National Health Service (NHS) employees in England and Scotland. The message was themed as a Microsoft "secure fax pdf" sent by the "ShareFile Team 2023", and it carried the Microsoft logo and a Microsoft URL, giving it a cohesive and authentic appearance.
This level of brand impersonation makes it much easier to deceive end users. Employees see a genuine Microsoft graphic and link, and they tend to assume that systems and processes are in place to filter out malicious URLs. Because the sending account is real, sender authentication checks such as SPF and DKIM also pass. When a legitimate Microsoft domain hosts both genuine content and the lure, security and threat teams face a hard problem in identifying and mitigating the threat.
Blocking high-use domains like Microsoft is not a practical option. Restricting access to sensitive information to those who genuinely need it (least privilege) does shrink the attack surface, but it does not stop a threat actor from placing malware on a system or gaining network access. End-user training helps up to a point, but against a sophisticated LotL attack, simply checking whether an email and its URLs look legitimate is not enough, because they are legitimate.
To defend against LotL phishing attacks, users must be taught to consider the context of an email and ask whether there is a legitimate reason for receiving it. Encouraging users to confirm with the sender by phone when in doubt, using a number they already have rather than one in the message, also helps prevent them from falling victim. In addition, organizations should implement a layered security approach that includes employee education, email filters that detect and quarantine suspicious messages, and security solutions that use threat intelligence and artificial intelligence to distinguish phishing from genuine email.
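The filtering step above is where the two attack patterns described earlier (the Qakbot-style reply-chain hijack and the "ShareFile Team 2023" brand impersonation sent from a real nhs.net account) can be caught, provided the filter does not treat a passing SPF/DKIM result as a clean bill of health. The script below is an added example written for this page, not code from the article or from any product it mentions. It parses raw messages with the standard library and records contextual signals: a brand named in the display name that does not match the sender's domain, links that leave the sender's domain, a Reply-To that diverges from From, a "RE:" subject with no threading headers, and file-share lure wording. The brand-to-domain table and the three sample messages are constructed for illustration; nhs.net and the ShareFile name come from the article, every other domain is made up.

```python
"""Heuristic triage for LotL phishing: flag messages that authenticate as a
genuine sender but carry brand-impersonation or conversation-hijack signals.
Added example; sample messages and the brand table are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Illustrative brand -> legitimate domains table (assumption, not a vetted list).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com", "sharepoint.com", "live.com"},
    "sharefile": {"sharefile.com"},
    "adobe": {"adobe.com"},
    "quickbooks": {"intuit.com", "quickbooks.com"},
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LURE_RE = re.compile(r"\b(secure fax|secure message|shared a file|document shared)\b", re.I)
REPLY_RE = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)


def registered_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the sample domains here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(address):
    return registered_domain(address.split("@")[-1]) if "@" in address else ""


def body_text(msg):
    """Concatenate text/plain and text/html parts, decoded to str."""
    out = []
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def triage(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_dom = domain_of(addr)
    subject = msg.get("Subject", "")
    body = body_text(msg)
    flags = []

    # A passing SPF/DKIM result is expected in LotL phishing (the account is
    # real); record it so it is not mistaken for a clean verdict.
    auth = msg.get("Authentication-Results", "")
    auth_pass = "spf=pass" in auth and "dkim=pass" in auth

    # Brand impersonation: brand named in display name, subject or body, but the
    # sender is not that brand and no link points at the brand's own domains.
    link_domains = {registered_domain(urlparse(u).hostname or "") for u in URL_RE.findall(body)}
    haystack = f"{display} {subject} {body}".lower()
    for brand, own in BRAND_DOMAINS.items():
        if brand in haystack and sender_dom not in own and not (link_domains & own):
            flags.append(f"brand_impersonation:{brand}")

    # Links that leave the sender's domain (a SaaS-hosted lure still trips this).
    if sender_dom and (link_domains - {sender_dom}):
        flags.append("links_off_sender_domain")

    # Reply-To steering replies to an attacker-controlled mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_dom:
        flags.append("reply_to_mismatch")

    # Conversation hijacking heuristic: a stolen thread replayed from elsewhere
    # often claims "RE:" in the subject but carries no threading headers.
    if REPLY_RE.match(subject) and not (msg.get("In-Reply-To") or msg.get("References")):
        flags.append("reply_without_thread_headers")

    if LURE_RE.search(f"{subject} {body}"):
        flags.append("file_share_lure")

    return {"from": addr, "auth_pass": auth_pass, "flags": flags}


def verdict(result):
    if not result["flags"]:
        return "no_signals"
    return "authenticated_but_suspicious" if result["auth_pass"] else "suspicious"


# Constructed samples. Sample 1 mirrors the article's nhs.net case; sample 2 a
# replayed-thread lure; sample 3 an ordinary internal reply.
NHS_STYLE = """From: ShareFile Team 2023 <j.doe@nhs.net>
To: finance@example.org
Subject: Secure fax pdf
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=nhs.net; dkim=pass header.d=nhs.net
Content-Type: text/plain; charset=utf-8

You have received a secure fax pdf. Protected by Microsoft 365. Review it here:
https://forms.office.com/r/constructed-example
"""
HIJACK_STYLE = """From: Alice Vendor <alice@vendor-example.com>
To: bob@example.org
Subject: RE: Invoice 4471 - updated
Reply-To: alice.vendor@mail-example.net
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=vendor-example.com; dkim=pass header.d=vendor-example.com
Content-Type: text/plain

Hi Bob, please see the updated document shared below.
https://cdn-example.net/docs/4471.zip

> On Mon, Bob wrote:
> Thanks Alice, attached is the PO.
"""
BENIGN = """From: Carol <carol@example.org>
To: bob@example.org
Subject: RE: lunch
In-Reply-To: <abc@example.org>
References: <abc@example.org>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org
Content-Type: text/plain

See https://intranet.example.org/menu
"""

if __name__ == "__main__":
    for sample in (NHS_STYLE, HIJACK_STYLE, BENIGN):
        r = triage(sample)
        print(r["from"], verdict(r), r["flags"])
```

Note that the Microsoft link in the first sample does not trip the brand check, exactly as the article describes: the lure is hosted on a genuine Microsoft domain, so the catchable signals are the ShareFile display name on an nhs.net sender, the off-domain link and the "secure fax" wording, all of which survive a passing authentication result.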
A multilayered approach to protection, including endpoint protection and DNS protection, can further enhance an organization’s security posture. By adding multiple layers of defense, the likelihood of a successful LotL phishing attack decreases. However, it is crucial to have backup and recovery solutions in place to minimize disruption in the event that all other defenses fail.
In conclusion, LotL phishing attacks have evolved over the years, becoming increasingly sophisticated and difficult to detect. Attackers leverage the trust associated with well-known brands and impersonate legitimate services to deceive users. To counter these attacks, organizations must adopt a layered security approach, educate employees about the risks, and implement security solutions that leverage threat intelligence and artificial intelligence. By doing so, organizations can enhance their cyber resilience and minimize the impact of LotL phishing attacks.
