Q1 of 2023 was filled with many updates and changes to the major malware families used in phishing scams, as well as several notable deviations in tactics, techniques, and procedures (TTPs). Our Cofense Intelligence team issues Active Threat Reports (ATRs) based on observed malicious email threats, and in Q1 we had a 20% increase in ATRs compared to last quarter and a 34% increase compared to Q1 of last year. Below are key highlights and takeaways from Q1 of 2023.
The key highlights for Q1 2023 include:
- Evasive, malicious campaigns abusing Telegram bots continued to rise tremendously in Q1 2023, outstripping Q4 2022 volume by 397% and surpassing all of 2022 volume by 310%.
- Credential phishing volume for this quarter was volatile, increasing significantly by 527% over the course of the quarter. Overall, credential phishing threats increased 40% year-over-year from Q1 2022.
- Qakbot remained the most successful malware family reaching inboxes, 185% more often than Emotet, despite Emotet’s extremely high dissemination volume.
- Threat actors experimented with a variety of delivery mechanism combinations, including the notable introduction of OneNote files as a common threat delivery mechanism during Q1.
- YouTube was an unexpected addition to the Top 10 .com domains being employed by threat actors, who used open redirects at youtube.com to point to phishing pages.
Each quarter, Cofense Intelligence analyzes credential phishing emails that reach user environments protected by Secure Email Gateways (SEGs). Throughout Q1, Cofense Intelligence observed several changes within the phishing threat landscape, including changes in threat actors' tactics, techniques, and procedures (TTPs), as well as data trends such as volume.