
James Hickey, Director of Sales Engineering – EMEA for Cofense, looks at the threats lurking behind some of your most trusted day-to-day work software and tools, and at how Microsoft, Google, SharePoint, Canva, Confluence, and DocuSign are being abused by threat actors.
Businesses across the globe rely on the likes of Microsoft and Google daily to complete their working tasks and store critical business files. What if we told you that there’s now a worrying trend of threat actors utilising this to their advantage?
In today's cybersecurity landscape, the sophistication of phishing attacks has reached alarming levels, with email remaining the primary threat vector. As cybercriminals continue to refine their techniques to breach defences, the Cofense Phishing Defense Center (PDC) has observed a disturbing trend: the use of legitimate, trusted third-party business software to host malicious content. By exploiting these reputable brand names, attackers bypass detection systems and maintain a high degree of deception. This technique, known as domain or platform abuse, exploits the trust associated with reputable domains to conduct phishing operations.
Today’s threat actors are becoming increasingly adept at cloaking their malicious intent within the confines of trusted file names, exploiting the credibility of well-known platforms like Google, Microsoft, Canva, SharePoint, and even DocuSign to disguise their nefarious activities. This growing trend underscores the urgent need for robust, adaptive security measures.
The Exploitation of Trusted Platforms
Consider Atlassian's Confluence, a widely used collaboration tool in the corporate world. Threat actors have been observed leveraging Confluence's domain to mislead users into believing they are interacting with safe, trusted content. This tactic is not limited to Atlassian; in Q3 2024, the Cofense PDC team detected a noticeable rise in the misuse of trusted domains, with the top five including Microsoft Office and SharePoint, Google, Amazon Web Services (AWS), and TikTok.
The increased use of .docx files reinforces this trend: attached Office documents containing malicious links or QR codes are growing in popularity because they easily bypass most secure email gateways (SEGs) when embedded in a trusted attachment.
The objective is clear—bypass traditional security measures by using trusted domains and file names to deliver malicious payloads without suspicion. These platforms are being manipulated to foster a false sense of security, leveraging their esteemed reputation within the corporate world to obscure the presence of harmful content, and deceiving even the most vigilant users. This tactic not only increases the likelihood of a successful breach but also complicates detection efforts, as traditional security systems often whitelist these domains by default. The implications of such attacks are profound. Once a user's credentials are compromised, threat actors gain access to sensitive employee information and critical business infrastructure, potentially causing irreparable damage. The complexity of these attacks calls for an equally sophisticated strategy—one that combines advanced technology with proactive human intelligence.
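One way a defender can surface the links hidden in a .docx attachment and avoid passing them on domain reputation alone is sketched below. This is an added example, not Cofense code: it covers hyperlinks only (not QR codes), the platform suffix list is an illustrative assumption, and the sample document and its URLs are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
# Assumption: illustrative suffixes of shared hosting platforms a gateway may allowlist.
SHARED_PLATFORMS = ("sharepoint.com", "docs.google.com", "atlassian.net", "canva.com")


def external_links(docx_bytes):
    """Yield external hyperlink targets from every .rels part of a .docx (a ZIP)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                for rel in ET.fromstring(z.read(name)).iter(REL):
                    if rel.get("Type") == HYPERLINK and rel.get("TargetMode") == "External":
                        yield rel.get("Target")


def triage(docx_bytes):
    """Label each link; 'shared-platform' means reputation alone says nothing about it."""
    out = []
    for url in external_links(docx_bytes):
        host = (urlsplit(url).hostname or "").lower()
        shared = any(host == s or host.endswith("." + s) for s in SHARED_PLATFORMS)
        out.append((url, "shared-platform" if shared else "other"))
    return out


def build_sample_docx():
    """Constructed sample: minimal ZIP with one relationships part, placeholder URLs."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{HYPERLINK}" TargetMode="External" '
        'Target="https://tenant-placeholder.sharepoint.com/sites/placeholder/doc"/>'
        f'<Relationship Id="rId2" Type="{HYPERLINK}" TargetMode="External" '
        'Target="https://portal.example.org/login"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_docx()))
```

Links labelled `shared-platform` are the ones a domain allowlist would wave through, so they are the ones to route to content inspection or analyst review.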
The Growing Scale of the Problem
Cofense statistics reveal that up to 78% of data breaches originate from phishing attacks, with 15% of these emails evading conventional security gateways. The research also highlights the rising use of TikTok in credential phishing schemes and a staggering 627% surge in the use of open redirects (e.g., TikTok and Google AMP), with an exponential increase in the use of Microsoft Office documents and QR codes for credential phishing.
The Role of Artificial Intelligence (AI)
With the rise of AI, phishing emails have become increasingly sophisticated, appearing more genuine and grammatically accurate. AI enables threat actors to craft personalized and timely messages, often exploiting current events to enhance their plausibility. This advancement necessitates a shift in defensive strategies, where AI-augmented security measures become a critical component of any robust cybersecurity framework. However, it’s important to note that you cannot rely 100% on an AI/technology-driven approach to solving the phishing problem. As threat actors pivot or innovate their tactics, AI models won’t recognise these changes, and it can take a while for vendors to bring the models their solutions use up to date with the new tactics, leaving gaps in your defences. That’s why Cofense recommends a “human-centric” approach, aided by the automation provided by AI in the correct parts of the phishing defence process, to truly get a grip on the problem. Put simply, you need a “Human Shield” for when the technology fails.
The Human Shield and Security Stack
In the face of these challenges, businesses must adopt a multifaceted approach to cybersecurity. Technology (and AI) alone are not enough; human intelligence and vigilance are indispensable components of a robust security posture. It will be up to Channel to ensure businesses have access to these vital elements and the ability to build a robust "Human Shield". This concept involves training employees to recognize and report suspicious activity, thereby turning them into active participants in the defence against phishing attacks.
Cofense's PhishMe Solution Architecture exemplifies this approach, integrating Security Awareness Training (SAT) with Phishing Threat Detection and Response (PDR) platforms. By simulating real-world threats and enhancing employee resilience, organizations can significantly reduce the risk of successful phishing attempts. Additionally, the PhishMe Reporter tool empowers employees to report suspicious emails with a single click, transforming them into a frontline defence against potential breaches.
Why Channel Must Act Now: The Need for Enhanced Vigilance
The data speaks for itself. Emerging threats are becoming more sophisticated, with threat actors capitalizing on advancements in AI, machine learning, and social engineering. In 2025, these tactics are expected to intensify, posing a heightened risk to businesses worldwide. Organizations cannot afford to remain complacent; proactive measures are essential to safeguard against these evolving threats, and it will be vital for Channel to help support customers to stay aware and ahead of the risk.
The increasing incidence of platform abuse in phishing attacks calls for heightened vigilance and proactive defence measures, so you should help customers to prioritize educating their employees about the dangers of these tactics and encourage a culture of scepticism and verification. You should help them to build a strong culture of attentiveness and enable them to effectively report and act when they identify suspicious threats.
Additionally, you should look to combine this with zero-day threat intelligence, leveraging AI-driven security solutions to proactively remove threats that evade traditional defences as they emerge.
Implementing a comprehensive security stack that combines technology with human intelligence is crucial for your customers to maintain a strong defence. By leveraging platforms like Cofense, your customers can enhance their cybersecurity posture, ensuring they are prepared to address the challenges of tomorrow. By taking decisive action now, help your customers transform their employees into cyber-resilient assets and fortify their defences against the next wave of email security threats.
The PhishMe solution architecture is comprised of two complementary solutions for employee SAT and phishing defence. Together, these solutions create a virtuous cycle of human-vetted intelligence at scale that can outsmart the increasingly sophisticated AI-powered phishing attacks that traditional and even AI model-based SEGs miss. By empowering employees and leveraging cutting-edge technology, businesses, both yours and your customers’, can effectively mitigate the risks associated with these sophisticated attacks.