The cybercriminal ecosystem has experienced a monumental shift in activity and threat behavior over the last year in a way not previously observed by threat researchers. Financially motivated threat actors that gain initial access via email are no longer using static, predictable attack chains, but rather dynamic, rapidly changing techniques.
This change is largely driven by Microsoft blocking macros by default and forcing everyone along the threat actor food chain from small crime commodity actors to the most experienced cybercriminals that enable major ransomware attacks to change the way they conduct business. Microsoft announced it would begin to block XL4 and VBA macros by default for Office users in October 2021 and February 2022, respectively. The changes began rolling out in 2022.
Based on Proofpoint’s unique telemetry analyzing billions of messages per day, Proofpoint researchers have observed widespread threat actor experimentation in malware payload delivery, using old filetypes, unexpected attack chains, and a variety of techniques that result in malware infections, including ransomware.
This activity demonstrates the following about the overall cybercriminal threat landscape:
- Threat actors continue to test various threat behaviors to determine the most effective method of gaining initial access via email. There is no reliable, consistent technique adopted by the entire threat landscape.
- Threat actors follow the leader. One or a group of threat actors may adopt a new technique and in subsequent weeks or months, researchers will observe the same technique used by multiple threat actors.
- Some more sophisticated ecrime actors have the time and resources available to develop, iterate, and test different malware delivery techniques.
In this report, Proofpoint will examine major landscape shifts and common tactics, techniques, and procedures (TTPs) adopted by a variety of threat actors. Download the full report here.