Proofpoint’s 2023 Human Factor Report: Threat Actors Scale and Commoditise Uncommon Tools and Techniques


New research provides an in-depth analysis of the modern attack chain and today’s biggest threats

London, June 14, 2023 - Proofpoint, Inc., a leading cybersecurity and compliance company, today released its annual Human Factor report, revealing that after two years of pandemic-induced disruption, 2022 was a return to business as usual for the world’s cyber criminals. As COVID-19 medical and economic programs began to wind down, attackers had to find new ways to make a living by honing their social engineering skills, commoditising once-sophisticated attack techniques, and creatively searching for new opportunities in unexpected places.

From scaling brute-force and targeted attacks on cloud tenants to the surge in conversational smishing attacks and proliferation of multifactor authentication (MFA) bypass, the cyber-attack landscape witnessed significant developments on several fronts in 2022.

“With Microsoft 365 forming a large percentage of the typical organisation’s attack surface, broad abuse of that platform, from Office macros to OneNote documents, continues to shape the broad outlines of the threat landscape,” said Ryan Kalember, executive vice president, cybersecurity strategy, Proofpoint. “As security controls have slowly improved, threat actors have innovated and scaled their bypasses; once the domain of red teams, techniques like MFA bypass and telephone-oriented attack delivery, for example, are now commonplace. While many threat actors are still experimenting, what remains the same is that attackers exploit people, and they are the most critical variable in today’s attack chain.”

The Human Factor is the industry’s most comprehensive report from a single vendor and delves into the new developments across the threat landscape, focusing on the combination of technology and psychology that makes modern cyber attacks so dangerous across the three main facets of user risk: vulnerability, attacks, and privilege. The report draws from one of the industry’s largest and most diverse global cybersecurity data sets across email, the cloud and mobile computing sourced from more than 2.6 billion email messages, 49 billion URLs, 1.9 billion attachments, 28 million cloud accounts, 1.7 billion suspicious SMS messages, and more.

From complex techniques like multi-factor authentication bypass, to telephone-oriented attack delivery, and conversational threats that rely solely on the attacker’s charm, 2022 was a year of unprecedented creativity among threat actors as they varied attack chains and rapidly tested and discarded delivery mechanisms.

Key findings highlighted in Proofpoint’s 2023 Human Factor Report include:

  • Office macro use collapsed after Microsoft rolled out controls to block them: After almost three decades of service as a popular malware distribution method, Office macros finally began to decline in use after Microsoft updated how its software handles files downloaded from the web. The changes set off an ongoing flurry of experimentation by threat actors to seek alternative techniques to compromise targets.
  • Threat actors began to match their ingenuity with new-found precision and patience: Conversational smishing and pig butchering threats—which start with attackers sending seemingly harmless messages—surged last year. In the mobile space, it was the year's fastest-growing threat, experiencing a twelvefold increase in volume. And telephone-oriented attack delivery (TOAD) peaked at 13 million messages per month. Several state-sponsored APT actors invested significant time exchanging benign messages with their targets to build rapport over the course of weeks and months.
  • Off-the-shelf MFA bypass phish kits have become ubiquitous, allowing even non-technical criminals to spin up a phishing campaign: MFA-bypass frameworks such as EvilProxy, Evilginx2, and NakedPages accounted for more than a million phishing messages per month.
  • Legitimate infrastructure plays a key role in the delivery of many cloud-based attacks and shows the limitations of rules-based protections: Most organisations faced threats originating from well-known cloud giants Microsoft and Amazon, whose infrastructure hosts countless legitimate services that organisations rely upon.
  • Novel distribution methods pushed SocGholish into the top five malware by message volume: The threat actor behind SocGholish, TA569, has increasingly been able to infect websites to deliver malware exclusively through drive-by downloads, tricking victims into downloading it through fake browser updates. Many sites hosting the SocGholish malware are unaware they are hosting it, further proliferating its delivery.
  • Cloud threats have become ubiquitous: 94% of cloud tenants are targeted every month by either a precision or brute-force cloud attack, indicating a frequency on par with email and mobile vectors. The number of brute-force attacks—notably password spraying—increased from a monthly average of 40 million in 2022 to nearly 200 million in early 2023.
  • Abusing the familiarity and trust in major brands is one of the simplest forms of social engineering: Microsoft products and services occupied four of the top five positions for abused brands, with Amazon being the most abused brand.
  • Successful initial access can rapidly lead to domain-wide attacks such as ransomware infection or data theft: As many as 40% of misconfigured, or “shadow” admin identities can be exploited in a single step, such as resetting a domain password to elevate privileges. And 13% of shadow admins were found to already have domain admin privileges, allowing attackers to harvest credentials and access corporate systems. Around 10% of endpoints have an unprotected privileged account password, with 26% of those exposed accounts being domain admins.
  • Emotet roared back as the world’s most prominent threat actor, one year after law enforcement took the botnet offline in January 2021: Yet despite sending over 25 million messages in 2022—more than double the volume of the second most prominent threat actor—Emotet's presence has been intermittent, with the group also showing signs of lethargy in adapting to the post-macro threat landscape. 
  • While financially driven crime largely dominates the threat landscape, a single outlier attack by an Advanced Persistent Threat (APT) actor can have a massive impact: One large campaign by TA471, a Russian-aligned APT group that engages in both corporate and government espionage, propelled that actor to the top of the APT message volume charts. TA416, an APT actor aligned with the Chinese state, was one of the most active. In particular, significant new campaigns by TA416 coincided with the start of the Russia-Ukraine war, targeting European diplomatic entities involved in refugee and migrant services.

To download the 2023 Human Factor report, please visit



About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organisations of all sizes, including 75 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at


Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.